DefensePro User Guide v6.02

DefensePro User Guide
Software Version 6.02

Document ID: RDWR-DP-V0602_UG1201
January, 2012
2 Document ID: RDWR-DP-V0602_UG1201
Document ID: RDWR-DP-V0602_UG1201 3
Important Notices
The following important notices are presented in English, French, and German.
Important Notices
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 20062011. All rights reserved.
The copyright and all other intellectual property rights and trade secrets included in this guide are
owned by Radware Ltd.
The guide is provided to Radware customers for the sole purpose of obtaining information with
respect to the installation and use of the Radware products described in this document, and may not
be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be kept in strict
confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without
the prior written consent of Radware.
Notice importante
Ce guide est sujet aux conditions et restrictions suivantes : Copyright Radware Ltd. 20062011.
Tous droits rservs.
Le copyright ainsi que tout autre droit li la proprit intellectuelle et aux secrets industriels
contenus dans ce guide sont la proprit de Radware Ltd.
Ce guide d'informations est fourni nos clients dans le cadre de l'installation et de l'usage des
produits de Radware dcrits dans ce document et ne pourra tre utilis dans un but autre que celui
pour lequel il a t conu.
Les informations rpertories dans ce document restent la proprit de Radware et doivent tre
conserves de manire confidentielle.
Il est strictement interdit de copier, reproduire ou divulguer des informations contenues dans ce
manuel sans avoir obtenu le consentement pralable crit de Radware.
Wichtige Anmerkung
Dieses Handbuch wird vorbehaltlich folgender Bedingungen und Einschrnkungen ausgeliefert:
Copyright Radware Ltd. 20062011. Alle Rechte vorbehalten.
Das Urheberrecht und alle anderen in diesem Handbuch enthaltenen Eigentumsrechte und
Geschftsgeheimnisse sind Eigentum von Radware Ltd.
Dieses Handbuch wird Kunden von Radware mit dem ausschlielichen Zweck ausgehndigt,
Informationen zu Montage und Benutzung der in diesem Dokument beschriebene Produkte von
Radware bereitzustellen. Es darf fr keinen anderen Zweck verwendet werden.
Die in diesem Handbuch enthaltenen Informationen sind Eigentum von Radware und mssen streng
vertraulich behandelt werden.
Es ist streng verboten, dieses Handbuch oder Teile daraus ohne vorherige schriftliche Zustimmung
von Radware zu kopieren, vervielfltigen, reproduzieren oder offen zu legen.
Copyright Notices
The following copyright notices are presented in English, French, and German.
Copyright Notices
This product contains code developed by the OpenSSL Project
This product includes software developed by the OpenSSL Project. For use in the OpenSSL Toolkit.
(http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
This product contains the Rijndael cipher
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public
domain and distributed with the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
The OnDemand Switch may use software components licensed under the GNU General Public
License Agreement Version 2 (GPL v.2) including LinuxBios and Filo open source projects. The
source code of the LinuxBios and Filo is available from Radware upon request. A copy of the license
can be viewed at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This code is hereby placed in the public domain.
This product contains code developed by the OpenBSD Project
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.
This product includes software developed by Markus Friedl
This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
ALL THE SOFTWARE MENTIONED ABOVE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Notice traitant du copyright
Ce produit renferme des codes dvelopps dans le cadre du projet OpenSSL.
Ce produit inclut un logiciel dvelopp dans le cadre du projet OpenSSL. Pour un usage dans la bote
outils OpenSSL (http://www.openssl.org/).
Copyright (c) 1998-2005 Le projet OpenSSL. Tous droits rservs. Ce produit inclut la catgorie de
chiffre Rijndael.
L'implmentation de Rijindael par Vincent Rijmen, Antoon Bosselaers et Paulo Barreto est du
domaine public et distribue sous les termes de la licence suivante :
@version 3.0 (Dcembre 2000)
Code ANSI C code pour Rijndael (actuellement AES)
@author Paulo Barreto <paulo.barreto@terra.com.br>.
Le commutateur OnDemand peut utiliser les composants logiciels sous licence, en vertu des termes
de la licence GNU General Public License Agreement Version 2 (GPL v.2), y compris les projets
source ouverte LinuxBios et Filo. Le code source de LinuxBios et Filo est disponible sur demande
auprs de Radware. Une copie de la licence est rpertorie sur:
Ce code est galement plac dans le domaine public.
Ce produit renferme des codes dvelopps dans le cadre du projet OpenSSL.
Copyright (c) 1983, 1990, 1992, 1993, 1995
Les membres du conseil de l'Universit de Californie. Tous droits rservs.
La distribution et l'usage sous une forme source et binaire, avec ou sans modifications, est autorise
pour autant que les conditions suivantes soient remplies :
1. La distribution d'un code source doit inclure la notice de copyright mentionne ci-dessus, cette
liste de conditions et l'avis de non-responsabilit suivant.
2. La distribution, sous une forme binaire, doit reproduire dans la documentation et/ou dans tout
autre matriel fourni la notice de copyright mentionne ci-dessus, cette liste de conditions et
l'avis de non-responsabilit suivant.
3. Le nom de l'universit, ainsi que le nom des contributeurs ne seront en aucun cas utiliss pour
approuver ou promouvoir un produit driv de ce programme sans l'obtention pralable d'une
autorisation crite.
Ce produit inclut un logiciel dvelopp par Markus Friedl
Ce produit inclut un logiciel dvelopp par Theo de Raadt Ce produit inclut un logiciel dvelopp par
Niels Provos
Ce produit inclut un logiciel dvelopp par Dug Song
Ce produit inclut un logiciel dvelopp par Aaron Campbell Ce produit inclut un logiciel dvelopp
par Damien Miller
Ce produit inclut un logiciel dvelopp par Kevin Steves
Ce produit inclut un logiciel dvelopp par Daniel Kouril
Ce produit inclut un logiciel dvelopp par Wesley Griffin
Ce produit inclut un logiciel dvelopp par Per Allansson
Ce produit inclut un logiciel dvelopp par Nils Nordman
Ce produit inclut un logiciel dvelopp par Simon Wilkinson.
La distribution et l'usage sous une forme source et binaire, avec ou sans modifications, est autorise
pour autant que les conditions suivantes soient remplies :
1. La distribution d'un code source doit inclure la notice de copyright mentionne ci-dessus, cette
liste de conditions et l'avis de non-responsabilit suivant.
2. La distribution, sous une forme binaire, doit reproduire dans la documentation et/ou dans tout
autre matriel fourni la notice de copyright mentionne ci-dessus, cette liste de conditions et
l'avis de non-responsabilit suivant.
LE LOGICIEL MENTIONN CI-DESSUS EST FOURNI TEL QUEL PAR LE DVELOPPEUR ET TOUTE
GARANTIE, EXPLICITE OU IMPLICITE, Y COMPRIS, MAIS SANS S'Y LIMITER, TOUTE GARANTIE
IMPLICITE DE QUALIT MARCHANDE ET D'ADQUATION UN USAGE PARTICULIER EST EXCLUE.
EN AUCUN CAS L'AUTEUR NE POURRA TRE TENU RESPONSABLE DES DOMMAGES DIRECTS,
INDIRECTS, ACCESSOIRES, SPCIAUX, EXEMPLAIRES OU CONSCUTIFS (Y COMPRIS, MAIS SANS
S'Y LIMITER, L'ACQUISITION DE BIENS OU DE SERVICES DE REMPLACEMENT, LA PERTE D'USAGE,
DE DONNES OU DE PROFITS OU L'INTERRUPTION DES AFFAIRES), QUELLE QU'EN SOIT LA CAUSE
ET LA THORIE DE RESPONSABILIT, QU'IL S'AGISSE D'UN CONTRAT, DE RESPONSABILIT
STRICTE OU D'UN ACTE DOMMAGEABLE (Y COMPRIS LA NGLIGENCE OU AUTRE), DCOULANT DE
QUELLE QUE FAON QUE CE SOIT DE L'USAGE DE CE LOGICIEL, MME S'IL A T AVERTI DE LA
POSSIBILIT D'UN TEL DOMMAGE.
Copyrightvermerke
Dieses Produkt enthlt einen vom OpenSSL-Projekt entwickelten Code
Dieses Produkt enthlt vom OpenSSL-Projekt entwickelte Software. Zur Verwendung im OpenSSL
Toolkit. (http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. Alle Rechte vorbehalten. Dieses Produkt enthlt die
Rijndael cipher
Die Rijndael-Implementierung von Vincent Rijndael, Anton Bosselaers und Paulo Barreto ist
ffentlich zugnglich und wird unter folgender Lizenz vertrieben:
@version 3.0 (December 2000)
Optimierter ANSI C Code fr den Rijndael cipher (jetzt AES)
@author Paulo Barreto <paulo.barreto@terra.com.br>
Der OnDemand Switch verwendet mglicherweise Software, die im Rahmen der DNU Allgemeine
ffentliche Lizenzvereinbarung Version 2 (GPL v.2) lizensiert sind, einschlielich LinuxBios und Filo
Open Source-Projekte. Der Quellcode von LinuxBios und Filo ist bei Radware auf Anfrage erhltlich.
Eine Kopie dieser Lizenz kann eingesehen werden unter:
Dieser Code wird hiermit allgemein zugnglich gemacht.
Dieses Produkt enthlt einen vom OpenBSD-Projekt entwickelten Code
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. Alle Rechte vorbehalten.
Die Verbreitung und Verwendung in Quell- und binrem Format, mit oder ohne Vernderungen, sind
unter folgenden Bedingungen erlaubt:
1. Die Verbreitung von Quellcodes muss den voranstehenden Copyrightvermerk, diese Liste von
Bedingungen und den folgenden Haftungsausschluss beibehalten.
2. Die Verbreitung in binrem Format muss den voranstehenden Copyrightvermerk, diese Liste von
Bedingungen und den folgenden Haftungsausschluss in der Dokumentation und/oder andere
Materialien, die mit verteilt werden, reproduzieren.
3. Weder der Name der Universitt noch die Namen der Beitragenden drfen ohne ausdrckliche
vorherige schriftliche Genehmigung verwendet werden, um von dieser Software abgeleitete
Produkte zu empfehlen oder zu bewerben.
Dieses Produkt enthlt von Markus Friedl entwickelte Software Dieses Produkt enthlt von Theo de
Raadt entwickelte Software Dieses Produkt enthlt von Niels Provos entwickelte Software Dieses
Produkt enthlt von Dug Song entwickelte Software
Dieses Produkt enthlt von Aaron Campbell entwickelte Software Dieses Produkt enthlt von Damien
Miller entwickelte Software Dieses Produkt enthlt von Kevin Steves entwickelte Software Dieses
Produkt enthlt von Daniel Kouril entwickelte Software Dieses Produkt enthlt von Wesley Griffin
entwickelte Software Dieses Produkt enthlt von Per Allansson entwickelte Software Dieses Produkt
enthlt von Nils Nordman entwickelte Software
Dieses Produkt enthlt von Simon Wilkinson entwickelte Software
Die Verbreitung und Verwendung in Quell- und binrem Format, mit oder ohne Vernderungen, sind
unter folgenden Bedingungen erlaubt:
1. Die Verbreitung von Quellcodes muss den voranstehenden Copyrightvermerk, diese Liste von
Bedingungen und den folgenden Haftungsausschluss beibehalten.
2. Die Verbreitung in binrem Format muss den voranstehenden Copyrightvermerk, diese Liste von
Bedingungen und den folgenden Haftungsausschluss in der Dokumentation und/oder andere
Materialien, die mit verteilt werden, reproduzieren.
SMTLICHE VORGENANNTE SOFTWARE WIRD VOM AUTOR IM IST-ZUSTAND ("AS IS")
BEREITGESTELLT. JEGLICHE AUSDRCKLICHEN ODER IMPLIZITEN GARANTIEN, EINSCHLIESSLICH,
DOCH NICHT BESCHRNKT AUF DIE IMPLIZIERTEN GARANTIEN DER MARKTGNGIGKEIT UND DER
ANWENDBARKEIT FR EINEN BESTIMMTEN ZWECK, SIND AUSGESCHLOSSEN.
UNTER KEINEN UMSTNDEN HAFTET DER AUTOR FR DIREKTE ODER INDIREKTE SCHDEN, FR
BEI VERTRAGSERFLLUNG ENTSTANDENE SCHDEN, FR BESONDERE SCHDEN, FR
SCHADENSERSATZ MIT STRAFCHARAKTER, ODER FR FOLGESCHDEN EINSCHLIESSLICH, DOCH
NICHT BESCHRNKT AUF, ERWERB VON ERSATZGTERN ODER ERSATZLEISTUNGEN; VERLUST AN
NUTZUNG, DATEN ODER GEWINN; ODER GESCHFTSUNTERBRECHUNGEN) GLEICH, WIE SIE
ENTSTANDEN SIND, UND FR JEGLICHE ART VON HAFTUNG, SEI ES VERTRGE,
GEFHRDUNGSHAFTUNG, ODER DELIKTISCHE HAFTUNG (EINSCHLIESSLICH FAHRLSSIGKEIT
ODER ANDERE), DIE IN JEGLICHER FORM FOLGE DER BENUTZUNG DIESER SOFTWARE IST, SELBST
WENN AUF DIE MGLICHKEIT EINES SOLCHEN SCHADENS HINGEWIESEN WURDE.
Safety Instructions
The following safety instructions are presented in English, French, and German.
Safety Instructions
CAUTION
A readily accessible disconnect device shall be incorporated in the building installation wiring.
Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures that
involve opening panels or changing components must be performed by qualified service personnel
only.
To reduce the risk of fire and electrical shock, disconnect the device from the power line before
removing cover or panels.
The following figure shows the caution label that is attached to Radware platforms with dual power
supplies.
Figure 1: Electrical Shock Hazard Label
DUAL-POWER-SUPPLY-SYSTEM SAFETY WARNING IN CHINESE
The following figure is the warning for Radware platforms with dual power supplies.
Figure 2: Dual-Power-Supply-System Safety Warning in Chinese
Translation of Figure 2 - Dual-Power-Supply-System Safety Warning in Chinese, page 8:
This unit has more than one power supply. Disconnect all power supplies before maintenance to
avoid electric shock.
SERVICING
Do not perform any servicing other than that contained in the operating instructions unless you are
qualified to do so. There are no serviceable parts inside the unit.
HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under voltage must be avoided
as much as possible and, when inevitable, must be carried out only by a skilled person who is aware
of the hazard involved.
Capacitors inside the instrument may still be charged even if the instrument has been disconnected
from its source of supply.
GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this device
must be connected to the protective earth in the building installation.
LASER
This equipment is a Class 1 Laser Product in accordance with IEC60825 - 1: 1993 + A1:1997 +
A2:2001 Standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used for
replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided.
Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be
made inoperative and be secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power source
matches the requirements of the instrument. Refer to the Specifications for information about the
correct power rating for the device.
48V DC-powered platforms have an input tolerance of 36-72V DC.
SPECIFICATION CHANGES
Specifications are subject to change without notice.
Note: This equipment has been tested and found to comply with the limits for a Class A digital
device pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN
61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-
11For CE MARK Compliance. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses and can radiate radio frequency energy
and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference in which case the user is required
to correct the interference at his own expense.
VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS
Figure 3: Statement for Class A VCCI-certified Equipment
Translation of Figure 3 - Statement for Class A VCCI-certified Equipment, page 9:
This is a Class A product based on the standard of the Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). If this equipment is used in a domestic environment,
radio disturbance may occur, in which case, the user may be required to take corrective action.
Figure 4: Statement for Class B VCCI-certified Equipment
Translation of Figure 4 - Statement for Class B VCCI-certified Equipment, page 9:
This is a Class B product based on the standard of the Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). If this is used near a radio or television receiver in a
domestic environment, it may cause radio interference.
Install and use the equipment according to the instruction manual.
SPECIAL NOTICE FOR NORTH AMERICAN USERS
For North American power connection, select a power supply cord that is UL Listed and CSA Certified
3 - conductor, [18 AWG], terminated in a molded on plug cap rated 125 V, [5 A], with a minimum
length of 1.5m [six feet] but no longer than 4.5m...For European connection, select a power supply
cord that is internationally harmonized and marked <HAR>, 3 - conductor, 0,75 mm2 minimum
mm2 wire, rated 300 V, with a PVC insulated jacket. The cord must have a molded on plug cap rated
250 V, 3 A..
RESTRICT AREA ACCESS
The DC powered equipment should only be installed in a Restricted Access Area.
INSTALLATION CODES
This device must be installed according to country national electrical codes. For North America,
equipment must be installed in accordance with the US National Electrical Code, Articles 110 - 16,
110 -17, and 110 -18 and the Canadian Electrical Code, Section 12.
INTERCONNECTION OF UNITS
Cables for connecting to the unit RS232 and Ethernet Interfaces must be UL certified type DP-1 or
DP-2. (Note- when residing in non LPS circuit)
OVERCURRENT PROTECTION
A readily accessible listed branch-circuit over current protective device rated 15 A must be
incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If equipment is provided with a replaceable battery, and is replaced by an incorrect battery type,
then an explosion may occur. This is the case for some Lithium batteries and the following is
applicable:
If the battery is placed in an Operator Access Area, there is a marking close to the battery or
a statement in both the operating and service instructions.
If the battery is placed elsewhere in the equipment, there is a marking close to the battery or a
statement in the service instructions.
This marking or statement includes the following text warning:
CAUTION
RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE.
DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
Caution To Reduce the Risk of Electrical Shock and Fire
1. This equipment is designed to permit connection between the earthed conductor of the DC
supply circuit and the earthing conductor equipment. See Installation Instructions.
2. All servicing must be undertaken only by qualified service personnel. There are not user
serviceable parts inside the unit.
3. DO NOT plug in, turn on or attempt to operate an obviously damaged unit.
4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
5. Replace a blown fuse ONLY with the same type and rating as is marked on the safety label
adjacent to the power inlet, housing the fuse.
6. Do not operate the device in a location where the maximum ambient temperature exceeds
40C/104F.
7. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to remove
and/or check the main power fuse.
CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS IEC 60
825-1:1993 + A1:1997 + A2:2001 AND EN 60825-1:1994+A1:1996+ A2:2001
AC units for Denmark, Finland, Norway, Sweden (marked on product):
Denmark - Unit is class I - unit to be used with an AC cord set suitable with Denmark
deviations. The cord includes an earthing conductor. The Unit is to be plugged into a wall socket
outlet which is connected to a protective earth. Socket outlets which are not connected to earth
are not to be used!
Finland - (Marking label and in manual) - Laite on liitettv suojamaadoituskoskettimilla
varustettuun pistorasiaan
Norway (Marking label and in manual) - Apparatet m tilkoples jordet stikkontakt
Unit is intended for connection to IT power systems for Norway only.
Sweden (Marking label and in manual) - Apparaten skall anslutas till jordat uttag.
To connect the power connection:
1. Connect the power cable to the main socket, located on the rear panel of the device.
2. Connect the power cable to the grounded AC outlet.
CAUTION
Risk of electric shock and energy hazard. Disconnecting one power supply disconnects only one
power supply module. To isolate the unit completely, disconnect all power supplies.
Instructions de scurit
AVERTISSEMENT
Un dispositif de dconnexion facilement accessible sera incorpor au cblage du btiment.
En raison des risques de chocs lectriques et des dangers nergtiques, mcaniques et d'incendie,
chaque procdure impliquant l'ouverture des panneaux ou le remplacement de composants sera
excute par du personnel qualifi.
Pour rduire les risques d'incendie et de chocs lectriques, dconnectez le dispositif du bloc
d'alimentation avant de retirer le couvercle ou les panneaux.
La figure suivante montre l'tiquette d'avertissement appose sur les plateformes Radware dotes
de plus d'une source d'alimentation lectrique.
Figure 1 : tiquette d'avertissement de danger de chocs lectriques
Figure 5: tiquette d'avertissement de danger de chocs lectriques
AVERTISSEMENT DE SCURIT POUR LES SYSTMES DOTS DE DEUX SOURCES D'ALIMENTATION
LECTRIQUE (EN CHINOIS)
La figure suivante reprsente l'tiquette d'avertissement pour les plateformes Radware dotes de
deux sources d'alimentation lectrique.
Figure 6: Avertissement de scurit pour les systmes dotes de deux sources d'alimentation
lectrique (en chinois)
Traduction de la Figure 6 - Avertissement de scurit pour les systmes dotes de deux sources
d'alimentation lectrique (en chinois), page 12:
Cette unit est dote de plus d'une source d'alimentation lectrique. Dconnectez toutes les sources
d'alimentation lectrique avant d'entretenir l'appareil ceci pour viter tout choc lectrique.
ENTRETIEN
N'effectuez aucun entretien autre que ceux rpertoris dans le manuel d'instructions, moins d'tre
qualifi en la matire. Aucune pice l'intrieur de l'unit ne peut tre remplace ou rpare.
HAUTE TENSION
Tout rglage, opration d'entretien et rparation de l'instrument ouvert sous tension doit tre vit.
Si cela s'avre indispensable, confiez cette opration une personne qualifie et consciente des
dangers impliqus.
Les condensateurs au sein de l'unit risquent d'tre chargs mme si l'unit a t dconnecte de la
source d'alimentation lectrique.
MISE A LA TERRE
Avant de connecter ce dispositif la ligne lectrique, les vis de protection de la borne de terre de
cette unit doivent tre relies au systme de mise la terre du btiment.
LASER
Cet quipement est un produit laser de classe 1, conforme la norme IEC60825 - 1 : 1993 + A1
:1997 + A2 :2001.
FUSIBLES
Assurez-vous que, seuls les fusibles courant nominal requis et de type spcifi sont utiliss en
remplacement. L'usage de fusibles rpars et le court-circuitage des porte-fusibles doivent tre
vits. Lorsqu'il est pratiquement certain que la protection offerte par les fusibles a t dtriore,
l'instrument doit tre dsactiv et scuris contre toute opration involontaire.
TENSION DE LIGNE
Avant de connecter cet instrument la ligne lectrique, vrifiez que la tension de la source
d'alimentation correspond aux exigences de l'instrument. Consultez les spcifications propres
l'alimentation nominale correcte du dispositif.
Les plateformes alimentes en 48 CC ont une tolrance d'entre comprise entre 36 et 72 V CC.
MODIFICATIONS DES SPCIFICATIONS
Les spcifications sont sujettes changement sans notice pralable.
Remarque: Cet quipement a t test et dclar conforme aux limites dfinies pour un appareil
numrique de classe A, conformment au paragraphe 15B de la rglementation FCC et EN55022
Classe A, EN 55024, EN 61000-3-2 ; EN 61000-3-3 ; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC
61000-4-11, pour la marque de conformit de la CE. Ces limites sont fixes pour fournir une
protection raisonnable contre les interfrences nuisibles, lorsque l'quipement est utilis dans un
environnement commercial. Cet quipement gnre, utilise et peut mettre des frquences radio et,
s'il n'est pas install et utilis conformment au manuel d'instructions, peut entraner des
interfrences nuisibles aux communications radio. Le fonctionnement de cet quipement dans une
zone rsidentielle est susceptible de provoquer des interfrences nuisibles, auquel cas l'utilisateur
devra corriger le problme ses propres frais.
DCLARATIONS SUR LES INTERFRENCES LECTROMAGNTIQUES VCCI
Figure 7: Dclaration pour l'quipement de classe A certifi VCCI
Traduction de la Figure 7 - Dclaration pour l'quipement de classe A certifi VCCI, page 13:
Il s'agit d'un produit de classe A, bas sur la norme du Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). Si cet quipement est utilis dans un environnement
domestique, des perturbations radiolectriques sont susceptibles d'apparatre. Si tel est le cas,
l'utilisateur sera tenu de prendre des mesures correctives.
Figure 8: Dclaration pour l'quipement de classe B certifi VCCI
Traduction de la Figure 8 - Dclaration pour l'quipement de classe B certifi VCCI, page 13:
Il s'agit d'un produit de classe B, bas sur la norme du Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). S'il est utilis proximit d'un poste de radio ou d'une
tlvision dans un environnement domestique, il peut entraner des interfrences radio.
Installez et utilisez l'quipement selon le manuel d'instructions.
NOTICE SPCIALE POUR LES UTILISATEURS NORD-AMRICAINS
Pour un raccordement lectrique en Amrique du Nord, slectionnez un cordon d'alimentation
homologu UL et certifi CSA 3 - conducteur, [18 AWG], muni d'une prise moule son extrmit,
de 125 V, [5 A], d'une longueur minimale de 1,5 m [six pieds] et maximale de 4,5m...Pour la
connexion europenne, choisissez un cordon d'alimentation mondialement homologu et marqu
"<HAR>", 3 - conducteur, cble de 0,75 mm2 minimum, de 300 V, avec une gaine en PVC isole. La
prise l'extrmit du cordon, sera dote d'un sceau moul indiquant: 250 V, 3 A.".
ZONE A ACCS RESTREINT
L'quipement aliment en CC ne pourra tre install que dans une zone accs restreint. CODES
D'INSTALLATION
Ce dispositif doit tre install en conformit avec les codes lectriques nationaux. En Amrique du
Nord, l'quipement sera install en conformit avec le code lectrique national amricain, articles
110-16, 110 -17, et 110 -18 et le code lectrique canadien, Section 12. INTERCONNEXION DES
UNTES.
Les cbles de connexion l'unit RS232 et aux interfaces Ethernet seront certifis UL, type DP-1 ou
DP-2. (Remarque- s'ils ne rsident pas dans un circuit LPS) PROTECTION CONTRE LES
SURCHARGES.
Un circuit de drivation, facilement accessible, sur le dispositif de protection du courant de 15 A doit
tre intgr au cblage du btiment pour chaque puissance consomme.
BATTERIES REMPLAABLES
Si l'quipement est fourni avec une batterie, et qu'elle est remplace par un type de batterie
incorrect, elle est susceptible d'exploser. C'est le cas pour certaines batteries au lithium, les
lments suivants sont donc applicables :
Si la batterie est place dans une zone d'accs oprateur, une marque est indique sur la
batterie ou une remarque est insre, aussi bien dans les instructions d'exploitation que
d'entretien.
Si la batterie est place ailleurs dans l'quipement, une marque est indique sur la batterie ou
une remarque est insre dans les instructions d'entretien.
Cette marque ou remarque inclut l'avertissement textuel suivant : AVERTISSEMENT
RISQUE D'EXPLOSION SI LA BATTERIE EST REMPLACE PAR UN MODLE INCORRECT. METTRE AU
REBUT LES BATTERIES CONFORMMENT AUX INSTRUCTIONS.
Attention - Pour rduire les risques de chocs lectriques et d'incendie
1. Cet quipement est conu pour permettre la connexion entre le conducteur de mise la terre du
circuit lectrique CC et l'quipement de mise la terre. Voir les instructions d'installation.
2. Tout entretien sera entrepris par du personnel qualifi. Aucune pice l'intrieur de l'unit ne
peut tre remplace ou rpare.
3. NE branchez pas, n'allumez pas ou n'essayez pas d'utiliser une unit manifestement
endommage.
4. Vrifiez que l'orifice de ventilation du chssis dans l'unit n'est PAS OBSTRUE.
5. Remplacez le fusible endommag par un modle similaire de mme puissance, tel qu'indiqu sur
l'tiquette de scurit adjacente l'arrive lectrique hbergeant le fusible.
6. Ne faites pas fonctionner l'appareil dans un endroit, o la temprature ambiante dpasse la
valeur maximale autorise. 40C/104F.
7. Dbranchez le cordon lectrique de la prise murale AVANT d'essayer de retirer et/ou de vrifier
le fusible d'alimentation principal.
PRODUIT LASER DE CLASSE 1 ET RFRENCE AUX NORMES LASER LES PLUS RCENTES : IEC 60
825-1:1993 + A1 :1997 + A2 :2001 ET EN 60825-1:1994+A1 :1996+ A2 :2001
Units CA pour le Danemark, la Finlande, la Norvge, la Sude (indiqu sur le produit) :
Danemark - Unit de classe 1 - qui doit tre utilise avec un cordon CA compatible avec les
dviations du Danemark. Le cordon inclut un conducteur de mise la terre. L'unit sera
branche une prise murale, mise la terre. Les prises non-mises la terre ne seront pas
utilises !
Finlande - (tiquette et inscription dans le manuel) - Laite on liitettv
suojamaadoituskoskettimilla varustettuun pistorasiaan"
Norvge (tiquette et inscription dans le manuel) - "Apparatet m tilkoples jordet stikkontakt"
L'unit peut tre connecte un systme lectrique IT (en Norvge uniquement).
Sude (tiquette et inscription dans le manuel) - "Apparaten skall anslutas till jordat uttag."
Pour brancher l'alimentation lectrique :
1. Branchez le cble d'alimentation la prise principale, situe sur le panneau arrire de l'unit.
2. Connectez le cble d'alimentation la prise CA mise la terre. AVERTISSEMENT
Risque de choc lectrique et danger nergtique. La dconnexion d'une source d'alimentation
lectrique ne dbranche qu'un seul module lectrique. Pour isoler compltement l'unit, dbranchez
toutes les sources d'alimentation lectrique.
ATTENTION
Risque de choc et de danger lectriques. Le dbranchement d'une seule alimentation stabilise ne
dbranche qu'un module "Alimentation Stabilise". Pour Isoler compltement le module en cause, il
faut dbrancher toutes les alimentations stabilises.
Attention: Pour Rduire Les Risques d'lectrocution et d'Incendie
1. Toutes les oprations d'entretien seront effectues UNIQUEMENT par du personnel d'entretien
qualifi. Aucun composant ne peut tre entretenu ou remplace par l'utilisateur.
2. NE PAS connecter, mettre sous tension ou essayer d'utiliser une unit visiblement dfectueuse.
3. Assurez-vous que les ouvertures de ventilation du chssis NE SONT PAS OBSTRUES.
4. Remplacez un fusible qui a saut SEULEMENT par un fusible du mme type et de mme
capacit, comme indiqu sur l'tiquette de scurit proche de l'entre de l'alimentation qui
contient le fusible.
5. NE PAS UTILISER l'quipement dans des locaux dont la temprature maximale dpasse 40
degrs Centigrades.
6. Assurez vous que le cordon d'alimentation a t dconnect AVANT d'essayer de l'enlever et/ou
vrifier le fusible de l'alimentation gnrale.
Sicherheitsanweisungen
VORSICHT
Die Elektroinstallation des Gebudes muss ein unverzglich zugngliches Stromunterbrechungsgert
integrieren.
Aufgrund des Stromschlagrisikos und der Energie-, mechanische und Feuergefahr drfen Vorgnge,
in deren Verlauf Abdeckungen entfernt oder Elemente ausgetauscht werden, ausschlielich von
qualifiziertem Servicepersonal durchgefhrt werden.
Zur Reduzierung der Feuer- und Stromschlaggefahr muss das Gert vor der Entfernung der
Abdeckung oder der Paneele von der Stromversorgung getrennt werden.
Folgende Abbildung zeigt das VORSICHT-Etikett, das auf die Radware-Plattformen mit
Doppelspeisung angebracht ist.
Figure 9: Warnetikett Stromschlaggefahr
SICHERHEITSHINWEIS IN CHINESISCHER SPRACHE FR SYSTEME MIT DOPPELSPEISUNG
Die folgende Abbildung ist die Warnung fr Radware-Plattformen mit Doppelspeisung.
Figure 10: Sicherheitshinweis in chinesischer Sprache fr Systeme mit Doppelspeisung
bersetzung von Figure 10 - Sicherheitshinweis in chinesischer Sprache fr Systeme mit
Doppelspeisung, page 15:
Die Einheit verfgt ber mehr als eine Stromversorgungsquelle. Ziehen Sie zur Verhinderung von
Stromschlag vor Wartungsarbeiten smtliche Stromversorgungsleitungen ab.
WARTUNG
Fhren Sie keinerlei Wartungsarbeiten aus, die nicht in der Betriebsanleitung angefhrt sind, es sei
denn, Sie sind dafr qualifiziert. Es gibt innerhalb des Gertes keine wartungsfhigen Teile.
HOCHSPANNUNG
Jegliche Einstellungs-, Instandhaltungs- und Reparaturarbeiten am geffneten Gert unter
Spannung mssen so weit wie mglich vermieden werden. Sind sie nicht vermeidbar, drfen sie
ausschlielich von qualifizierten Personen ausgefhrt werden, die sich der Gefahr bewusst sind.
Innerhalb des Gertes befindliche Kondensatoren knnen auch dann noch Ladung enthalten, wenn
das Gert von der Stromversorgung abgeschnitten wurde.
ERDUNG
Bevor das Gert an die Stromversorgung angeschlossen wird, mssen die Schrauben der
Erdungsleitung des Gertes an die Erdung der Gebudeverkabelung angeschlossen werden.
LASER
Dieses Gert ist ein Laser-Produkt der Klasse 1 in bereinstimmung mit IEC60825 - 1: 1993 +
A1:1997 + A2:2001 Standard.
SICHERUNGEN
Vergewissern Sie sich, dass nur Sicherungen mit der erforderlichen Stromstrke und der
angefhrten Art verwendet werden. Die Verwendung reparierter Sicherungen sowie die
Kurzschlieung von Sicherungsfassungen muss vermieden werden. In Fllen, in denen
wahrscheinlich ist, dass der von den Sicherungen gebotene Schutz beeintrchtigt ist, muss das
Gert abgeschaltet und gegen unbeabsichtigten Betrieb gesichert werden.
LEITUNGSSPANNUNG
Vor Anschluss dieses Gertes an die Stromversorgung ist zu gewhrleisten, dass die Spannung der
Stromquelle den Anforderungen des Gertes entspricht. Beachten Sie die technischen Angaben
bezglich der korrekten elektrischen Werte des Gertes.
Plattformen mit 48 V DC verfgen ber eine Eingangstoleranz von 36-72 V DC. NDERUNGEN DER
TECHNISCHEN ANGABEN
nderungen der technischen Spezifikationen bleiben vorbehalten.
Hinweis: Dieses Gert wurde geprft und entspricht den Beschrnkungen von digitalen Gerten der
Klasse 1 gem Teil 15B FCC-Vorschriften und EN55022 Klasse A, EN55024; EN 61000-3-2; EN; IEC
61000 4-2 to 4-6, IEC 61000 4-8 und IEC 61000-4- 11 fr Konformitt mit der CE-Bezeichnung.
Diese Beschrnkungen dienen dem angemessenen Schutz vor schdlichen Interferenzen bei Betrieb
des Gertes in kommerziellem Umfeld. Dieses Gert erzeugt, verwendet und strahlt
elektromagnetische Hochfrequenzstrahlung aus. Wird es nicht entsprechend den Anweisungen im
Handbuch montiert und benutzt, knnte es mit dem Funkverkehr interferieren und ihn
beeintrchtigen. Der Betrieb dieses Gertes in Wohnbereichen wird hchstwahrscheinlich zu
schdlichen Interferenzen fhren. In einem solchen Fall wre der Benutzer verpflichtet, diese
Interferenzen auf eigene Kosten zu korrigieren.
ERKLRUNG DER VCCI ZU ELEKTROMAGNETISCHER INTERFERENZ
Figure 11: Erklrung zu VCCI-zertifizierten Gerten der Klasse A
bersetzung von Figure 11 - Erklrung zu VCCI-zertifizierten Gerten der Klasse A, page 16:
Dies ist ein Produkt der Klasse A gem den Normen des Voluntary Control Council for Interference
by Information Technology Equipment (VCCI). Wird dieses Gert in einem Wohnbereich benutzt,
knnen elektromagnetische Strungen auftreten. In einem solchen Fall wre der Benutzer
verpflichtet, korrigierend einzugreifen.
Figure 12: Erklrung zu VCCI-zertifizierte Gerte der Klasse B
bersetzung von Figure 12 - Erklrung zu VCCI-zertifizierte Gerte der Klasse B, page 17:
Dies ist ein Produkt der Klasse B gem den Normen des Voluntary Control Council for Interference
by Information Technology Equipment (VCCI). Wird dieses Gert in einem Wohnbereich benutzt,
knnen elektromagnetische Strungen auftreten.
Montieren und benutzen Sie das Gert laut Anweisungen im Benutzerhandbuch.
BESONDERER HINWEIS FR BENUTZER IN NORDAMERIKA
Whlen Sie fr den Netzstromanschluss in Nordamerika ein Stromkabel, das in der UL aufgefhrt
und CSA-zertifiziert ist 3 Leiter, [18 AWG], endend in einem gegossenen Stecker, fr 125 V, [5 A],
mit einer Mindestlnge von 1,5 m [sechs Fu], doch nicht lnger als 4,5 m. Fr europische
Anschlsse verwenden Sie ein international harmonisiertes, mit "<HAR>" markiertes Stromkabel,
mit 3 Leitern von mindestens 0,75 mm2, fr 300 V, mit PVC-Umkleidung. Das Kabel muss in einem
gegossenen Stecker fr 250 V, 3 A enden.
BEREICH MIT EINGESCHRNKTEM ZUGANG
Das mit Gleichstrom betriebene Gert darf nur in einem Bereich mit eingeschrnktem Zugang
montiert werden.
INSTALLATIONSCODES
Dieses Gert muss gem der landesspezifischen elektrischen Codes montiert werden. In
Nordamerika mssen Gerte entsprechend dem US National Electrical Code, Artikel 110 - 16, 110 -
17 und 110 - 18, sowie dem Canadian Electrical Code, Abschnitt 12, montiert werden.
VERKOPPLUNG VON GERTEN Kabel fr die Verbindung des Gertes mit RS232- und Ethernet-
mssen UL-zertifiziert und vom Typ DP-1 oder DP-2 sein. (Anmerkung: bei Aufenthalt in einem
nicht-LPS-Stromkreis)
BERSTROMSCHUTZ
Ein gut zugnglicher aufgefhrter berstromschutz mit Abzweigstromkreis und 15 A Strke muss fr
jede Stromeingabe in der Gebudeverkabelung integriert sein.
AUSTAUSCHBARE BATTERIEN
Wird ein Gert mit einer austauschbaren Batterie geliefert und fr diese Batterie durch einen
falschen Batterietyp ersetzt, knnte dies zu einer Explosion fhren. Dies trifft zu fr manche Arten
von Lithiumsbatterien zu, und das folgende gilt es zu beachten:
Wird die Batterie in einem Bereich fr Bediener eingesetzt, findet sich in der Nhe der Batterie
eine Markierung oder Erklrung sowohl im Betriebshandbuch als auch in der Wartungsanleitung.
Ist die Batterie an einer anderen Stelle im Gert eingesetzt, findet sich in der Nhe der Batterie
eine Markierung oder einer Erklrung in der Wartungsanleitung.
Diese Markierung oder Erklrung enthlt den folgenden Warntext: VORSICHT
EXPLOSIONSGEFAHR, FALLS BATTERIE DURCH EINEN FALSCHEN BATTERIETYP ERSETZT WIRD.
GEBRAUCHTE BATTERIEN DEN ANWEISUNGEN ENTSPRECHEND ENTSORGEN.
Denmark - "Unit is class I - mit Wechselstromkabel benutzen, dass fr die Abweichungen in
Dnemark eingestellt ist. Das Kabel ist mit einem Erdungsdraht versehen. Das Kabel wird in eine
geerdete Wandsteckdose angeschlossen. Keine Steckdosen ohne Erdungsleitung verwenden!"
Finland - (Markierungsetikett und im Handbuch) - "Laite on liitettv
suojamaadoituskoskettimilla varustettuun pistorasiaan
Norway - (Markierungsetikett und im Handbuch) - "Apparatet m tilkoples jordet stikkontakt
Ausschlielich fr Anschluss an IT-Netzstromsysteme in Norwegen vorgesehen
Sweden - (Markierungsetikett und im Handbuch) - "Apparaten skall anslutas till jordat uttag."
Anschluss des Stromkabels:
1. Schlieen Sie das Stromkabel an den Hauptanschluss auf der Rckseite des Gertes an.
2. Schlieen Sie das Stromkabel an den geerdeten Wechselstromanschluss an.
VORSICHT
Stromschlag- und Energiegefahr Die Trennung einer Stromquelle trennt nur ein
Stromversorgungsmodul von der Stromversorgung. Um das Gert komplett zu isolieren, muss es
von der gesamten Stromversorgung getrennt werden.
Vorsicht - Zur Reduzierung der Stromschlag- und Feuergefahr
1. Dieses Gert ist dazu ausgelegt, die Verbindung zwischen der geerdeten Leitung des
Gleichstromkreises und dem Erdungsleiter des Gertes zu ermglichen. Siehe
Montageanleitung.
2. Wartungsarbeiten jeglicher Art drfen nur von qualifiziertem Servicepersonal ausgefhrt
werden. Es gibt innerhalb des Gertes keine vom Benutzer zu wartenden Teile.
3. Versuchen Sie nicht, ein offensichtlich beschdigtes Gert an den Stromkreis anzuschlieen,
einzuschalten oder zu betreiben.
4. Vergewissern Sie sich, dass sie Lftungsffnungen im Gehuse des Gertes NICHT BLOCKIERT
SIND.
5. Ersetzen Sie eine durchgebrannte Sicherung ausschlielich mit dem selben Typ und von der
selben Strke, die auf dem Sicherheitsetikett angefhrt sind, das sich neben dem
Stromkabelanschluss, am Sicherungsgehuse.
6. Betreiben Sie das Gert nicht an einem Standort, an dem die Hchsttemperatur der Umgebung
40 C berschreitet.
7. Vergewissern Sie sich, das Stromkabel aus dem Wandstecker zu ziehen, BEVOR Sie die
Hauptsicherung entfernen und/oder prfen.
Document Conventions
The following describes the conventions and symbols that this guide uses:
Item Description Description (French) Beschreibung (German)
Example
An example scenario Un scnario d'exemple Ein Beispielszenarium
Caution:
Possible damage to
equipment, software, or
data
Endommagement
possible de l'quipement,
des donnes ou du
logiciel
Mgliche Schden an
Gert, Software oder
Daten
Note:
Additional information Informations
complmentaires
Zustzliche
Informationen
To
A statement and
instructions
Rfrences et
instructions
Eine Erklrung und
Anweisungen
Tip:
A suggestion or
workaround
Une suggestion ou
solution
Ein Vorschlag oder eine
Umgehung
Warning:
Possible physical harm to
the operator
Blessure possible de
l'oprateur
Verletzungsgefahr des
Bedieners
Table of Contents
Important Notices .......................................................................................................... 3
Copyright Notices .......................................................................................................... 4
Safety Instructions ......................................................................................................... 7
Document Conventions ............................................................................................... 19
Chapter 1 Introduction......................................................................................... 29
Introducing DefensePro ............................................................................................... 29
DefensePro System Components ............................................................................... 29
Radware Security Update Service on the Web ........................................................... 30
Typical Deployment ..................................................................................................... 31
Network Connectivity ................................................................................................... 32
Management InterfacesAPSolute Vision and Others .............................................. 32
DefensePro Features .................................................................................................. 33
Security Protections ............................................................................................................. 33
Bandwidth Management ...................................................................................................... 34
Real-time Security Reporting for DefensePro ...................................................................... 34
Historical Security ReportingAPSolute Vision Reporter .................................................. 34
Related Documentation ............................................................................................... 34
DefensePro Release Notes and Maintenance Release Notes ............................................ 35
Radware Installation and Maintenance Guide ..................................................................... 35
APSolute Vision Documentation .......................................................................................... 35
APSolute Vision Reporter Documentation ........................................................................... 36
Web Based Management Help ............................................................................................ 36
Chapter 2 Getting Started.................................................................................... 37
DefensePro Physical Ports .......................................................................................... 37
DefensePro Platforms and Models .............................................................................. 37
Logging into APSolute Vision ...................................................................................... 38
Changing Password for Local Users ........................................................................... 38
APSolute Vision User Interface Overview ................................................................... 39
Configuration Perspective .................................................................................................... 39
Monitoring Perspective ........................................................................................................ 41
Security Monitoring Perspective .......................................................................................... 43
Asset Management Perspective .......................................................................................... 44
APSolute Vision Sites .......................................................................................................... 44
APSolute Vision Sites and DefensePro Devices ......................................................... 44
Table of Contents
Configuring Inspection Ports ...................................................................................... 44
Configuring Port Pairs ......................................................................................................... 45
Managing the Status of Physical Ports ................................................................................ 46
Internal Bypass for RJ -45 Ports .......................................................................................... 46
Updating the Attack Description File .......................................................................... 47
Chapter 3 Basic Device Configuration............................................................... 49
Locking and Unlocking a Device ................................................................................ 49
DefensePro Device Setup .......................................................................................... 50
Configuring DefensePro Global Parameters ....................................................................... 50
Configuring Date and Time Synchronization ....................................................................... 51
Configuring Daylight Saving ................................................................................................ 52
Configuring Access Protocols ............................................................................................. 52
Configuring SNMP Supported Versions .............................................................................. 54
Upgrading a License for a DefensePro Device ................................................................... 54
Configuring E-mail Settings ................................................................................................. 55
Configuring RADIUS Authentication for Device Management ............................................ 56
Configuring Syslog Settings ................................................................................................ 58
Managing Certificates ......................................................................................................... 60
Configuring High Availability ................................................................................................ 64
Configuring BOOTP ............................................................................................................ 71
Advanced Parameters ................................................................................................ 71
Configuring Advanced Settings ........................................................................................... 72
Configuring Configuration Auditing ...................................................................................... 73
Configuring Dynamic Protocols ........................................................................................... 73
Configuring Tuning Parameters .......................................................................................... 75
Configuring Security Reporting Settings ............................................................................. 84
Configuring Out-of-Path Settings for DefensePro ............................................................... 87
Configuring Session Table Settings .................................................................................... 88
Configuring Suspend Settings ............................................................................................. 90
Configuring the Device Event Scheduler ............................................................................. 91
Configuring Tunneling Inspection ........................................................................................ 92
Configuring SNMP ...................................................................................................... 93
Configuring SNMP Users .................................................................................................... 93
Configuring SNMP Community Settings ............................................................................. 94
Configuring the SNMP Group Table .................................................................................... 95
Configuring SNMP Access Settings .................................................................................... 96
Configuring SNMP Notify Settings ...................................................................................... 97
Configuring SNMP View Settings ........................................................................................ 98
Configuring the SNMP Target Parameters Table ................................................................ 98
Configuring SNMP Target Addresses ................................................................................. 99
Configuring Device Users ......................................................................................... 100
Configuring Access Permissions on Physical Ports ................................................. 101
Configuring Port Pinging ........................................................................................... 102
Table of Contents
Chapter 4 Device Network Configuration ........................................................ 103
Configuring Device IP Interfaces .............................................................................. 103
Managing IP Routing ................................................................................................ 104
Configuring IP Routing ...................................................................................................... 104
Configuring ICMP ............................................................................................................. 105
Configuring the ARP Table ............................................................................................... 106
Configuring Ports ...................................................................................................... 107
Configuring Link Aggregation ........................................................................................... 108
Configuring Port Mirroring ................................................................................................. 110
Configuring the Basic Network ParametersIP Version Mode and IP Fragmentation ...
112
IPv4 and IPv6 Support ...................................................................................................... 112
IP Fragmentation .............................................................................................................. 112
Configuring the Basic Networking Parameters ................................................................. 113
Configuring Port Pairs .............................................................................................. 114
Chapter 5 Security Configuration..................................................................... 117
Security Protections .................................................................................................. 117
Selecting a Device for Security Configuration .......................................................... 118
Configuring Global Security Settings ........................................................................ 118
Configuring Global Signature Protection .......................................................................... 119
Configuring DoS Shield Protection ................................................................................... 119
Configuring Global Behavioral DoS Protection ................................................................. 121
Configuring Global Anti-Scanning Protection Settings ..................................................... 127
Configuring Global SYN Flood Protection ........................................................................ 128
Configuring Global Out of State Protection ....................................................................... 129
Configuring Global HTTP Flood Protection ...................................................................... 131
Configuring Global SIP Cracking Protection ..................................................................... 132
Configuring Global Fraud Protection ................................................................................ 133
Managing Global Packet Anomaly Protection .................................................................. 134
Configuring Global DNS Flood Protection ........................................................................ 138
Managing the Network Protection Policy .................................................................. 144
Configuring the Network Protection Policy ....................................................................... 145
Configuring Signature Protection for Network Protection ................................................. 149
Configuring BDoS Profiles for Network Protection ........................................................... 168
Configuring Anti-Scanning Protection for Network Protection .......................................... 170
Configuring Connection Limit Profiles for Network Protection .......................................... 173
Configuring SYN Profiles for Network Protection ............................................................. 177
Radware-Recommended Verification Type Values .......................................................... 179
Configuring Connection PPS Limit Profiles for Network Protection .................................. 182
Configuring DNS Protection Profiles for Network Protection ............................................ 184
Table of Contents
Managing the Server Protection Policy .................................................................... 187
Configuring the Server Protection Policy ........................................................................... 188
Configuring Server Cracking Profiles for Server Protection .............................................. 189
Viewing Radware-defined Server Cracking Protections .................................................... 191
Configuring HTTP Flood Profiles for Server Protection ..................................................... 192
Configuring White Lists ............................................................................................. 195
Configuring White Lists in Defense Pro ............................................................................. 195
Configuring Black Lists ............................................................................................. 198
Managing the ACL Policy ......................................................................................... 202
Configuring Global ACL Policy Settings ............................................................................ 202
Configuring ACL Policy Rules ........................................................................................... 205
Viewing Active ACL Policy Rules ...................................................................................... 208
Chapter 6 Bandwidth Management .................................................................. 209
Bandwidth Management Overview ........................................................................... 209
Application Classification ................................................................................................... 209
Classification Mode ........................................................................................................... 210
Managing Bandwidth Management Global Settings ................................................. 210
Bandwidth Management Policies ............................................................................. 212
Bandwidth Management Policy Mechanism ...................................................................... 212
Bandwidth Management Classification Criteria ................................................................. 213
Bandwidth Management Rules ......................................................................................... 214
Managing Bandwidth Management Policies ..................................................................... 215
Port Bandwidth ......................................................................................................... 220
Chapter 7 Managing Classes ............................................................................ 221
Configuring Network Classes ................................................................................... 221
Configuring Application Classes ............................................................................... 223
Configuring Physical Port Classes ........................................................................... 224
Configuring VLAN Tag Classes ................................................................................ 224
Configuring MAC Address Classes .......................................................................... 225
Viewing Active Class Configurations ........................................................................ 226
Viewing the Active Network Class Configuration .............................................................. 226
Viewing the Active Application Class Configuration .......................................................... 226
Viewing the Active Physical Port Class Configuration ....................................................... 226
Viewing the Active VLAN Tag Class Configuration ........................................................... 227
Viewing the Active MAC Address Class Configuration ..................................................... 227
Configuring MPLS RD Groups ................................................................................. 227
Table of Contents
Chapter 8 Managing Services for Traffic Filtering .......................................... 229
Basic Filters .............................................................................................................. 229
AND Group Filters .................................................................................................... 235
OR Group Filters ...................................................................................................... 236
Viewing Active Services ........................................................................................... 237
Chapter 9 Managing Device Operations and Maintenance............................ 239
Rebooting a DefensePro Device .............................................................................. 239
Shutting Down a DefensePro Device ....................................................................... 240
Enabling and Disabling APSolute Vision Monitoring ................................................ 240
Viewing and Setting Device Date and Time ............................................................. 241
Upgrading Device Software ...................................................................................... 241
Downloading a Devices Log File to the APSolute Vision Client .............................. 242
Updating a Radware Signature File or RSA Signature File ...................................... 243
Downloading a Technical Support File to the APSolute Vision Client ...................... 244
Managing DefensePro Device Configurations .......................................................... 244
Configuration File Content ................................................................................................ 244
Downloading a Devices Configuration File ...................................................................... 245
Restoring a Devices Configuration .................................................................................. 245
Updating Policy Configurations on a DefensePro Device ........................................ 246
Checking Device Memory Availability ....................................................................... 247
Resetting the Baseline for DefensePro .................................................................... 247
Enabling and Disabling Interfaces ............................................................................ 248
Scheduling APSolute Vision and Device Tasks ....................................................... 248
Overview of Scheduling .................................................................................................... 248
Configuring Tasks in the Scheduler .................................................................................. 249
Task Parameters .............................................................................................................. 250
Chapter 10 Monitoring DefensePro Devices and Interfaces .......................... 257
Monitoring DefensePro Devices ............................................................................... 257
Monitoring General DefensePro Device Information ........................................................ 257
Monitoring DefensePro High Availability ........................................................................... 259
Monitoring the DefensePro Suspend Table ...................................................................... 260
Monitoring DefensePro CPU Utilization ............................................................................ 260
Monitoring and Clearing DefensePro Authentication Tables ............................................ 261
Monitoring DefensePro SNMP Statistics .......................................................................... 262
Monitoring DME Utilization According to Configured Policies .......................................... 263
Monitoring DefensePro Syslog Information ...................................................................... 264
Monitoring Session Table Information .............................................................................. 264
Monitoring DefensePro IP Statistics ................................................................................. 266
Monitoring DefensePro Bandwidth Management Statistics .............................................. 267
Monitoring Routing Table Information ............................................................................... 270
Table of Contents
Monitoring DefensePro ARP Table Information ................................................................ 271
Monitoring MPLS RD Information ...................................................................................... 271
Monitoring Device Interfaces .................................................................................... 272
Chapter 11 Real-Time Security Reporting ....................................................... 275
Viewing the Security Dashboard .............................................................................. 275
Viewing Current Attack Information .......................................................................... 277
Attack Details .................................................................................................................... 280
Sampled Data Dialog Box ................................................................................................. 290
Viewing Real-Time Traffic Statistics ......................................................................... 290
Viewing Traffic Utilization Statistics ................................................................................... 290
Viewing Connection Rate Statistics ................................................................................... 292
Viewing Concurrent Connections Statistics ....................................................................... 292
Monitoring Attack SourcesGeographical Map ...................................................... 293
Protection Monitoring ................................................................................................ 293
Displaying Attack Status Information ................................................................................. 294
Monitoring Network Rule Traffic ........................................................................................ 294
Monitoring DNS Flood Attack Traffic ................................................................................. 296
HTTP Reports ........................................................................................................... 298
Monitoring Continuous Learning Statistics ........................................................................ 299
Monitoring Hour-Specific Learning Statistics ..................................................................... 300
HTTP Request Size Distribution ........................................................................................ 300
Chapter 12 Administering DefensePro ............................................................ 303
Command Line Interface .......................................................................................... 303
CLI Session Time-Out ....................................................................................................... 304
CLI Capabilities ................................................................................................................. 304
CLI Traps .......................................................................................................................... 305
Send Traps To All CLI Users ............................................................................................. 305
Web Based Management ......................................................................................... 305
Web Services ........................................................................................................... 306
API Structure ..................................................................................................................... 306
APSolute API Software Development Kit (SDK) ............................................................... 307
Appendix A Behavioral DoS Advanced Settings ............................................ 309
Appendix B Configuring SSL-Based Protection with AppXcel ..................... 313
Configuring SSL Inspection Layer 4 Ports for DefensePro ...................................... 314
Table of Contents
Appendix C Troubleshooting............................................................................ 315
Diagnostic Tools ....................................................................................................... 315
Traffic Capture Tool .......................................................................................................... 315
Trace-Log ......................................................................................................................... 316
Diagnostic Tools Files Management ................................................................................. 319
Diagnostics Policies .......................................................................................................... 320
Technical Support File .............................................................................................. 322
Appendix D Predefined Basic Filters ............................................................... 325
Appendix E Glossary ......................................................................................... 335
Table of Contents
Chapter 1 Introduction
This guide describes DefensePro 6.02 and how to use it.
Unless specifically stated otherwise, the procedures described in this guide are performed using
APSolute Vision.
This chapter introduces Radwares DefensePro and provides a general explanation of its main
features and modules.
This chapter contains the following sections:
Introducing DefensePro, page 29
DefensePro System Components, page 29
Radware Security Update Service on the Web, page 30
Typical Deployment, page 31
Network Connectivity, page 32
Management InterfacesAPSolute Vision and Others, page 32
DefensePro Features, page 33
Related Documentation, page 34
Introducing DefensePro
Radwares award-wining DefensePro is a real-time Intrusion Prevention System (IPS) and DoS-
protection device, which maintains business continuity by protecting the application infrastructure
against existing and emerging network-based threats that cannot be detected by traditional IPSs
such as: network- and application-resource misuse, malware spreading, authentication defeat and
information theft.
DefensePro features full protection from traditional vulnerability-based attacks through proactive
signature updates, preventing the already known attacks, including worms, trojans, bots, SSL-based
attacks, and VoIP attacks.
Unlike market alternatives that rely on static signatures, DefensePro provides unique behavioral-
based, automatically generated, real-time signatures, preventing non-vulnerabilitybased attacks
and zero-minute attacks such as: network and application floods, HTTP page floods, malware
propagation, Web application hacking, brute force attacks aiming to defeat authentication schemes,
and moreall without blocking legitimate users traffic and with no need for human intervention.
With multiple-segment protection in a single unit, a pay-as-you-grow license-upgrade approach, and
ease of management through hands-off security features such as no-configuration and self-tuning,
DefensePro is the industrys leading IPS for best functionality, maximum affordability, and ease of
management.
DefensePro System Components
Radware DefensePro is an in-line Intrusion Prevention and Denial-of-Service protection system that
detects and prevents network threats in real-time. DefensePro inspects incoming and outgoing
traffic for potential attacks, clearing the network from unwanted malicious traffic. DefensePro also
manages bandwidth and establishes traffic shaping rules.
Introduction
The DefensePro system contains the following components:
DefensePro deviceThe term device refers to the physical platform and the DefensePro product.
Management interfaceAPSolute Vision and others.
Radware Security Update Service on the Web.
Figure 13: DefensePro System Components
Radware Security Update Service on the Web
Radwares Security Update Service delivers immediate and ongoing signature updates, protecting
against the latest network and application security threats including worms, trojans, bots, and
application vulnerabilities, to safeguard your applications, network and users.
The Security Update Service consists of the following key service elements:
24/7 Security Operations Center (SOC) ScanningContinuous threat monitoring, detection, risk
assessment and filter creation for threat mitigation.
Emergency FiltersRapid response filter releases for high impact security events through
Emergency Filters.
Weekly UpdatesScheduled periodic updates to the signature files, with automatic distribution
through Radware APSolute Vision, or on-demand download from
http://www.radware.com/content/support/securityzone/serviceinfo/default.asp.
Custom FiltersCustom filters for environment-specific threats and newly reported attacks
reported to the SOC.
For up-to-date security information, refer to the Radware Security Zone, available from the Radware
Web site:
http://www.radware.com/content/support/securityzone/serviceinfo/default.asp.
Introduction
Typical Deployment
The following illustration shows an in-line installation of DefensePro IPS in an enterprise. In this
deployment, DefensePro is located at the gateway, protecting hosts, servers and network resources
against incoming network attacks. DefensePro also protects DMZ servers against attacks targeting
Web, e-mail, VoIP and other services. This Radware deployment is at the enterprise gateway, in
front of the DMZ servers, where DefensePro provides perimeter protection for the enterprise
servers, users, routers and firewalls.
Figure 14: Typical DefensePro Deployment
Introduction
Network Connectivity
The following figure shows the typical network topology of DefensePro.
Figure 15: Typical Network Connectivity
Management InterfacesAPSolute Vision and Others
APSolute Vision is the main management interface for DefensePro.
Additional management interfaces for DefensePro devices include:
Web-Based Management (WBM)
Command-Line Interface (CLI)
You can perform most tasks using any of the management systems. However, for the most part, this
guide describes management tasks by means of APSolute Vision.
APSolute Vision is a graphical application that enables you to configure, modify, monitor, and
generate reports centrally for single or multiple DefensePro deployments.
You can connect a DefensePro device to management interfaces through network physical interfaces
or through serial ports. DefensePro supports the following port types:
Using the network connection: SNMP, HTTP, HTTPS, Telnet, SSH
Using the serial port connection: RS-232 up to 115 Kbit/s (default is 19,200 Kbit/s)
Introduction
The following table lists the DefensePro physical interfaces and supporting management interfaces:
Note: For more information, see Administering DefensePro, page 303.
DefensePro Features
This section provides a brief description of the main DefensePro features and includes the following
topics:
Security Protections, page 33
Bandwidth Management, page 34
Real-time Security Reporting for DefensePro, page 34
Historical Security ReportingAPSolute Vision Reporter, page 34
Security Protections
DefensePros multi-layer security approach combines a set of features detecting and mitigating a
wide range of network attacks.
DefensePro supports the following types of security protections:
Network-wide protectionsProtects against the following:
Behavioral DoSProtects against zero-day flood attacks, including SYN Floods, TCP Floods,
UDP floods, ICMP and IGMP floods.
Scanning and worm protectionZero-day protection against self-propagating worms,
horizontal and vertical TCP and UDP scanning, and ping sweeps.
SYN protectionProtects against any type of SYN flood attack using advanced SYN cookies.
A SYN flood attack is usually aimed at specific servers with the intention of consuming the
servers resources. However, you configure SYN Protection as a Network Protection to allow
easier protection of multiple network elements.
Server protectionsProtects against the following:
Connection limitProtects against session-based attacks, such as half open SYN attacks,
request attacks and connection attacks.
Server-cracking protectionZero-day protection against application-vulnerability scanning,
brute-force and dictionary attacks.
HTTP mitigatorMitigates zero-day HTTP page flood attacks.
DefensePro Interfaces
Protocol APSolute Vision Web Based Management Command Line Interface
SNMPv1, SNMPv3

HTTP

Secure Web

Telnet

SSH

RS-232

Introduction
Signature-based protectionsProtects against known application vulnerabilities, and common
malware, such as worms, trojans, spyware, and DoS.
Access Control ListProvides stateful access control.
Bandwidth Management
Using DefensePros Bandwidth Management module, you can define policies to restrict or maintain
the bandwidth that can be sent or received by each application, user, or segment.
You can configure Bandwidth Management policies to guarantee bandwidth for each critical
application or limit non-critical traffic such as P2P. You can also set rules to block or allow specific
traffic types.
Real-time Security Reporting for DefensePro
APSolute Vision provides real-time attack views and security service alarms for DefensePro devices.
When DefensePro detects an attack, the attack is reported as a security event. DefensePros security
monitoring enables you to analyze real-time and historical attacks. When DefensePro detects an
attack, it automatically generates counter-measures that you can observe and analyze using various
monitoring tools.
DefensePro provides you with monitoring tools that show real-time network traffic and application-
behavior parameters. Security monitoring also provides statistical parameters that represent normal
behavior baselines, which are generated using advanced statistical algorithms.
Historical Security ReportingAPSolute Vision Reporter
APSolute Vision supports the APSolute Vision Reporter for DefensePro.
APSolute Vision Reporter is a historical security reporting engine, which provides the following:
Customizable dashboards, reports, and notifications
Advanced incident handling for security operating centers (SOCs) and network operating centers
(NOCs)
Standard security reports
In-depth forensics capabilities
Ticket workflow management
Related Documentation
See the following documents for information related to DefensePro:
DefensePro Release Notes and Maintenance Release Notes
Radware Installation and Maintenance Guide
APSolute Vision Documentation
APSolute Vision Reporter Documentation
Web Based Management Help
Introduction
DefensePro Release Notes and Maintenance Release Notes
See the DefensePro Release Notes and DefensePro Maintenance Release Notes for information about
the relevant DefensePro version.
Radware Installation and Maintenance Guide
See the Radware Installation and Maintenance Guide for the following:
Pre-installation procedures, which include:
Mounting the platform
Verifying accessibility of management ports
Connecting and installing DefensePro, which includes:
Information on DefensePro physical platforms
Connecting the Management port cable
Connecting the inspection ports cables
Installing APSolute Vision
Initializing DefensePro using APSolute Vision, which comprises the following:
Connecting DefensePro using APSolute Vision
Adding a DefensePro device
The Radware Installation and Maintenance Guide includes additional useful information on the
following:
Maintenance and software upgrade
Troubleshooting
Hardware upgrades
Specifications
APSolute Vision Documentation
APSolute Vision documentation includes the following:
APSolute Vision Administrator GuideSee this for information about:
APSolute Vision features
User managementfor example, adding users and defining their permissions.
Adding and removing DefensePro devices.
Configuring siteswhich is a physical or logical representation of a group of managed
devices.
Administration and maintenance tasks on managed devices; such as, scheduling tasks,
making backups, and so on.
APSolute Vision CLI
APSolute Vision User GuideSee this for information about:
APSolute Vision features
APSolute Vision interface navigation
Monitoring APSolute Visionfor example, version, server, database, device-configuration
files, controlling APSolute Vision operations, backing up the APSolute Vision database
Managing auditing and alerts
Scheduling all APSolute Vision and device tasks
APSolute Vision online helpSee this for information about monitoring managed devices
Introduction
APSolute Vision Reporter Documentation
See the APSolute Vision Reporter online help and APSolute Vision Reporter User Guide for
information about APSolute Vision Reporter and how to use it.
Web Based Management Help
DefensePro Web Based Management supports Help for each page.
Chapter 2 Getting Started
This chapter describes what to do before you configure DefensePro with security policies.
The Radware Installation and Maintenance Guide covers the information and procedures related to
the physical specifications and basic setup of APSolute Vision server and DefensePro platforms. Read
the relevant information and follow the instructions in the Radware Installation and Maintenance
Guide before you perform the other tasks covered in this chapter.
DefensePro Physical Ports, page 37
DefensePro Platforms and Models, page 37
APSolute Vision User Interface Overview, page 39
APSolute Vision Sites and DefensePro Devices, page 44
Configuring Inspection Ports, page 44
Updating the Attack Description File, page 47
DefensePro Physical Ports
DefensePro platforms are equipped with 8P8C (RJ-45) and fiber-optic ports for inspecting traffic. By
default, the RJ-45 traffic ports are configured in pairs, configured to operate in Process mode, and
they are displayed in the Static Forwarding table (see Configuring Inspection Ports, page 44). You
cannot delete the RJ-45 traffic ports from the Static Forwarding table. You must manually add fiber-
optic ports to the Static Forwarding table, and you can delete the fiber-optic ports from the table as
required. All DefensePro models support CLI commands for managing the status of physical ports.
For more information, see Managing the Status of Physical Ports, page 46.
DefensePro Platforms and Models
DefensePro platforms are equipped with 8P8C (RJ-45) and fiber-optic ports for inspecting traffic.
DefensePro models 1016, 2016, and 3016 are based on the OnDemand Switch 2 S1 platform or
OnDemand Switch 2 S2 platform. OnDemand Switch 2 S1 is 1U. OnDemand Switch 2 S2 is 2U. The
OnDemand Switch 2 platforms are equipped with four (4) SFP Gigabit Ethernet (GbE) ports, twelve
(12) RJ-45 GbE ports for inspecting traffic, and two (2) RJ-45 10/100/1000 Ethernet ports for
management only. The twelve RJ-45 GbE traffic ports include a configurable internal bypass
mechanism (see Internal Bypass for RJ-45 Ports, page 46).
DefensePro x412 Behavioral Protections seriesmodels 4412, 8412, and 12412run on
OnDemand Switch 3 S1. DefensePro x412 IPS and Behavioral Protections series (model numbers
4412 and 8412) run on OnDemand Switch 3 S2 and are equipped with a String Matching Engine
(SME) card. The OnDemand Switch 3 S platforms are equipped with four (4) XFP 10-Gigabit
Ethernet (10GbE) ports, four (4) SFP GbE ports, and eight (8) RJ-45 GbE ports for inspecting traffic,
and two (2) RJ-45 10/100/1000 Ethernet ports for management only. The eight RJ-45 GbE traffic
ports include a configurable internal bypass mechanism (see Internal Bypass for RJ-45 Ports,
page 46).
Getting Started
Logging into APSolute Vision
To start working with APSolute Vision, you log into the APSolute Vision client.
After successfully logging in with a username and authenticated password, the APSolute Vision client
application opens. The APSolute Vision client connects to the specified APSolute Vision server. This
means that you always works online with APSolute Vision and its managed network elements.
Up to 10 users can access the APSolute Vision server simultaneously.
APSolute Vision supports role-based access control (RBAC) to manage user privileges. Your
credentials and privileges may be managed through a RADIUS Authentication server or through the
local APSolute Vision user database.
For RBAC users, after successful authentication of your username and password, your role is
determined together with the devices that you are authorized to manage. The assigned role remains
fixed throughout your user session, and you can access only the content panes, menus, and
operations that the role allows.
Depending on the configuration of the APSolute Vision server, you may be prompted to change your
user password when you log in for the first time.
If you enter the credentials incorrectly, you are is prompted to re-enter the information. After a
globally defined number of consecutive failures, the APSolute Vision server locks you out of the
system. If you use local user credentials, a user administrator can release the lockout by resetting
the password to the global default password. If you use RADIUS credentials, you must contact the
RADIUS administrator.
To log into APSolute Vision as an existing user
1. Click the APSolute Vision Client program icon.
2. In the login dialog box, specify the following:
User NameThe name of the user.
PasswordThe password for the user. Depending on the configuration of the server, you
may be required to change your password immediately. Default: r adwar e.
Vision ServerThe name or IP address of the APSolute Vision server. This parameter is
displayed if you click Options. Otherwise, the login procedure tries to connect to the
APSolute Vision server that was specified previously.
AuthenticationThe method to authenticate the user: Local or RADIUS. That is, select
whether to use the credential stored in the APSolute Vision server or the credentials
managed by the specified RADIUS Authentication server. This parameter is displayed if you
click Options. Otherwise, the login procedure tries to connect to the APSolute Vision server
using the authentication method that was specified previously.
3. Click OK.
Changing Password for Local Users
If your user credentials are managed through the local APSolute Vision Users table (not RADIUS),
you can change your user password at the login.
Getting Started
To change a password for a local user
1. Click the APSolute Vision Client program icon.
2. Click Options.
3. Click Change Password.
4. In the Change Password dialog box, enter your username, old password, new password, and
confirm the new password.
5. Click OK. Your new password is saved and the APSolute Vision dialog box is displayed.
APSolute Vision User Interface Overview
The APSolute Vision interface follows a consistent hierarchical structure, organized functionally to
enable easy access to options. You start at a high functional level and drill down to a specific
module, function, or object.
Each high-level function, such as device configuration, monitoring, or viewing real-time reports, is
accessible from a separate perspective.
APSolute Vision supports the following perspectives:
Configuration Perspective, page 39
Monitoring Perspective, page 41
Security Monitoring Perspective, page 43
Asset Management Perspective, page 44
Note: You can configure which perspective is displayed by default when you start an APSolute
Vision client session.
Configuration Perspective
Use the Configuration perspective to configure Radware devices. Typically, you choose the device to
configure in the Configuration perspective system pane Organization tab. You can view and modify
device settings in the content pane tabs, which have their own navigation panes for easier
navigation through configuration tasks.
The Configuration perspective also includes the Properties pane, which displays information about
the currently selected device.
When APSolute Vision manages Alteon, you choose the standalone, vADC or VA device to configure
in the Configuration perspective system pane Organization tab. You manage ADC-VXs and the
hosted vADCs in the Configuration perspective system pane Physical tab.
Getting Started
Figure 16: Configuration PerspectiveDefensePro
Configuration buttonOpens
the Configuration perspective
Content area
Navigation area for the tab
Properties pane
System pane Organization tab
Includes the site tree, configured
sites, and configured devices
Button that opens
the APSolute
Vision Reporter
Alerts paneDisplays the Alerts tab and the Messages tab.
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab is not relevant for DefensePro.
Getting Started
The following points apply to all configuration tasks in the Configuration perspective:
To configure a device, you must lock it. For more information, see the APSolute Vision
documentation.
When you change a field value, the field label is displayed in italics.
Mandatory fields are displayed in red. You must enter data, or select an option in these fields.
After setting a mandatory field, the field label changes to black.
By default, tables display up to 20 rows per table page. You can change the number of rows per
table up to a maximum of 100 rows.
You can perform one or more of the following operations on table entries:
Add a new entry to the table, and define its parameters.
Edit one or more parameters of an existing table entry.
Delete a table entry.
Device configuration information is saved only on the DefensePro device, not in the APSolute
Vision database. To commit information to the device, you must do the following:
Click OK when you modify settings in a configuration dialog box.
Click (Submit) when you modify settings in a configuration page.
Some configuration changes require an immediate device reboot. When you submit the
configuration change the device will reboot immediately.
Some configuration changes require a device reboot to take effect, but you can save the
change without an immediate reboot. When you submit a change without a reboot, the
Properties pane displays a Reboot Required notification until you reboot the device.
For AppDirector and DefensePro, click Update Policies to implement policy-configuration
changes if necessary. Policy-configuration changes for a device are saved on the DefensePro
device, but are not applied until you perform a device configuration update.
For Alteon, APSolute Vision supports the configuration-management options: Apply, Save,
Diff, Diff Flash, Revert, Revert Apply, and Dump.
Example Device selection in the Configuration perspective
The following example shows the selections you would make to view or change configuration
parameters for a Radware device:
1. Open the Configuration perspective by clicking at the top of the window.
2. Select the required device in the system pane by drilling down through the sites and subsites.
3. Right-click the device name, and select Lock Device.
4. Select the required configuration tab in the content pane. Each tab displays a tab navigation
pane and configuration options.
5. Select an option in the navigation pane.
6. You can now view and change configuration parameters.
Monitoring Perspective
In the Monitoring perspective, you can monitor physical devices and interfaces, and logical objects,
such as farms and servers. The Monitoring perspective navigation pane contains two navigation
tabs. The System tab contains the physical devices and interfaces. The Properties pane displays
information about the currently selected device. The content pane for each type of entity contains
tabs in which you can view different types of information. Some tabs contain a navigation pane.
Getting Started
Figure 17: Monitoring PerspectiveDefensePro
Monitoring buttonopens
Monitoring perspective
Content area
Navigation area for tab
Properties pane
Alerts paneDisplays the Alerts tab and the Messages tab.
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab is not relevant for DefensePro.
System paneIncludes the Organization,
Application Delivery, and Physical tabs. The
Organization tabs is relevant for DefensePro.
Getting Started
Security Monitoring Perspective
The Security Monitoring perspective is displayed only for devices that support the relevant Security
module.
In the Security Monitoring perspective, you can access a collection of real-time security-monitoring
tools that provide visibility regarding current attacks that the DefensePro device has detected. The
Properties pane displays information about the currently selected device.
The Security Monitoring perspective includes the following tabs:
Security DashboardA graphical summary view of all current active attacks in the network with
color-coded attack-category identification, graphical threat-level indication, and instant drill-
down to attack details.
Current AttacksA view of the current attacks in a tabular format with graphical notations of
attack categories, threat-level indication, drill-down to attack details, and easy access to the
protecting rules for immediate fine-tuning.
Traffic MonitoringA real-time graph and table displaying network information, with the attack
traffic and legitimate traffic filtered according to specified traffic direction and protocol.
Geo MapA graphical map view that displays threats by origin with hierarchical drill-down to IP
level.
Protection MonitoringReal-time graphs and tables with statistics on rules, protections
according to specified traffic direction and protocol, along with learned traffic baselines.
HTTP ReportsReal-time graphs and tables with statistics on rules, protections according to
specified traffic direction and protocol, along with learned traffic baselines.
Figure 18: Security Monitoring PerspectiveShowing the Security Dashboard
Getting Started
Asset Management Perspective
The Asset Management perspective is displayed only to users with the Administrator or User
Administrator role. A user with the User Administrator role can only view and configure local users.
For more information about roles and the Asset Management perspective, see the APSolute Vision
Administrator Guide.
APSolute Vision Sites
You can organize the Radware devices that APSolute Vision manages according to sites. APSolute
Vision displays the sites and managed devices in the system tab. Typically, a site is a group of
devices that share properties, such as location, services, or device type. You can nest sites; that is,
each site can contain subsites and devices.
In the context of role-based access control (RBAC), sites enable administrators to define the scope
of each user.
Sites also play a role in the context of vADCs and ADC-VXs. When you manage a vADC hosted by an
ADC-VX in the Physical tab, you specify the site under which that vADC is displayed in the
Organization tab.
APSolute Vision Sites and DefensePro Devices
A site in APSolute Vision is a physical or logical representation of a group of managed devices, such
as managed DefensePro devices. A site can be based on a geographical location, an administrative
function, device type, and so on. Each site can contain nested sites and devices.
Before you can configure a DefensePro device and security policies through APSolute Vision, the
DefensePro device must be exist on and connected to the APSolute Vision server. The sites and
DefensePro devices are displayed in the System tab.
Only users with the proper permissions can add sites and DefensePro devices to an APSolute Vision
server.
See the APSolute Vision Administrator Guide for information on the following topics:
APSolute Vision sites
Configuring sites
Adding and removing devices
Administration and maintenance tasks on managed devices; such as, scheduling tasks, making
backups, and so on
Monitor managed devices through APSolute Vision. For more information, see the APSolute
Vision online help
Configuring Inspection Ports
An inspection port is a port on a DefensePro device that you can configure to receive, inspect, and
transmit traffic.
This section contains the following:
Configuring Port Pairs
Managing the Status of Physical Ports
Internal Bypass for RJ-45 Ports
Getting Started
You can configure ports on a DefensePro device to receive, inspect, and transmit traffic. The traffic
from the receiving port is always sent out of the device from its corresponding transmitting port. The
ports are paired; one port receives traffic while another transmits traffic.
You can set the operation mode of a port pair. When the port pair operates in Process mode, the
traffic is inspected for attacks and traffic sampling policies are applied. When the port pair operates
in Forward mode, the traffic is forwarded to the destination port without any inspection.
To configure a pair of ports
1. In the Configuration perspective Networking tab navigation pane, select Port Pairs.
2. Do one of the following:
To add a pair of ports, click the (Add) button.
To edit a pair of ports, double-click the row.
3. Configure the parameters; and then, click OK.
Table 1: Port Pair Parameters
Parameter Description
Port Pairs
Source Port The user-defined source port for received traffic.
Destination Port The user-defined destination port for transmitted traffic.
Operation The operation mode assigned to a pair of ports.
Values:
ForwardThe traffic is forwarded without any inspection.
ProcessThe traffic passes thought the CPU and is inspected for attacks,
bandwidth, and so on.
Failure Mode Specifies whether the traffic passes through (bypasses) a pair of RJ-45 ports
when the platform is rebooting or is powered down (for example, if the device
fails).
Values:
Fail-CloseTraffic does not pass through when the platform is powered
down. When a pair of ports enters fail-close state, traffic is blocked and
the link appears to be down (no power), and switches that are connected
to the DefensePro device detect the link as being down.
Fail-OpenTraffic passes through (not processed by DefensePro) when
the platform is powered down.
Note: For more information, see Internal Bypass for RJ-45 Ports, page 46.
In Port Specifies which port in the pair is designated as the inbound portthe source
or destination port. This setting is used in real-time reports for inbound and
outbound traffic.
Getting Started
Managing the Status of Physical Ports
You can manage the status of physical ports using CLI.
To view the status of a physical port using CLI
Run the following command:
devi ce ent er - f ai l ur e- st at e get <por t >
where por t is the identifier of the physical port.
To set the status of a physical port using CLI
Run the following command:
devi ce ent er - f ai l ur e- st at e set <por t > - f s <f ai l ur e- st at e>
where por t is the identifier of the physical port and the value for the f ai l ur e- st at e flag can
be:
1enable
2disable
Example
device enter-failure-state set 2 -fs 1
sets the status of port 2 on the device to fail. The port will fail to the state that is defined in the
Static Forwarding table (for OnDemand Switch devices).
Internal Bypass for RJ -45 Ports
You can configure whether the traffic passes through (bypasses) a pair of RJ-45 ports when the
platform is rebooting or is powered down (for example, if the device fails). You can choose from two
failure modes: Fail-Close or Fail-Open.
Advanced Parameters
Enable Interface
Grouping
Specifies whether the device groups the statuses of the port-pair interfaces.
When the option is enabled, if one port of a port pair is disconnected,
DefensePro sets the status of the paired port to disconnected also. Therefore,
When the option is enabled; so a remote device connected to the DefensePro
device perceives the same disconnected status.
Typically, the option is enabled when DefensePro is configured between
switches that use link redundancy; interface grouping is the only way both
switches always perceive the same DefensePro interfaces status.
Default: Disabled
Getting Started
With the Fail-Close option, traffic does not pass through when the platform is powered down. When
a pair of ports enters fail-close state, traffic is blocked and the link appears to be down (no power),
and switches connected to DefensePro detect the link as being down.
With the Fail-Open option, traffic passes through (not inspected by DefensePro) when the platform is
powered down.
When you configure a port pair to use the Fail-Open option, you cannot do the following:
Assign the ports into a link aggregation.
Use either of the ports for management purposes.
Configure either of the ports as a copied destination port. Configure the ports for SSL inspection.
Note: By default, all the interfaces that support configurable failure modeexcept the last
pairare configured with the Process option for Port Operation with the failure mode set
to Fail-Open.
For network debugging or testing purposes, using CLI, you can manually force a pair of ports into
the failure statewithout turning the power off or rebooting the device.
DefensePro sends appropriate notifications at the following times:
When the configuration of a port pair changes from Fail-Close to Fail-Open.
With the Fail-Open option, when:
A port changes status from up to down.
A port changes status from down to up.
For the procedure for configuring the failure mode, see Configuring Port Pairs, page 45.
Updating the Attack Description File
The Attack Description file contains descriptions of all the different attacks. You can view a specific
description by entering the attack name. When you first configure APSolute Vision, you should
download the latest Attack Description file to the APSolute Vision server. The file is used for real-
time and historical reports to show attack descriptions for attacks coming from DefensePro devices.
The file versions on APSolute Vision and on the DefensePro devices should be identical; Radware
recommends synchronizing regular updates of the file at regular intervals on APSolute Vision and on
the individual devices.
When you update the Attack Description file, APSolute Vision downloads the file directly from
Radware.com or from the enabled proxy file server.
To update the Attack Description file
In the Asset Management perspective system pane, select General Settings; and then, in
the content pane, select the Overview tab and click Update in the Attack Description group
box.
In the Asset Management perspective system pane, right-click General Settings; and then,
select Update Attack Description File.
Getting Started
To update the Attack Description file from Radware, select the Radware.com radio button.
To update the files from the APSolute Vision client host:
a. Select the Client radio button.
b. In the File Name text box, enter the file path of the Attack Description file or click
Browse to navigate to and select the file.
3. Click Send and OK.
4. The Alerts pane displays a success or failure notification and whether the operation was
performed using a proxy server.
Chapter 3 Basic Device Configuration
Users with the proper permissions can add DefensePro devices to the sites tree and configure them.
The following topics describe basic device-configuration tasks:
Locking and Unlocking a Device, page 49
DefensePro Device Setup, page 50
Advanced Parameters, page 71
Configuring SNMP, page 93
Configuring Device Users, page 100
Configuring Access Permissions on Physical Ports, page 101
Configuring Port Pinging, page 102
Locking and Unlocking a Device
When you have permissions to perform device configuration on a specific device, you must lock the
device before you can configure it. Locking the device ensures that other users cannot make
configuration changes at the same time. The device remains locked until you unlock the device, you
disconnect, until the Device Lock Timeout elapses, or an Administrator unlocks it. Locking a device
does not apply to the same device that is configured on another APSolute Vision server, using WBM,
or using CLI.
Note: Only one APSolute Vision server should manage any one Radware device. For more
information, see the APSolute Vision Administrator Guide.
While the device is locked:
The device icon in the main navigation pane System tab includes a small lock symbol for
DefensePro.
Configuration panes are displayed in read-only mode to other users with configuration
permissions for the device.
If applicable, the (Commit) button is displayed.
If applicable, the (Add) button is displayed.
To lock a device
In the Configuration perspective main navigation pane System tab, right-click the device name,
and select Lock Device.
To unlock a device
In the Configuration perspective main navigation pane System tab, right-click the device name,
and select Unlock Device.
Basic Device Configuration
DefensePro Device Setup
You can configure the following setup parameters for a selected DefensePro device:
Configuring DefensePro Global Parameters, page 50
Configuring Date and Time Synchronization, page 51
Configuring Daylight Saving, page 52
Configuring Access Protocols, page 52
Configuring SNMP Supported Versions, page 54
Upgrading a License for a DefensePro Device, page 54
Configuring E-mail Settings, page 55
Configuring RADIUS Authentication for Device Management, page 56
Configuring Syslog Settings, page 58
Managing Certificates, page 60
Configuring High Availability, page 64
Configuring BOOTP, page 71
Configuring DefensePro Global Parameters
You can view the following device information:
Basic device parameters
The time and date settings on the device
Device hardware and software versions
To view and configure DefensePro global parameters
1. In the Configuration perspective Setup tab navigation pane, select Global Parameters.
2. Configure location and contact information, if required; and then, click (Submit) to submit
the changes.
Table 2: DefensePro Global Parameters
Basic Parameters
Device Description (Read-only) The description configured on the device.
Device Name (Read-only) The device name configured in APSolute Vision.
Location Enter the device location, if required.
Contact Information Enter contact information, if required.
System Up Time (Read-only) The length of time since that the device has been up
since last device reboot.
Date and Time
Device Time (Read-only) The time setting on the device.
Device Date (Read-only) The date setting on the device.
Configuring Date and Time Synchronization
DefensePro uses Network Time Protocol (NTP) to synchronize time and date. NTP enables device
synchronization by distributing an accurate clock across the network. At predefined intervals, a
device sends time query messages to the NTP Server. The server sends the date and time to the
device.
Enabling or disabling the NTP capability results in different levels of accuracy.
Note: When NTP is disabled, the time and date must be set manually for the device.
To configure DefensePro date and time synchronization
1. In the Configuration perspective Setup tab navigation pane, select Time Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.
Version Information
Software Version (Read-only) The version of the product software on the device.
Hardware Version (Read-only) The version of device hardware.
Table 3: NTP Parameters
Enable NTP Enables or disables the NTP feature.
Default: Disabled
Note: The NTP Server Address must be configured to enable the NTP
feature.
Server Name The IP address of the NTP server.
L4 Port The NTP server port.
Default: 123
Polling Interval The interval, in seconds, between time query messages sent to the NTP
server.
Default: 64
Time Zone The time-zone offset from GMT (-12:00 to + 12:00 hours).
Default: 00:00
Table 2: DefensePro Global Parameters
Configuring Daylight Saving
DefensePro supports daylight savings time. You can configure the daylight savings time start and
end dates and times. During daylight savings time, the device automatically adds one hour to the
system clock. The device also indicates whether it is on standard time or daylight saving time.
Note: When the system clock is manually configured, the system time is changed only when
daylight saving time starts or ends. When daylight saving time is enabled during the
daylight saving time period, the device does not change the system time.
To configure DefensePro daylight saving
1. In the Configuration perspective Setup tab navigation pane, select Time Settings > DayLight
Saving.
Configuring Access Protocols
In addition to managing DefensePro devices using APSolute Vision, you can also use Web Based
Management (WBM) and Command Line Interface (CLI).
You can connect DefensePro devices to the following:
WBM on the device through HTTP and HTTPS
CLI through Telnet and SSH
Web services
To configure access protocols for WBM and CLI
1. In the Configuration perspective Setup tab navigation pane, select Access Protocols.
Table 4: Daylight Saving Parameters
Enabled Enables or disables daylight saving time.
Default: Disabled
Begins at The start date and time for daylight saving time.
Ends at The end date and time for daylight saving time.
Current Mode Specifies whether the device is on standard time or daylight saving
time.
Table 5: Access Protocol Parameters
Web Access
Enable Web Access Enables access to the Web server.
Default: disabled
L4 Port The port to which WBM is assigned.
Default: 80
Web Help URL The location (path) of the Web help files.
Secured Web Access
Enable Secured Web Access Enables secured access to the Web server.
Default: disabled
L4 Port The port through which HTTPS gets requests.
Default: 443
Certificate The certificate file used by the secure Web server for encryption.
Telnet
Enable Telnet Enables Telnet access to the device.
Default: disabled
L4 Port The TCP port used by the Telnet.
Default: 23
Session Timeout The period of time, in minutes, the device maintains a connection
during periods of inactivity. If the session is still inactive when the
predefined period ends, the session terminates.
Values: 1120
Default: 5
Note: To avoid affecting device performance, the timeout is
checked every 10 seconds. Therefore, the actual timeout
can be up to 10 seconds longer than the configured time.
Authentication Timeout The timeout, in seconds, required to complete the authentication
process.
Values: 1060
Default: 30
SSH
Enable SSH Enables SSH access to the device.
Default: disabled
L4 Port Source port for the SSH server connection.
Default: 22
Configuring SNMP Supported Versions
APSolute Vision connects to DefensePro devices using SNMP. For information about SNMP, and
configuring SNMP for the DefensePro devices, see Configuring SNMP, page 93.
To configure SNMP supported versions
1. In the Configuration perspective Setup tab navigation pane, select SNMP Versions.

Upgrading a License for a DefensePro Device
You can upgrade the capabilities of a DefensePro device using the licensing procedure.
The license provided to you, is a one-time license. To change licenses, you must use a new license
key, after which, the old license key cannot be reused.
Session Timeout The period of time, in minutes, the device maintains a connection
during periods of inactivity. If the session is still inactive when the
predefined period ends, the session terminates.
Values: 1120
Default: 5
Note: To avoid affecting device performance, the timeout is
checked every 10 seconds. Therefore the actual timeout can
be up to 10 seconds longer than the configured time.
Authentication Timeout The timeout, in seconds, required to complete the authentication
process.
Values: 1060
Default: 30
Web Services
Enable Web Services Enables access to Web services.
Default: Enabled
Table 6: SNMP Supported Version Parameters
Supported SNMP Versions The currently supported SNMP versions.
Supported SNMP Versions
after Reset
The SNMP versions supported by the SNMP agent after resetting the
device. Select the SNMP version to support. Clear the versions that
are not supported.
Table 5: Access Protocol Parameters
Each license is based on the devices MAC address and on a license ID that is changed every time a
new license is used. To obtain a license upgrade or downgrade, you must include the MAC address
and the current license ID of the device when you order the required license part number. This
information is displayed in the License Upgrade window.
You will receive the new license string by e-mail. After you enter the new license information in the
License Upgrade pane, the old license cannot be reused.
To upgrade a license after receiving new license keys
1. In the Configuration perspective Setup tab navigation pane, select License Upgrade.
2. Configure license upgrade parameters for the new license keys; and then, click (Submit) to
submit the changes.
Configuring E-mail Settings
You can configure the device to send information messages via e-mail to device users. This feature
can be used for sending trap information via e-mail. When you configure device users, you can
specify whether an individual user should receive notifications via e-mail and the minimal event
severity reported via SNMP traps and e-mail. The user will receive traps of the configured severity
and higher.
The e-mail configuration applies both for SNMP traps and for SMTP e-mail notifications. SMTP
notifications are enabled globally for the device.
Note: The device optimizes the mailing process by gathering security and system events,
which it sends in a single notification message when the buffer is full, or when a timeout
of 60 seconds expires.
Table 7: DefensePro License Upgrade Parameters
Basic Information
Base MAC Address The MAC address of the first port on the device. This is the MAC
address on which the license is based.
License Upgrade
License ID Reports the device software license ID and must be provided to
Radware when requesting a new license.
New License Key The device software license allows you to activate advanced software
functionality.
Throughput License ID Manages the device throughput license ID and must be provided to
Radware when requesting a new throughput license.
Throughput License Key Manages the device throughput level license.
To configure DefensePro e-mail settings
1. In the Configuration perspective Setup tab navigation pane, select Email Settings.
Note: To configure users to receive e-mails about errors, in the User Table, set the e-mail
address and notification severity level for each user. For information about configuring
users, see Configuring Device Users, page 154.
Configuring RADIUS Authentication for Device Management
DefensePro provides additional security by authenticating the users who access a device for
management purposes. With RADIUS authentication, you can use RADIUS servers to determine
whether a user is allowed to access device management using CLI, Telnet, SSH or Web Based
Management. You can also select whether to use the device User Table when RADIUS servers are
not available.
Note: The DefensePro devices must have access to the RADIUS server and must allow device
access.
Table 8: DefensePro E-mail Parameters
Basic SMTP Parameters
Enable Email Client Enables the e-mail client. Select to support features that are related
to sending e-mail messages.
Default: Disabled
Enable Sending Email upon
Errors
Enables sending notifications via e-mail.
Default: Disabled
SMTP Server Parameters
Primary Server Address IP address of the SMTP Server.
Alternate Server Address An IP address of an alternative SMTP Server. The alternate SMTP
server is used when SMTP connection cannot be established
successfully with the main SMTP server, or when main SMTP server
closed the connection. The device tries to establish connection to the
main SMTP server, and starts re-using it when available.
SMTP Client Parameters
Email Address Mail address that will appear in the Sender field of e-mail messages
generated by the device, for example device1@domain.com.
To configure RADIUS authentication for device management
1. In the Configuration perspective Setup tab navigation pane, select RADIUS Authentication.
2. Configure RADIUS authentication parameters for the managed Radware device, and then,
click (Submit) to submit the changes.
Table 9: RADIUS Authentication Parameters
Main
Server IP Address The IP address of the primary RADIUS server.
L4 Port The access port number of the primary RADIUS server.
Values: 1645, 1812
Default: 1645
Secret The authentication password for the primary RADIUS server.
Verify Secret When defining the password, reenter for verification.
Backup
Server IP Address The IP address of the backup RADIUS server.
L4 Port The access port number of the backup RADIUS server.
Values: 1645, 1812
Default: 1645
Secret The authentication password for the backup RADIUS server.
Verify Secret When defining the password, reenter for verification.
Basic Parameters
Timeout The length of time the device waits for a reply from the RADIUS
server before a retry, or, if the Retries value is exceeded, before
the device acknowledges that the server is offline.
Default: 1
Retries The number of connection retries to the RADIUS server, after the
RADIUS server does not respond to the first connection attempt.
After the specified number of Retries, if all connection attempts
have failed (Timeout), the backup RADIUS server is used.
Default: 2
Client Lifetime The time, in seconds, of the clients authentication. After the client
lifetime expires, the device re-authenticates the user.
Default: 30
Configuring Syslog Settings
Event traps can be mirrored to up to five syslog servers. For each DefensePro device, you can
configure the appropriate information. Any traps generated by the device will be mirrored to the
specified syslog servers.
You can also use additional notification settings, such as Facility and Severity. Facility specifies the
type of device of the sender. Severity specifies the importance or impact of the reported event. The
user-defined Facility value is used when the device sends syslog messages; the Severity value is
determined dynamically by the device for each message that is sent.
Note: Instead of configuring each individual device, Radware recommends configuring the
APSolute Vision server to convey the syslog messages from all devices. For more
information about configuring syslog reporting on the APSolute Vision server, see the
APSolute Vision Administrator Guide.
To configure syslog
1. In the Configuration perspective Setup tab, select Syslog.
To enable the syslog feature, select the Enable Syslog checkbox.
To disable the syslog feature, clear the Enable Syslog checkbox.
Default: Enabled
To add an entry, click the (Add) button.
To modify an entry, double-click the entry in the table.
Table 10: Syslog Parameters
Enable Syslog Server Specifies whether the syslog server is enabled.
Default: Enabled
Server Address The IP address or hostname of the device running the syslog service
(syslogd).
Source Port The syslog source port.
Default: 514
Note: Port 0 specifies a random port.
Destination Port The syslog destination port.
Default: 514
Facility The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages
Clock Daemon
Clock Daemon2
FTP Daemon
Kernel Messages
Line Printer Subsystem
Local 0
Local 1
Local 2
Local 3
Local 4
Local 5
Default: Local Use 6
Local 6
Local 7
Log Alert
Log Audit
Mail System
Network News Subsystem
NTP Daemon
Syslogd Messages
System Daemons
User Level Messages
UUCP
Protocol The protocol that the device uses to send syslog messages.
Values:
UDPThe device sends syslog messages using UDP. That is, the
device sends syslog messages with no verification of message
delivery.
TCPThe device sends syslog messages using TCP. That is, the device
verifies the message delivery. The device holds undelivered messages
in a backlog. As soon as the connection to the syslog server is re-
established, the device sends them. If the backlog is full (100
messages, non-configurable), the device replaces lower-priority
messages with higher-priority messages (FIFO).
TLSThe device sends syslog messages using TCP with Transport
Layer Security (TLS) and uses the CA certificate specified in the CA
Certificate Name field. That is, the device verifies message delivery.
The device holds undelivered messages in a backlog. As soon as the
connection to the syslog server is re-established, the device sends
them. If the backlog is full (100 messages, non-configurable), the
device replaces lower-priority messages with higher-priority messages
(FIFO).
Default: UDP
Note: Report notification of lost syslog messages to your network
administrator.
Managing Certificates
This section describes certificates and how to manage them using APSolute Vision.
Certificates
Certificates are digitally signed indicators which identify the server or user. They are usually
provided in the form of an electronic key or value. The digital certificate represents the certification
of an individual business or organizational public key but can also be used to show the privileges and
roles for which the holder has been certified. It can also include information from a third-party
verifying identity. Authentication is needed to ensure that users in a communication or transaction
are who they claim to be.
A basic certificate includes the following:
The certificate holders identity
The certificates serial number
The certificate expiry date
A copy of the certificate holders public key
The identity of the Certificate Authority (CA) and its digital signature to affirm the digital
certificate was issued by a valid agency
Keys
A key is a variable set of numbers that the sender applies to encrypt data to be sent via the
Internet. Usually a pair of public and private keys is used. A private key is kept secret and used only
by its owner to encrypt and decrypt data. A public key has a wide distribution and is not secret. It is
used for encrypting data and for verifying signatures. One key is used by the sender to encrypt or
interpret the data. The recipient also uses the key to authenticate that the data comes from the
sender.
The use of keys ensures that unauthorized personnel cannot decipher the data. Only with the
appropriate key can the information be easily deciphered or understood. Stolen or copied data would
be incomprehensible without the appropriate key to decipher it and prevent forgery. DefensePro
supports the following key size lengths: 512, 1024, or 2048 bytes.
Self-Signed Certificates
Self-signed certificates do not include third-party verification. When you use secure WBM, that is, an
HTTPS session, the DefensePro device uses a certificate for identification. By default, the device has
self-signed Radware SSL certificates. You can also specify your own self-signed SSL certificates.
CA Certificate Name The name of the CA certificate in the Certificate Table that the device uses
to send syslog messages when TLS is selected in the Protocol field.
To configure a new CA certificate, from the drop-down list, select New.
To view the existing certificates, click . And then, to edit a certificate
in the dialog box, double-click on it.
For information on configuring certificates, Managing Certificates,
page 60.
Modifying Certificate Information for a Selected Device
To view and modify certificate information for a selected device
In the Configuration perspective Setup tab navigation pane, select Certificates.
The Certificates table displays information for each certificate stored on the device. From here,
you can add, edit, and delete certificates. You can also import and export certificates, and show
certificate text.
Configuring Certificates
You can create or modify a self-signed certificate for secured access to Web Based Management
(WBM).
You can also create certificate signing requests and keys for new certificates.
To create or modify a certificate or key
1. In the Configuration perspective Setup tab navigation pane, select Certificates.
To add a certificate, click the (Add) button.
To edit a certificate, double-click the certificate name.
3. Configure certificate parameters and click OK.
Table 11: Certificate Parameters
Name The name of Key or Certificate.
Type The type of certification.
Values:
Certificate
Certificate of Client CA
1
Certificate Signing Request
Intermediate CA Certificate
1
KeyWhen you select Key, only the Key Size and Passphrase fields
are available.
Key Size The key size, in bytes.
Larger key sizes offer an increased level of security. Radware
recommends that certificates have a key size of 1024 bits or more.
Using a certificate of this size makes it extremely difficult to forge a
digital signature or decode an encrypted message.
Values: 512, 1024, 2048
Common Name The domain name of the organization, for example, www.radware.com,
or IP address.
Organization The name of the organization.
Configuring Default Certificate Attributes
Use certificate defaults to define your organizations default parameters to be used when creating
signing requests or self-signed certificates.
To configure default attributes, the connection between the APSolute Vision server and the relevant
device must use SNMPv3.
To configure the default certificate attributes
1. In the Configuration perspective Setup tab navigation pane, select Certificates > Default
Attributes.
Email Address Any e-mail address that you want to include within the certificate.
Key Passphrase The Key Passphrase encrypts the key in storage and is required to
export the key. Since Private Keys are the most sensitive parts of PKI
data they must be protected by a passphrase. The passphrase should
be at least four characters and Radware recommends using stronger
passphrases than that based on letters, numbers and signs.
Verify Key Passphrase After you define the key passphrase, re-enter for verification.
Locality The name of the city.
State / Province The state or province.
Organization Unit The department or unit within the organization.
Country Name The organization country.
Certificate Expiration The duration, in days, that a certificate remains valid.
Values: 1365
Default: 365
1 If you select this option when it is not allowed (according to the type of certificate you
are using), the device alerts you with an error message.
Table 12: Default Certificate Parameters
Common Name The domain name of the organization. For example, www.radware.com.
Locality The name of the city.
State / Province The state or province.
Organization The name of the organization.
Organization Unit The department or unit within the organization.
Country Name The organization country.
Email Address Any e-mail address to include in the certificate.
Table 11: Certificate Parameters
Importing Certificates
You can import keys and certificates from another machine, and import a certificate to an existing
Signing Request to complete its process.
Keys and certificates are imported in PEM format. If you have separate PEM files for Key and for
certificate, you must to import them consecutively with the same entry name.
To import a certificate or key
2. Click the Import button below the table.
3. Configure import certificate parameters, and click OK to start the import.
Exporting Certificates
Key, certificate and signing request export is used for backup purposes, moving existing
configurations to another system or for completion of Signing Request processes. You can export
certificates from a device by copying and pasting a key or by downloading a file. Keys and
certificates are exported to PEM format.
Note: The Radware key is created without a Radware password at system startup, thus it can
be exported without a Radware password.
Table 13: Import Certificate Parameters
Entry Name Input new entry name to create by import, or existing entry name to
overwrite or complete Key or CSR.
Entry Type Values:
CertificateImports a certificate from backup or exported from
another machine. The certificate must be imported onto a matching
key or signing request.
KeyImports a key from backup or exported from another system.
To complete the configuration, you will need to import a certificate
into this key.
Passphrase
(For Key entry type
only)
Since Private Keys are the most sensitive parts of PKI data they must be
protected by a passphrase. The passphrase should be at least four
characters, and Radware recommends using stronger passwords than that
based on letters, numbers, and signs.
Verify Passphrase
(For Key entry type
only)
Since Private Keys are the most sensitive parts of PKI data they must be
protected by a passphrase. The passphrase should be at least four
characters, and Radware recommends using stronger passwords than that
based on letters, numbers, and signs.
File Name Browse to the certificate file to import.
To export a certificate or key
2. Click the Export button below the table.
3. Configure export certificate parameters, and click OK to start the export.
Showing Certificate Content
You can display the content of keys, certificates, or signing requests listed in the Certificates table.
The content is displayed in encrypted text format for copy-paste purposes, for example sending
signing requests to a certificate signing authority.
To display certificate content
2. Click the Show button below the table.
3. Select the entry name to show. By default, the name of the selected certificate in the
Certificates table is displayed.
4. Select the entry type, and password for the key, if required.
5. Click Show to display the content in the Certificate field.
Configuring High Availability
This section contains the following topics:
High-Availability in DefenseProOverview, page 65
Monitoring DefensePro Cluster in the System Tab, page 66
Configuring the Settings for a DefensePro High-Availability Cluster, page 67
Switching the Device States, page 69
Table 14: Export Certificate Parameters
Entry Name Select the name of the entry to export. By default, the name of the
selected certificate in the Certificates table is displayed.
Entry Type According to the selected entry name, you can export Certificate,
Certificate Chain, Client CA Certificate, Key, or Certificate Signing Request.
Passphrase Required when exporting Keys. Use the passphrase entered when the key
was created or imported. You must enter the key passphrase to validate
that you are authorized to export the key.
High-Availability in DefenseProOverview
To support high availability (HA), you can configure two compatible DefensePro devices to operate in
a two-node cluster.
To be compatible, both cluster members must be of the same platform, software version, software
license, throughput license, and Radware signature file.
One member of the cluster is the primary; the other member of the cluster is the secondary.
When you configure a cluster and submit the configuration, the newly designated primary device
configures the required parameters on the designated secondary device.
You can configure a DefensePro high-availability cluster in the following ways:
To configure the primary device of the cluster, the failover parameters, and the advanced
parameters, you can use the High Availability pane (Configuration perspective > Setup >
High Availability). When you specify the primary device, you specify the peer device, which
becomes the secondary member of the cluster.
To configure only the basic parameters of a cluster (Cluster Name, Primary Device, and
Associated Management Ports), you can use the Configuration perspective system pane.
The members of a cluster work in an active-passive architecture.
When a cluster is created:
The primary device becomes the active member.
The secondary device becomes the passive member.
The primary device transfers the relevant configuration objects to the secondary device.
A secondary device maintains its own configuration for the device users, IP interfaces, and routing.
A primary device immediately transfers each relevant change to its secondary device. For example,
after you make a change to a Network Protection policy, the primary device immediately transfers
the change to the secondary device. However, if you change the list of device users on the primary
device, the primary device transfers nothing (because the secondary device maintains its own list of
device users).
The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.
The following situations trigger the active device and the passive device to switch states (active to
passive and passive to active):
The passive device does not detect the active device according to the specified Heartbeat
Timeout.
All links are identified as down on the active device according to the specified Link Down
Timeout.
Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the
specified Idle Line Timeout.
You issue the Switch Over command. To switch the device states, in the Monitoring perspective
system pane, right-click the cluster node; and then select Switch Over.)
You cannot perform many actions on a secondary device.
You can perform only the following actions on a secondary device:
Switch the device state (that is, switch over active to passive and passive to active)
Break the cluster if the primary device is unavailable
Configure management IP addresses and routing
Manage device users
Download a device configuration
Upload a signature file
Download the device log file
Download the support log file
Reboot
Shut down
Change the device name
Change the device time
Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management.
Notes
>> You can initiate a baseline synchronization if a cluster member is passive, using CLI or
Web Based Management.
>> In an existing cluster, you cannot change the role of a device (primary to secondary or
vice versa). To change the role of a device, you need to break the cluster (that is,
ungroup the two devices), and then, reconfigure the cluster as you require.
>> If the devices of a cluster belong to different sites, APSolute Vision creates the cluster
node under the site where the primary device resides; and APSolute Vision removes the
secondary device from the site where it was configured.
>> APSolute Vision issues an alert if the state of the device clusters is ambiguous. For
example, if there has been no trigger for switchover and both cluster members detect
traffic. This state is normal during the initial synchronization process.
>> There is no failback mechanism. There is only the automatic switchover action and the
manual Switch Over command.
>> When a passive device becomes active, any grace time resets to 0 (for example, the
time of the Graceful Startup Mode Startup Timer).
>> You can monitor high-availability operation in the High Availability pane of the
Monitoring perspective.
>> The Properties pane displays the high-availability information of the selected device.
Monitoring DefensePro Cluster in the SystemTab
In the system pane, APSolute Vision identifies the high-availability cluster elements, roles, modes,
and states using various combinations of icons and icon elements.
Note: You can monitor high-availability operation in the High Availability pane of the
Monitoring perspective.
The following table describes the icons that APSolute Vision displays in the system pane for
DefensePro high-availability clusters.

Table 15: Icons in the System Pane High-Availability Clusters
Icon Description
Cluster
Primary device
Secondary device
The following table describes the icon elements that APSolute Vision displays in the system pane for

The following table describes some icons that APSolute Vision can displays in the system pane for

Configuring the Settings for a DefensePro High-Availability Cluster
You can use the High Availability pane in the Configuration perspective to specify the primary device
of the cluster, and configured the failover parameters and advanced parameters.
When you specify the primary device, you specify the peer device, which becomes the secondary
member of the cluster.
Table 16: Icons Elements in the System Pane High-Availability Clusters
Icon Element Description
Active device
Synchronizing
Unavailable
Table 17: Icons in the System Pane High-Availability ClustersExamples
Icon Description
The cluster is operating nominally.
The cluster is synchronizing its members.
The cluster is unavailable.
The primary device is active, unlocked, and operating nominally.
The primary device is passive, unlocked, and operating nominally.
The secondary device is passive, unlocked, and operating nominally.
The secondary device is active, unlocked, and operating nominally.
The secondary device is unlocked and unavailable.
To configure the settings for a high-availability cluster
1. In the Configuration perspective Setup tab navigation pane, select High Availability.
2. Configure the parameters; and then, click (Submit) to submit the changes. APSolute Vision
names the cluster Cl ust er _<I P addr ess of pr i mar y devi ce>.
Note: To rename the cluster, in the Configuration perspective system pane, right-click the
cluster node, and select Rename <Cluster Name>. Rename the cluster (up to
32 characters); and then, click outside the cluster node.
Table 18: High Availability Parameters
Cluster Definition
Cluster Member Specifies whether the device is a member of a two-node cluster for high
availability. If you clear the Cluster Member checkbox in the configuration
(of the primary or secondary member), APSolute Vision breaks the cluster
(after you submit the changes).
Note: You can clear the Cluster Member checkbox in the configuration
of the secondary only when the primary member is unavailable.
Peer Device The name of the other device in the cluster. The drop-down list contains
the names of all the DefensePro devices that are not part of a cluster.
When the device is a member of an existing high-availability cluster, the
drop-down list is unavailable.
Associated
Management Ports
Specifies the management (MNG) port or ports through which the primary
and secondary devices communicate.
Values: MNG1, MNG2, MNG1+2
Note: You cannot change the value if the currently specified
management port is being used by the cluster. For example, if the
cluster is configured with MNG1+2, and MNG1 is in use, you
cannot change the value to MNG2.
Failover
Heartbeat Timeout The time, in seconds, that the passive device detects no heartbeat from the
active device before the passive device becomes active.
Values: 110
Default: 5
Link Down Timeout The time, in seconds, after all links to the active device are identified as
being down before the devices switch states.
Values: 165,535
Default: 1
Note: If a dead link or idle line is detected on both cluster members,
there is no switchover.
Switching the Device States
To switch the device states
1. In the Monitoring perspective system pane, right-click the cluster node.
2. Select Switch Over.
Use Idle Line
Detection
Specifies whether the devices switch states due to an idle line detected on
the active device.
Default: Disabled
Note: If an idle line is detected on both cluster members, there is no
switchover.
Idle Line Threshold The minimum bandwidth, in Kbit/s, that triggers a switchover when the
Use Idle Line Detection option is enabled.
Values: 5124,294,967,296
Default: 512
Note: If the Use Idle Line Detection checkbox is cleared, this
parameter is ignored.
Idle Line Timeout The time, in seconds, with line bandwidth below the Idle Line Threshold
that triggers a switchover when the Use Idle Line Detection option is
enabled.
Values: 365,535
Default: 10
Note: If the Use Idle Line Detection checkbox is cleared, this
parameter is ignored.
Advanced Configuration
Baseline Sync.
Interval
The interval, in seconds, that the active device synchronizes the BDoS and
HTTP Mitigator baselines.
Values: 360086400
Default: 3600
Note: The active device synchronizes the baselines also when the
cluster is created.
Switchover Sustain
Timeout
The time, in seconds, after a manual switchover that the cluster members
will not change states.
Values: 303600
Default: 180
Table 18: High Availability Parameters
Configuring a High-Availability Cluster in the SystemTab
In the Configuration perspective system pane, you can configure the basic parameters of a cluster
(Cluster Name, Primary Device, and Associated Management Ports).
Note: Before you can configure a cluster, the devices must be locked.
To create a DefensePro high-availability cluster from the system pane
1. In the Configuration perspective system pane.
2. Select a DefensePro device.
3. Press Ctrl and click the other device for the cluster.
4. Right-click one of the selected devices and select Create Cluster.
5. Configure the parameters; and then click OK.
To break a DefensePro high-availability cluster from the system pane
In the Configuration perspective system pane, right-click the cluster node and select Break
Cluster.
After your confirmation, the cluster node is removed from the tree, and the DefensePro devices
are displayed under the parent node.
To rename an DefensePro high-availability cluster from the system pane
1. In the Configuration perspective system pane, right-click the cluster node, and select Rename
<Cluster Name>.
2. Rename the cluster (up to 32 characters); and then, click outside the cluster node.
Cluster Setup Parameters
Cluster Name The name for the cluster (up to 32 characters).
Primary Device Specifies which of the cluster members is the primary device.
Associated Management Ports Specifies the management (MNG) port or ports through which the
primary and secondary devices communicate.
Values: MNG1, MNG2, MNG1+2
Note: You cannot change the value if the currently specified
management port is being used by the cluster. For
example, if the cluster is configured with MNG1+2, and
MNG1 is in use, you cannot change the value to MNG2.
To change the associated management ports of a DefensePro high-availability cluster
from the system pane
1. In the Configuration perspective system pane, select the cluster node and click Edit Cluster.
Note: You cannot change the value if the currently specified management port is being
used by the cluster. For example, if the cluster is configured with MNG1+2, and
MNG1 is in use, you cannot change the value to MNG2.
Configuring BOOTP
BOOTP is a protocol that is used to obtain the client IP address from the BOOTP server.
To configure BOOTP settings
1. In the Configuration perspective Setup tab navigation pane, select BootP.
Advanced Parameters
This section describes the advanced parameters that are relevant for the basic configuration of a
DefensePro device.
Configuring Advanced Settings, page 72
Configuring Configuration Auditing, page 73
Configuring Dynamic Protocols, page 73
Configuring Tuning Parameters, page 75
Configuring Security Reporting Settings, page 84
Configuring Out-of-Path Settings for DefensePro, page 87
Configuring Session Table Settings, page 88
Configuring Suspend Settings, page 90
Table 19: BOOTP Parameters for DefensePro
Server Address The IP address of the BootP server. The device forwards BootP requests to
the BootP server and acts as a BootP relay.
Relay Threshold The time, in seconds, that the device waits before relaying requests to the
BootP server. This delay allows local BootP servers to answer first.
Configuring the Device Event Scheduler, page 91
Configuring Tunneling Inspection, page 92
Configuring Advanced Settings
The advanced settings comprise the following parameters:
Accept Weak SSL Ciphers
Enable Overload Mechanism
SRP Management Host IP Address
The Overload Mechanismthat is, the overload-protection mechanismidentifies and reports
overload conditions, and acts to reduce operations with high resource consumption.
DefensePro device uses the overload-protection mechanism to prevent the following:
SME OverloadWhen the overload occurs in the string-matching engine (SME), the
accelerator reduces the number of new sessions sent to the SME. The existing sessions continue
to pass through the SME and are inspected. Features that require the SME, including some of
the attack signatures, will not be applied to some of the sessions.
Master OverloadWhen the overload occurs in the Master CPU, only a percentage of the
traffic is processed by the CPU. Behavioral DoS footprint analysis is done on sampled data,
ensuring the continuation of the feature, but SYN Protection does not work.
Accelerator OverloadWhen the overload occurs in the Accelerator CPU, only a percentage of
the traffic is inspected, while the rest passes through using bypass modes. Inspected traffic is
passed to the Master and SME if they are not overloaded.
System Wide OverloadIf all offload operations have failed to prevent overloaded conditions,
then a full bypass is implemented. Every device application is bypassed, including Bandwidth
Management, Statistics, Security, and so on.
To configure advanced settings
1. In the Configuration perspective Advanced Parameters tab navigation pane, select Advanced
Parameters.
2. Configure the overload mechanism and SRP parameters; and then, click (Submit) to submit
the changes.
Table 20: Advanced Settings Parameters
Accept Weak SSL Ciphers Specifies whether the device allows management connections over
secure protocols with ciphers shorter than 128 bits.
Default: Enabled
Configuring Configuration Auditing
When configuration auditing for devices is enabled on the APSolute Vision server and on the device,
any configuration change on a device using APSolute Vision creates two records in the Audit
database, one from the APSolute Vision server, and one from the device audit message.
Note: To prevent overloading the managed device and prevent degraded performance, the
feature is disabled by default.
To enable configuration auditing for a managed device
1. In the Configuration perspective system pane, select the device for which you want to configure
auditing.
2. In the Advanced Parameters tab navigation pane, select Configuration Audit.
3. To enable configuration auditing, select the Enable Configuration Auditing checkbox.
4. Click (Submit) to submit changes.
Configuring Dynamic Protocols
Dynamic protocols use control or signaling channels that handle data, voice, and audio streaming
channels. For example, FTP has control session and data session; SIP has signaling sessions, data
sessions (RTP), and control sessions (RTCP).
Some dynamic sessions are in the Session Table longer than regular sessions. With VoIP, SIP and
H255, there are times with no traffic, however, the call is still active and the session does not age.
You can configure different aging times for various dynamic protocols, and different policies for
different connections of the same session. In FTP, for example, you can set one policy for FTP data
and another policy for FTP control.
Before you configure dynamic protocols, ensure that the Session table Lookup Mode is Full L4 (which
is the default). To change settings, see Configuring Session Table Settings, page 88.
Enable Overload Mechanism Specifies whether the device uses the overload mechanism, which
identifies and reports overload conditions.
Radware recommends that the overload-protection mechanism
always be enabled.
SRP Management Host IP
Address
The IP address to which the device sends Statistics Reporting
Protocol (SRP) data. SRP is a private Radware protocol for efficient
transmission of statistical data from the device to the APSolute Vision
server.
Enter the APSolute Vision server IP address.
This parameter must be configured to view real-time reports and
attack details in APSolute Vision.
Table 20: Advanced Settings Parameters
To configure dynamic protocols
1. In the Configuration perspective Advanced Parameters tab navigation pane, select Dynamic
Protocols.
Table 21: Dynamic Protocol Parameters
FTP
Enable FTP Enables/disables FTP Dynamic Protocol.
Default: Enabled
Control Session Aging Time Specifies the Control Session Aging Time, in seconds.
Default: 0
Data Session Aging Time Specifies the Data Session Aging Time, in seconds.
Default: 0
TFTP
Enable TFTP Enables/disables TFTP Dynamic Protocol.
Default: Enabled
Default: 0
Rshell
Enable Rshell Enables/disables Rshell Dynamic Protocol.
Default: Enabled
Default: 0
Data Session Aging Time Enter a value for Data Session Aging Time, in seconds.
Rexec
Enable Rexec Enables/disables Rexec Dynamic Protocol.
Default: Enabled
Default: 0
H.225
Enable H.225 Enables/disables H.225 Dynamic Protocol.
Default: Enabled
Default: 0
H.245 Data Session Aging
Time
Specifies the Data Session Aging Time, in seconds.
Default: 0
Configuring Tuning Parameters
You can adjusting tuning parameters to use memory resources more efficiently, to conserve memory
resources.
Caution: Radware strongly recommends that you perform any device tuning only after
consulting with Radware Technical Support.
This section contains the following:
Configuring Device Tuning, page 76
Configuring Security Tuning, page 77
Configuring SYN Protection Tuning, page 80
Configuring Classifier Tuning, page 81
Configuring Classifier Tuning, page 81
SIP
Enable SIP Enables/disables SIP Dynamic Protocol.
Session Initiation Protocol (SIP) is an IETF standard for initiating an
interactive user session involving multimedia elements such as video,
voice, chat, gaming, and so on. SIP can establish, modify, or
terminate multimedia sessions or Internet telephony calls.
When a policy for SIP is configured to block traffic from one direction,
it is not possible to open a SIP connection from another direction (SIP
uses the same port number for both source and destination).
Default: Disabled
Signaling Session Aging
Time
Specifies the Signaling Session Aging Time, in seconds.
When the clients communicate directly with each other, or work with
non-standard SIP ports, increase the aging time of the Signaling
Session Aging Time parameter.
Default: 20
RTCP Session Aging Time Specifies the RTCP Session Aging Time, in seconds.
Default: 0
TCP Segments Aging Time Specifies the SIP TCP Segments Aging Time, in seconds.
Default: 5
Table 21: Dynamic Protocol Parameters
Configuring Device Tuning
To configure device tuning parameters
1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters.
2. To change the current setting, enter the new value in the After Reset column.
3. Click (Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.
Note: Radware recommends performing a memory check before rebooting the device.
Table 22: Device Tuning Parameters
IP Fragmentation Table The maximum number of IP fragments that the device stores.
Values: 1256,000
Default: 1240
Session Table The maximum number of sessions that the device can track.
Values: 204,000,000
Default per model:
x0162,000,000
x412-NL-O3,000,000
x412-NL-Q3,100,000
x412-BP-O3,000,000
x412-BP-Q2,900,000
Session Resets Entries The maximum number of sessions that the device tracks to
send RESET when Send Reset To Server is enabled in the
Session table.
Values: 110,000
Default: 1000
Routing Table The maximum number of entries in the Routing table.
Values: 2032,767
Default: 64
Pending Table The maximum number of new simultaneous dynamic sessions
the device can open.
Values: 1616,000
Default: 1024
Configuring Security Tuning
The security tables store information about sessions passing through the device and their sizes,
correlating them to the number of sessions. Some tables store Layer 3 information for every source-
destination address pair of traffic going through the device requiring an entry for each combination.
Some tables keep information about Layer 4 sessions. Every combination of source address, source
port, destination address and destination port requires its own entry in the table.
Note: Layer 4 tables are larger than Layer 3 tables. TCP clients, using HTTP, may open several
TCP sessions to one destination address.
Each security table is responsible for clearing tables of old entries that are no longer required, and
ensuring that traffic is properly classified and inspected.
To configure security tuning
Parameters > Security.
2. Configure the tuning parameters.
SIP Call Table The maximum number of SIP calls the device can track.
Values: 16256,000
Default: 1024
TCP Segmentation Table The maximum number of TCP Segments. This parameter is
used when SIP Protocol is enabled and SIP is running over TCP.
Values: 132,768
Default: 256
Table 23: Security Tuning Parameters
Max. Number of HTTP Mitigator
Suspect Sources
The maximum number of suspect sources in HTTP Mitigation
policies.
Values: 1000500,000
Default: 100,000
Max. Number of Server
Protection Servers
The maximum number of entries in the Server Protection policy.
Values: 10010,000
Default: 350
Max. Number of BDoS Policies The maximum number of configurable Behavioral DoS policies.
Values: 1100
Default: 10
Table 22: Device Tuning Parameters
Max. Number of DNS Policies The maximum number of configurable DNS Flood Protection
policies.
Values: 1100
Default: 10
Max. Number of Anti-Scanning IP
Pairs
The maximum number of source IP addresses that the device
stores for anti-scanning purposes.
Values: 10,0001,000,000
Default: 100,000
Max. Number of Entries in
Counter Target Table
The maximum number of sessions in which a Destination address
is tracked.
Some attack signatures use thresholds per destination for
activation. The Counter Target Table counts the number of times
traffic to a specific destination matches a signature. When the
number of packets sent to a particular destination exceeds the
predefined limit, it is identified as an attack.
Values: 10065,536
Default: 65,536
Counter Source Table
The maximum number of sessions in which a source address is
tracked.
Some attack signatures use thresholds per source for activation.
The Counter Source Table counts the number of times traffic
from a specific source matches a signature. When the number of
packets sent from a particular source exceeds the predefined
limit, it is identified as an attack.
Values: 10065,536
Default: 65,536
Counter Source and Target Table
The maximum number of sessions in which Source and
Destination addresses are tracked.
Some signatures use thresholds per source and destination for
activation. The Counter Source & Target Table counts the
number of times traffic from a specific source to a specific
destination matches a signature. When the number of packets
sent from a particular source to a particular destination exceeds
the predefined limit, it is identified as an attack.
Values: 10065,536
Default: 65,536
Max. Number of Concurrent
Active DoS Shield Protections
The maximum number of filters tracked.
DoS Shield filters use thresholds for activation. This table counts
the number of times traffic matches a DoS Shield signature per
policy. When the number of packets exceeds the predefined limit,
it is identified as an attack.
Values: 10016,000
Default: 10,000
Counters Report
The maximum number of entries for reports on active concurrent
Tracking Signatures attacks.
Values: 10064,000
Default: 20,000
Counters Server Cracking
Protection
The maximum number of entries for concurrent active Server
Cracking protections.
Values: 10065,536
Default: 100
Max. Number of Entries in DHCP
Table
The number of MAC addresses to check for IP requests.
The DHCP Discover table detects attacks by counting the IP
requests for each MAC address. The requests are made using
Dynamic Host Configuration Protocol. When the number of IP
requests for a particular MAC address exceeds the predefined
limit, it is identified as an attack.
Values: 10064,000
Default: 100
Generic Signature Table
The maximum number of entries for concurrent active scanning
protections.
Values: 100100,000
Default: 10,000
Max. Number of Signatures
Configured by User
The maximum number of user-configurable IPS signatures and
RSA signatures. DefensePro can store up to 500 concurrent RSA
signatures.
Values: 1010,000
Default with fraud protection not enabled: 100
Default with fraud protection not enabled: 3,000
Note: RSA signatures on the device accumulate until the
device ages them. The device ages RSA signatures
according to the specified aging times, Phishing
Signatures Aging, Drop Points Aging, and Malicious
Download Aging. If the Max. Number of Signatures
Configured by User is greater than 500, and number of
RSA signatures reaches 500, you cannot add any new
RSA signature. If you must add new RSA signatures
immediately, you can reduce the aging time, add the
RSA signature, and increase the aging time as
appropriate.
Configuring SYN Protection Tuning
SYN tables are used to define SYN Flood protection.
To configure SYN Protection tuning
Parameters > SYN Protection.
Max. Number of Source IPs in
Suspend Table
The maximum number of hosts that the Suspend Table is able to
block simultaneously.
This value affects the abilities of other defenses, such as, anti-
scanning, server cracking, and SYN protection.
Values: 1000100,000
Default: 10,000
Max. Number of Concurrent
Connection Packet Rate Limit
Attacks
The maximum number of concurrent Connection Packet Rate
Limit attacks that the device can handle.
Values: 51000
Default: 50
Table 24: SYN Protection Tuning Parameters
SYN Protection Table The number of entries in the table that stores data regarding the
delayed binding process. An entry exists in the table from the
time a client starts the three-way handshake until the handshake
is complete.
Values: 10500,000
Default: 200,000
SYN Protection Requests Table The number of entries in the table that stores the ACK, or data
packet, the client sends, until the handshake with the server is
complete and the packet is sent to the server.
The Request table and the SYN Protection table are
approximately the same size while the Triggers table is much
smaller.
Values: 10500,000
Default: 200,000
Configuring Authentication Table Tuning
To configure Authentication Table tuning
Parameters > Authentication Tables.
Configuring Classifier Tuning
APSolute Vision supports the classifier (that is, Classes) module.
A Classifier packet first flows into the system through the classifier. The classifier handles the packet
according to the Bandwidth Management policy that best matches the packet and by these tuning
parameters. You can view and edit the Classifier tuning parameters. The changes take effect after a
device reset.
SYN Protection Signature
Detection Entries
The number of entries in the table that stores active triggers
that is, the destination IPs/ports from which the device identifies
an ongoing attack.
Values: 100020,000
Default: 1000
SYN Statistics Entries The number of entries in the SYN Flood Statistics table.
Values: 100020,000
Default: 1000
Table 25: Authentication Table Tuning Parameters
HTTP Authentication Table Size The number of source in the HTTP Authentication table.
DefensePro uses the HTTP Authentication table in HTTP Flood
profiles and the HTTP Authentication feature in a SYN Protection
profile.
Values: 500,0002,000,000
Default: 2,000,000
TCP Authentication Table Size The number of source in the TCP Authentication table.
DefensePro uses the TCP Authentication table for the Safe Reset
Authentication Method feature in SYN Protection profiles.
Values: 500,0002,000,000
Default: 2,000,000
Note: For x412 platforms, the value is fixed at the default
2,000,000, and cannot be tuned.
Table 24: SYN Protection Tuning Parameters
To configure classifier tuning
Parameters > Classifier.
Table 26: Classifier Tuning Parameters
Max. Number of Networks The maximum number of entries in the table for ranges.
Values: 3210,000
Default: 256
Max. Number of Discrete IP
Addresses per Network
The maximum number of entries in the table for IP addresses
that are allocated to a network.
Values: 161024
Default: 64
Max. Number of Subnets per
Network
The maximum number of entries in the table for network
subnets.
Values: 16256
Default: 64
Max. Number of MAC Groups The maximum number of entries in the table for MAC groups.
Values:162048
Default: 128
Max. Number of Filter Entries The maximum number of entries in the table for basic filters.
Values:5122048
Default: 512
Max. Number of AND Groups The maximum number of entries in the advanced filters table for
AND groups.
Values: 2562048
Default: 256
Max. Number of OR Groups The maximum number of entries in the advanced filters table for
OR groups.
Values: 2562048
Default: 256
Configuring BWM Tuning
You can view and edit the bandwidth-management (BWM) tuning parameters. The changes take
effect after a device reset.
To configure BWM tuning
Parameters > BWM.
Max. Number of Application
Ports Groups
The maximum number of entries in the table for application port
groups.
Values: 322000
Default: 512
Max. Number of Content Entries The maximum number of content entries in the table.
Values: 164096
Default: 256
Table 27: BWM Tuning Parameters
Policy Table The number of policy entries in the table.
Values for AppDirector: 210,000
Values for DefensePro: 256150,000
Default: 1024
Policy Leaves The percentage of hierarchical BWM leaves (that is, hierarchical
BWM policies without a child policy) out of the total number of
policies that the device supports.
Values: 50100
Default: 100
Table 26: Classifier Tuning Parameters
Configuring SDM Tuning
To configure SDM tuning
1. In the Configuration perspective Advanced Parameters tab navigation pane, select
Tuning Parameters > SDM.
2. Configure the tuning parameter.
Configuring Security Reporting Settings
To support historical and real-time security-monitoring capabilities and provide in-depth attack
information for each attack event, the DefensePro device establishes a data-reporting protocol
between the device and APSolute Vision. This protocol, called Statistical Real-time Protocol (SRP),
uses UDP packets to send attack information.
You can enable the reporting channels used by DefensePro devices to receive information about
attacks, and to report detected attacks based on their various risk levels.
You can also configure DefensePro devices to send captured attack packets along with the attack
event for further offline analysis. Packet reporting and SRP use the same default port, 2088.
To configure security reporting channels
1. In the Configuration perspective Advanced Parameters tab navigation pane, select Security
Reporting Settings.
BW per Traffic Flow sessions
tracking
The number of traffic flows for which the device can provide
bandwidth or limit the number of sessions.
Values: 16400,000
Default: 2048
Destination Table Displays the number of destination address entries in the table.
Values: 64128,000
Default: 256
Table 28: SDM Tuning Parameter
SDM Table Size The size of the SDM table.
Values: Small, Medium, Large
Default: Medium
Table 27: BWM Tuning Parameters
Table 29: Security Reporting Parameters
Basic Parameters
Report Interval The frequency, in seconds, the reports are sent though the
reporting channels.
Values: 165,535
Default: 5
Maximal Number of Alerts per
Report
The maximum number of attack events that can appear in
each report (sent within the reporting interval).
Values: 12000
Default: 1000
Report per Attack Aggregation
Threshold
The number of events for a specific attack during a reporting
interval, before the events are aggregated to a report. When
the number of the generated events exceeds the Aggregation
Threshold value, the IP address value for the event is
displayed as 0.0.0.0, which specifies any IP address.
Values: 165,535
Default: 5
L4 Port for Reporting The port used for packet reporting using SRP.
Values: 165,535
Default: 2088
Enable Sending Traps When selected, the device uses the traps reporting channel.
Default: Enabled
Minimal Risk Level for Sending
Traps
The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low
Enable Sending Syslog When selected, the device uses the syslog reporting channel.
Default: Disabled
Syslog
Default: Low
Enable Sending Terminal Echo When selected, the device uses the Terminal Echo reporting
channel.
Default: Disabled
Terminal Echo
Default: Low
Enable Sending Email When selected, the device uses the e-mail reporting channel.
Default: Disabled
Email
Default: Low
Enable Security Logging When selected, the device uses the security logging reporting
channel.
Default: Low
Packet Reporting and Packet Trace
Enable Packet Reporting Specifies whether the DefensePro device sends sampled
attack packets along with the attack event.
Default: Enabled
Maximum Packets per Report The maximum number of packets that the device can send
within the Report Interval.
Values: 165,535
Default: 100
Destination IP Address The destination IP address for the packet reports.
Default: The destination IP address of the management
station
Enable Packet Trace on Physical Port Specifies whether the feature is disabled or enables the
feature and specifies the physical port to which the
DefensePro device sends identified attack traffic (when the
Packet Trace feature is enabled in the policy rule or profile).
Values:
noneThe Packet Trace feature is disabled.
The physical, inspection ports (that is, excluding the
management ports)
Default: none
Caution: A change to this parameter takes effect only
after you update policies.
Maximum Rate The maximum number of packets per second that the Packet
Trace feature sends.
Values: 1200,000
Default: 50,000
Maximum Length of Dropped
Packets
The maximum length, in bytes, of dropped packets that the
Packet Trace feature sends. DefensePro can limit the size of
Packet Trace sent packets only for dropped packets. That is,
when a rule is configured with Report Only (as opposed to
Block), the Packet Trace feature sends the whole packets.
Values: 641550
Default: 1550
Tip: If you are interested only in the packet headers of the
dropped packets, to conserve resources, modify the minimal
value, 64.
netForensics Reporting
Enable netForensics Reporting When selected, enables reporting using netForensics
reporting agent.
Default: Disabled
Configuring Out-of-Path Settings for DefensePro
When you install DefensePro outside the critical path of the traffic, you can configure the Out-of-Path
Mode to mitigate DoS attacks using the capabilities of the routers access list. When the device
operates in the Out-of-Path mode, the traffic is copied to the device and verified separately from the
main traffic route. When an attack is identified, Behavioral DoS translates the footprint into a router
Access List (ACL) command and configures the router accordingly.
Note: The feature works on Cisco routers that have the capability to mirror an interface and
accept ACL commands to reroute traffic. This feature was tested on Cisco 6509
IOS 12.2.
To configure out-of-path settings
1. In the Configuration perspective Advanced Parameters tab navigation pane, select Out of Path.
Agent IP Address The IP address of the netForensics agent.
L4 Port The port used for netForensics reporting.
Values: 165,535
Default: 555
Data Reporting Destinations
Destination IP Address The target addresses for data reporting.
The table can contain up to 10 addresses. By default, when
there is room in the table, addresses are added automatically
when you add a DefensePro device to the tree in the system
pane.
To add an address, click the (Add) button. Enter the
destination IP address; and then, click OK.
Table 30: Out of Path Parameters
Enable Out of Path
Mode
You must enable and reboot the device before you can configure out-of-
path settings.
When Out of Path is enabled, the only available protection is BDoS.
Router IP Address The IP address of the organization router that manages all the incoming
traffic.
Routers Enable
Password
Administrators password for the router.
Verify Password Verification of password for the router.
Configuring Session Table Settings
DefensePro includes a Session table, which tracks sessions bridged and forwarded by the device.
To configure Session table settings
1. In the Configuration perspective Advanced Parameters tab navigation pane, select Session
Table Settings.
SSH User Name The name of the SSH user.
SSH Password The password of the SSH user.
Verify SSH Password Verification of password for the SSH user.
Router Interface for
Receiving Traffic
The router interface that is being monitored, and traffic from it will be
redirected.
Table 31: Session Table Parameters
Enable Session Table When enabled, the device uses the Session table.
Default: Enabled
Remove Session Entry at
Session End
When enabled, the device removes sessions from the Session
Table five seconds after receiving a FIN or RST packet if no
additional packets are received on the same session within the
five seconds. This option is available only for Full Layer 4 Lookup
Mode (default mode).
Default: Enabled
Send Reset to Destination When
No Data is Received
Specifies whether the DefensePro device sends a RST packet for
TCP sessions where the device has seen the three-way
handshake (SYN and then ACK from the source) but has not seen
subsequent data packets.
Values:
EnabledDefensePro sends reset a RST packet to the
destination and cleans the entry in the DefensePro Session
table.
DisabledDefensePro ages the session normally (using
short SYN timeout), but the destination might hold the
session for quite some time.
Default: Disabled
Table 30: Out of Path Parameters
Lookup Mode The layer of address information that is used to categorize
packets in the Session Table.
Values:
Full Layer 4An entry exists in the Session Table for each
source IP, source port, destination IP, and destination port
combination of packets passing through the device. This is
the default mode for the Session Table. Radware
recommends that you always use this option.
L4 Destination PortEnables traffic to be recorded based
only on the TCP/UDP destination port. This mode uses
minimal Session Table resources (only one entry for each
port that is secured).
Note: When Session Table Lookup Mode is set to Layer 4
Destination Port, the following Protections do not
work:
ACL
Anti Scanning
Connection Packet Rate Limit
Connection Rate Limit
HTTP Mitigator
HTTP Replies Signatures
Out-of-State protection
Server Cracking
SYN Protection
Aging Time The time, in seconds, that the device keeps a non-active session
in the Session Table.
Default: 100
Note: When the Access Control List (ACL) feature is enabled,
Session table aging is determined by the relevant ACL
parameter.
Advanced Parameters
TCP Handshake Timeout How long, in seconds, the device waits for the three-way
handshake to be achieved for a new TCP-session. When the
timeout elapses, the device deletes the session and, if the Send
Reset To Server checkbox is selected, sends a reset packet to
the server.
Values:
0The device uses the specified Session Aging Time.
110The TCP Handshake Timeout in seconds.
Default: 10
Configuring Suspend Settings
DefensePro can suspend traffic from an IP address that was the source of an attack, for a defined
period of time.
Dynamic blocking duration is implemented by the anti-scan and server cracking protections based
on the suspend settings that you configure. (Although connection rate limits and intrusion
signatures can be set manually to suspend the source, they do not support dynamic duration.)
The dynamic blocking duration is usually set by the DefensePro anti-scan and server cracking
protections:
The initial suspend time period cannot be lower than the Minimal Aging Timeout.
Each additional time the same source is suspended, the suspension length is doubled until it
reaches the Maximal Aging Timeout.
When the suspension length has reached the maximum length allowed, it remains constant for
each additional suspension.
To configure Suspend Table settings
1. In the Configuration perspective Advanced Parameters tab navigation pane, select Suspend
Table Settings.
Session Table Full Action The action that the device takes when the Session Table is at full
capacity.
Values:
Allow new trafficThe device bypasses new sessions until
the till session table has room for new entries.
Block new trafficThe device blocks new sessions until the
session table has room for new entries.
Default: Allow new traffic
Alert-Start Threshold The percentage of full capacity of the Session Table when the
device starts issuing alerts.
Default: 95
Alert-Stop Threshold The percentage of full capacity of the Session Table when the
device stops issuing alerts.
Default: 90
Configuring the Device Event Scheduler
Some network policy rules remain inactive during certain hours of the day, or are activated only
during others. For example, a school library may want to block instant messaging during school
hours, but allow it after school hours, or an enterprise may assign high priority to mail traffic
between 08:00 and 10:00.
You can schedule the activation and inactivation of specific policy rules on the device by using the
Event Scheduler, to create schedules, and then attach them to a policy rules configuration.
Schedules define a date and time for specific actions.
To configure the event scheduler
1. In the Configuration perspective Advanced Parameters tab navigation pane, select Event
Scheduler.
To add a schedule, click the (Add) button.
To edit an entry, double-click the row.
Table 32: Suspend Table Parameters
Minimal Aging Timeout The time, in seconds, for which the DefensePro suspends first-time
offending source IP addresses.
Default: 10
Maximal Aging Timeout The maximal time, in seconds, for which the DefensePro suspends a
specific source. Each time the DefensePro suspends the same source,
the suspension length doubles until it reaches the Maximal Aging
Timeout.
Default: 600
Maximum Entries with Same
Source IP
The number of times the DefensePro suspends the same source IP
address before the DefensePro suspends all traffic from that source
IP addressregardless of the specified Suspend Action. For example,
if the value for this parameter is 4 and the specified Suspend Action
is SrcIP-DstIP-SrcPort-DstPort, the DefensePro suspends all traffic
from a source IP address that had an entry in the Suspend list more
than four times, even if the destination IP address, source port, and
destination ports were different for the previous updates to the
Suspend Table.
This parameter is irrelevant when the specified Suspend Action is
SrcIP.
Values:
0The device does not implement the feature.
110
Default: 0
Configuring Tunneling Inspection
Carriers, service providers, and large organizations use various tunneling protocols to transmit data
from one location to another. This is done using the IP network so that network elements are
unaware of the data encapsulated in the tunnel.
Tunneling implies that traffic routing is based on source and destination IP addresses. When
tunneling is used, IPS devices and load balancers cannot locate the relevant information because
their decisions are based on information located inside the IP packet in a known offset, and the
original IP packet is encapsulated in the tunnel.
To provide a carrier-grade IPS/DoS solution, DefensePro inspects traffic in tunnels, positioning
DefensePro in peering points and carrier network access points.
You can install DefensePro in different environments, which might include encapsulated traffic using
different tunneling protocols. In general, wireline operators deploy MPLS and L2TP for their
tunneling, and mobile operators deploy GRE and GTP.
DefensePro can inspect traffic that may use various encapsulation protocols. In some cases, the
external header (tunnel data) is the data that DefensePro needs to inspect. In other cases,
DefensePro needs to inspect the internal data (IP header and even the payload). You can configure
DefensePro to meet your specific inspection requirements.
To configure tunneling inspection
1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tunneling
Inspection.
Table 33: Scheduled Event Parameters
Task Name The name of the schedule.
Frequency How often the event occurs.
Values: daily, once, weekly
Default: once
Time The time on the designated day in the format HHMM.
When multiple days are selected, the value is the same for all the
configured days.
Date If the event frequency is once, configure the date that the event occurs
in the DD/MM/YYYY format.
Days of Week If the selected event frequency is weekly, select the day or days the
event occurs.
Configuring SNMP
Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the
exchange of management information between APSolute Vision and network devices.
Radware devices can work with all versions of SNMP: SNMPv1, SNMPv2 and SNMPv3.
The default Radware user is configured in SNMPv1.
Note: When you add a Radware device to APSolute Vision using SNMPv3, the user name and
authentication details must match one of the users configured on the device.
The following topics describe the procedures to configure SNMP on a selected device:
Configuring SNMP Users, page 93
Configuring SNMP Community Settings, page 94
Configuring the SNMP Group Table, page 95
Configuring SNMP Access Settings, page 96
Configuring SNMP Notify Settings, page 97
Configuring SNMP View Settings, page 98
Configuring the SNMP Target Parameters Table, page 98
Configuring SNMP Target Addresses, page 99
Configuring SNMP Users
With SNMPv3 user-based management, each user can have different permissions based on the user
name and authentication method. You define the users who can connect to the device, and store the
access parameters for each SNMP user.
Note: In the SNMP configuration, a user name is also known as a security name.
To configure an SNMP users for a device connected with SNMPv3 with Authentication
and Privacy
1. In the Configuration perspective Device Security tab navigation pane, select SNMP > SNMP
User Table.
To add a user, click the (Add) button.
3. Configure SNMP user parameters and click OK.

Configuring SNMP Community Settings
The SNMP Community Table is used only for SNMP versions 1 and 2 to associate community strings
to users. When a user is connected to a device with SNMPv1 or SNMPv2, the device checks the
community string sent in the SNMP packet. Based on a specific community string, the device maps
the community string to a predefined user, which belongs to a group with certain access rights.
Therefore, when working with SNMPv1 or SNMPv2, users, groups, and access must be defined.
Use the Community Table to associate community strings with user names and vice versa, and to
restrict the range of addresses from which SNMP requests are accepted and to which traps can be
sent.
Note: You cannot change the community string associated with the user name that you are
currently using.
To configure SNMP community settings
1. In the Configuration perspective Device Security tab navigation pane, select SNMP >
Community.
To add an SNMP community entry, click the (Add) button.
3. Configure SNMP community parameters and click OK.
Table 34: SNMP User Parameters
User Name The user name, also known as a security name. The name can be up
to 18 characters.
Authentication Protocol Protocol used during authentication process.
Values:
None
MD5
SHA
Default: None
Authentication Password If an authentication protocol is specified, enter an authentication
password.
Privacy Protocol Algorithm to be used for encryption.
Values:
NoneThe data is not encrypted.
DESThe device uses Data Encryption Standard.
Default: None
Privacy Password If a privacy protocol is specified, enter a user privacy password.

Configuring the SNMP Group Table
SNMPv3 permissions are defined for groups of users. If, based on the connection method, there is a
need to grant different permissions to the same user, you can associate a user to more than one
group. You can create multiple entries with the same group name for different users and security
models.
Access rights are defined for groups of users in the SNMP Access table.
To configure SNMP group settings
1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Group
Table.
To add a group entry, click the (Add) button.
3. Configure SNMP group parameters and click OK.
Table 35: SNMP Community Parameters
Index A descriptive name for this entry. This name cannot be modified after
creation.
Default: public
Community Name The community string.
Default: public
Security Name The security name identifies the SNMP community used when the
notification is generated.
Default: public
Transport Tag Specifies a set of target addresses from which the SNMP accepts SNMP
requests and to which traps can be sent. The target addresses identified by
this tag are defined in the SNMP Target Addresses table. At least one entry
in the SNMP Target Addresses table must include the specified transport tag.
If no tag is specified, addresses are not checked when an SNMP request is
received or when a trap is sent.

Configuring SNMP Access Settings
The SNMP Access table binds groups and security models with SNMP views, which define subsets of
MIB objects. You can define which MIB objects can be accessed for each group and security model.
MIB objects can be accessed for a read, write, or notify action based on the Read View Name, Write
View Name, and Notify View Name parameters.
To configure SNMP access settings
1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Access.
To add an access entry, click the (Add) button.
3. Configure SNMP access parameters and click OK.
Table 36: SNMP Group Parameters
Group Name The name of the SNMP group.
Security Model The SNMP version that represents the required security model. Security models
are predefined sets of permissions that can be used by the groups. These sets
are defined according to the SNMP versions. By selecting the SNMP version for
this parameter, you determine the permissions set to be used.
Values:
SNMPv1
SNMPv2c
User Based (SNMPv3)
Default: SNMPv1
Security Name If the User Based security model is used, the security name identifies the user
that is used when the notification is generated. For other security models, the
security name identifies the SNMP community used when the notification is
generated.
Table 37: SNMP Access Parameters
Group Name The name of the group.
Security Model Security models are predefined sets of permissions that can be used by
the groups. These sets are defined according to the SNMP versions.
Select the SNMP version that represents the required Security Model to
determine the permissions set to be used.
Values:
SNMPv1
SNMPv2c
User Based (SNMPv3)
Default: SNMPv1
Configuring SNMP Notify Settings
You can select management targets that receive notifications and the type of notification to be sent
to each selected management target. The Tag parameter identifies a set of target addresses. An
entry in the Target Address table that contains a tag specified in the Notify table receives
notifications.
To configure SNMP notification settings
1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Notify.
To add an SNMP notify entry, click the (Add) button.
3. Configure SNMP notify parameters and click OK.

Security Level The security level required for access.
Values:
No AuthenticationNo authentication or privacy are required.
Authentication & No PrivacyAuthentication is required, but privacy
is not required.
Authentication & PrivacyBoth authentication and privacy are
required.
Default: No Authentication
Read View Name The name of the View that specifies which objects in the MIB tree are
readable by this group.
Write View Name The name of the View that specifies which objects in the MIB tree are
writable by this group.
Notify View Name The name of the View that specifies which objects in the MIB tree can be
accessed in notifications (traps) by this group.
Table 38: SNMP Notify Parameters
Name A descriptive name for this entry, for example, the type of notification.
Tag A string that defines the target addresses that are sent this notification. All
the target addresses that have this tag in their tag list are sent this
notification.
Table 37: SNMP Access Parameters
Configuring SNMP View Settings
You can define subsets of the MIB tree for use in the Access Table. Different entries may have the
same name. The union of all entries with the same name defines the subset of the MIB tree and can
be referenced in the Access Table through its name.
To configure SNMP view settings
1. In the Configuration perspective Device Security tab navigation pane, select SNMP > View.
To add an SNMP view entry, click the (Add) button.
3. Configure SNMP view parameters and click OK.

Configuring the SNMP Target Parameters Table
The Target Parameters Table defines message processing and security parameters that are used in
sending notifications to a particular management target. Entries in this table are referenced in the
Target Address Table.
To configure SNMP target parameters
1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Target
Parameters Table.
To add a target parameters entry, click the (Add) button.
3. Configure target parameter settings and click OK.
Table 39: SNMP View Parameters
View Name Name of this entry.
Sub-Tree Note: Object ID of a subtree of the MIB.
Type Specifies whether the object defined in the entry is included or excluded in the
MIB view.
Values: Included, Excluded
Default: Included
Configuring SNMP Target Addresses
In SNMPv3, the Target Addresses table contains transport addresses to be used in the generation of
traps. If the tag list of an entry contains a tag from the SNMP Notify Table, this target is selected for
reception of notifications. For SNMP versions 1 and 2, this table is used to restrict the range of
addresses from which SNMP requests are accepted and to which SNMP traps may be sent. If the
Transport Tag of an entry in the community table is not empty it must be included in one or more
entries in the Target Address Table.
To configure SNMP target addresses
1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Target
Address.
To add a target address, click the (Add) button.
3. Configure target address parameters and click OK.
Table 40: SNMP Target Parameters
Name Name of the target parameters entry.
Message Processing
Model
Specifies which version of SNMP to use when generating SNMP notifications.
Values: SNMPv1, SNMPv2c, SNMPv3
Default: SNMPv1
Security Model Select the SNMP version that represents the required Security Model.
Security models are predefined sets of permissions that can be used by the
groups. These sets are defined according to the SNMP versions. By selecting
the SNMP version for this parameter, you determine the permissions set to
be used.
Values: SNMPv1, SNMPv2c, User Based (SNMPv3)
Default: SNMPv1
Security Name If the User Based security model is used, the security name identifies the
user that is used when the notification is generated. For other security
models, the security name identifies the SNMP community used when the
notification is generated.
Security Level Specifies whether the trap is authenticated and encrypted before it is sent.
Values:
No AuthenticationNo authentication or privacy are required.
Authentication and No PrivacyAuthentication is required, but privacy
is not required.
Authentication and PrivacyBoth authentication and privacy are
required.
Default: No Authentication
Configuring Device Users
For each DefensePro device, you can create a list of users who are authorized to access that device
through any enabled access method (Web, Telnet, SSH, SWBM). When configuration tracing is
enabled, users can receive e-mail notifications of changes made to the device.
To configure device users for a selected device
1. In the Configuration perspective Device Security tab navigation pane, select Users Table.
To add a user, click the (Add) button.
3. Configure device user parameters and click OK.
Table 41: SNMP Target Address Parameters
Name Name of the target address entry.
IP Address and L4 Port
[IP-port number]
The IP address of the management station (APSolute Vision server)
and TCP port to be used as the target of SNMP traps. The format of the
values is <I P addr ess >- <TCP por t >, where <TCP por t >must be
162. For example, if the value for IP Address and L4 Port is 1.2.3.4-
162, 1.2.3.4 is the IP address of the APSolute Vision server and 162 is
the port number for SNMP traps.
Note: APSolute Vision listens for traps only on port 162.
Mask A subnet mask of the management station.
Tag List Specifies sets of target addresses. Tags are separated by spaces. The
tags contained in the list may be either tags from the Notify table or
Transport tags from the Community table.
Each tag can appear in more than one tag list. When a significant event
occurs on the network device, the tag list identifies the targets to which
a notification is sent.
Default: v3Traps
Target Parameters Name The set of target parameters to be used when sending SNMP Traps.
Target parameters are defined in the Target Parameters table.
Table 42: Device User Parameters
User Name The name of the user.
Password Enter the password of the user, then repeat to verify.
Email Address The e-mail address of the user to which notifications will be sent.
Configuring Access Permissions on Physical Ports
Access to devices can be limited to specified physical interfaces. Interfaces connected to insecure
network segments can be configured to discard some or all management traffic directed at the
device itself. Administrators can allow certain types of management traffic to a device (for example,
SSH), while denying others such as SNMP. If an intruder attempts to access the device through a
disabled port, the device denies access, and generates syslog and CLI traps as notification.
To configure access permissions for a selected device
1. In the Configuration perspective Device Security tab navigation pane, select Advanced.
2. To edit permissions for a port, double-click the relevant row.
3. Select or clear the checkboxes to allow or deny access; and then, click OK.
Minimal Severity for
Sending Traps
The minimum severity level of traps sent to this user.
Values:
NoneThe user receives no traps.
InfoThe user receives traps with severity info or higher.
WarningThe user receives Warning, Error, and Fatal traps.
ErrorThe user receives Error and Fatal traps.
FatalThe user receives Fatal traps only.
Default: None
Enable Configuration Tracing When selected, the specified user receives notifications of
configuration changes made in the device.
Every time the value of a configurable variable changes, information
about all the variables in the same MIB entry is reported to the
specified users. The device gathers reports and sends them in a
single notification message when the buffer is full or when the
timeout of 60 seconds expires.
The notification message contains the following details:
Name of the MIB variable that was changed.
New value of the variable.
Time of configuration change.
Configuration tool that was used (APSolute Vision, Telnet, SSH,
WBM).
User name, when applicable.
Access Level The users level of access to the WBM and CLI.
Values: Read-Write, Read-Only, None
Default: Read-Write
Table 42: Device User Parameters
Configuring Port Pinging
You can define which physical interfaces can be pinged. When a ping is sent to an interface for which
ping is not allowed, the packet is discarded. By default, all the interfaces of the device allow pings.
To define the ports to be pinged
1. In the Configuration perspective Device Security tab navigation pane, select Advanced > Ping
Ports.
2. To edit port ping settings, double-click the relevant row.
3. Select or clear the checkbox to allow or not allow pinging, then click OK.
Table 43: Port Permission Parameters
Port (Read-only) The name of the physical port.
SNMP Access When selected, allows access to the port using SNMP.
Telnet Access When selected, allows access to the port using Telnet.
SSH Access When selected, allows access to the port using SSH.
Web Access When selected, allows access to the port using WBM.
SSL Access When selected, allows access to the port using SSL.
Chapter 4 Device Network Configuration
You can perform the following networking configuration tasks for managed devices:
Configuring Device IP Interfaces, page 103
Managing IP Routing, page 104
Configuring Ports, page 107
Configuring the Basic Network ParametersIP Version Mode and IP Fragmentation, page 112
Configuring Port Pairs, page 114
Configuring Device IPInterfaces
DefensePro performs routing between all IP interfaces defined on its Layer 2 interfaces (ports,
trunks, and VLANs). DefensePro also performs routing based on other network layers, such as
Layer 4 and Layer 7.
To configure IP interfaces
1. In the Configuration perspective Networking tab navigation pane, select IP Management.
To add an IP interface, click the (Add) button.
To edit an IP interface, double-click the row.
Table 44: IP Interface Parameters
IP Address IP address of the interface.
Mask The associated subnet mask.
Port The interface identifier, for example, G-1.
Forward Broadcast Specifies whether the device forwards incoming broadcasts to
this interface.
Default: Enabled
Broadcast Address Specifies whether to fill the host ID in the broadcast address
with ones or zeros.
Values:
Fill 1Fill the host ID in the broadcast address with ones.
Fill 0Fill the host ID in the broadcast address with zeros.
Default: Fill 1
Device Network Configuration
Managing IP Routing
DefensePro devices forward IP packets to their destination using an IP routing table. This table
stores information about the destinations and how they can be reached. By default, all networks
directly attached to the device are registered in the IP routing table. Other entries can either be
statically configured or dynamically created through the routing protocol.
Configuring IP Routing
IP routing is performed between DefensePro IP interfaces, while bridging is performed within an IP
interface that contains an IP address associated with a VLAN.
To configure IP routing
1. In the Configuration perspective Networking tab navigation pane, select IP Management > IP
Routing.
To add a static route, click the (Add) button.
To edit a static route, double-click the row.
3. Configure the static route settings and click OK.
4. Configure global advanced parameters, if required.
Notes
>> When editing a static route, you can modify only the Via Interface and Metric fields.
>> The Type field is displayed only in the Static Routes Table, not in the dialog box. It
cannot be configured.
VLAN Tag The VLAN tag to be associated with this IP Interface. When
multiple VLANs are associated with the same switch port, the
switch must identify to which VLAN to direct incoming traffic
from that specific port. VLAN tagging provides an indication in
the Layer 2 header that enables the switch to make the correct
decision.
Peer Address The IP address of the interface on the peer device, which is
required in a redundant configurationthat is, a cluster for high
availability.
Default: 0.0.0.0
Table 44: IP Interface Parameters
Configuring ICMP
Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite
and is used by networked computers operating systems to send error messagesindicating, for
instance, that a requested service is not available or that a host or router could not be reached.
To modify ICMP interface parameters
1. In the Configuration perspective Networking tab navigation pane, select IP Management > IP
Routing > ICMP.
2. Double-click the row.
3. Configure the ICMP settings and click OK.
Enable Proxy ARP When enabled, a network host answers ARP queries for the network
address that is not configured on the receiving interface. Proxying ARP
requests on behalf of another host effectively directs all LAN traffic
destined for that host to the proxying host. The captured traffic is then
routed to the destination host via another interface.
Default: Enabled
Enable Sending Trap on
ICMP Error
The Internet Control Message Protocol (ICMP) is one of the core protocols
of the Internet Protocol Suite and is used by networked computers
operating systems to send error messagesindicating, for example, that
a requested service is not available, or that a host or router could not be
reached.
Default: Enabled
Note: When this option is enabled, a trap is sent when there is an ICMP
error message.
Table 45: ICMP Interface Settings
IP Address IP address of the interface.
Destination Address IP destination address for multicast Router Advertisements sent from the
interface.
Values:
224.0.0.1The All Hosts multicast group that contains all systems on
the same network segment
255.255.255.255The limited-broadcast address
Advertise Interval
Minimum The minimum time, in seconds, between sending unsolicited multicast
Router Advertisements from the interface.
Values: 3maximum specified interval
Default: 75% of the maximum specified interval
Configuring the ARP Table
When Proxy ARP is enabled, a network host answers ARP queries for the network address that is not
configured on the receiving interface. Proxying ARP requests on behalf of another host effectively
directs all LAN traffic destined for that host to the proxying host. The captured traffic is then routed
to the destination host via another interface.
You can configure and manage the static ARP entries on the local router.
To configure the ARP table
1. In the Configuration perspective Networking tab navigation pane, select IP Management >
ARP Table.
To add a new entry, click the (Add) button.
3. Configure the ARP parameters and click OK.
4. Modify advanced parameters, if required; and then click (Submit) to submit the changes.
Maximum The maximum time, in seconds, between multicast Router
Advertisements from the interface.
Values: minimum specified interval 1800
Lifetime The maximum time, in seconds, that the advertised addresses are
considered valid.
Values: Maximum specified interval9000
Default: Three times (3) the maximum interval
Advertise this Interface Enables you to advertise the device IP using ICMP Router Advertise.
Preference Level The preference level of the address as the default router address, relative
to other router addresses on same subnet.
Reset all Parameters to
Default
Resets ICMP interface parameters to default values.
Table 46: ARP Parameters
Port The interface number where the station resides.
IP Address The stations IP address.
Table 45: ICMP Interface Settings
Configuring Ports
You can change the physical attributes of each port on the DefensePro devicefor example, speed
and duplex mode.
You can also configure port trunking to combine physical network links into a single logical link for
increased bandwidth.
To configure ports
1. In the Configuration perspective Networking tab navigation pane, select Port Configuration.
2. To change a ports configuration, double-click the row.
3. Configure the port settings and click OK.
MAC Address The stations MAC address.
Type Entry type.
Values:
OtherNot Dynamic or Static.
InvalidInvalidates ARP entry and effectively deletes it.
DynamicEntry is learned from ARP protocol. If the entry is not active for a
predetermined time, the node is deleted from the table.
StaticEntry has been configured by the network management station and
is permanent.
Table 47: Advanced Parameters
Inactive ARP Timeout The time, in seconds, that inactive ARP cache entries can remain in the
ARP table before the device deletes them. If an ARP cache entry is not
refreshed within a specified period, it is assumed that there is a problem
with that address.
Values: 19999999
Default: 60000
Table 48: Port Configuration Parameters
Port The index number of the port.
Speed The traffic speed of the port.
Values: Ethernet, Fast Ethernet, Giga Ethernet, XG Ethernet
Note: According to standards, this parameter can be changed only for
copper ports. After this parameter is changed, auto-negotiation is
disabled.
Table 46: ARP Parameters
Configuring Link Aggregation
Use link aggregation, also called port trunking, to combine physical network links into a single
logical link for increased bandwidth.
Notes
>> The same algorithm must be applied on the other switch in the trunk.
>> OnDemand Switch 1 and VL implement link aggregation via software and not at the
switch level, (these platforms do not include a Layer 2 switch hardware component).
Therefore, you cannot define trunks as port mirroring participants, on these platforms.
About Link Aggregation
Link aggregation, or port trunking, is a method of combining physical network links into a single
logical link for increased bandwidth. With link aggregation you can increase the capacity and
availability of the communications channel between devices (both switches and end stations) using
existing Fast Ethernet and Gigabit Ethernet technology. This is performed by using a set of multiple
parallel physical links between two devices grouped together to form a single logical link.
Link aggregation also provides load balancing where the processing and communications activity is
distributed across several links in a trunk, ensuring that no single link is overwhelmed. By taking
multiple LAN connections and treating them as a unified, aggregated link, you can achieve higher
link availability and increased link capacity.
Port trunking is supported according to the IEEE 802.3ad standard for link aggregation as follows:
Link aggregation is supported only on links using the IEEE 802.3 MAC.
Link aggregation is supported only on point-to-point links.
Link aggregation is supported only on links operating in Full Duplex mode.
Link aggregation is permitted only among links with the same speed and direction. On the
device bandwidth, increments are provided in units of 100Mbps and 1Gbps respectively.
The failure or replacement of a single link within a Link Aggregation Group will not cause failure
from the perspective of a MAC client.
MAC client traffic can be distributed across multiple links. To guarantee the correct ordering of
frames at the receiving-end station, all frames belonging to one conversation must be transmitted
through the same physical link. The algorithm for assigning frames to a conversation depends on the
application environment. Radware devices can define conversations on Layer 2, 3, or 4 information,
or on combined layers.
Duplex Mode Specifies whether the port allows both inbound and outbound traffic (Full
Duplex) or one way only (Half Duplex).
Note: According to standards, this parameter can be changed only for
copper ports with a speed lower than Gigabit Ethernet. After this
parameter is changed, auto-negotiation is disabled.
Auto Negotiation Specifies whether the port automatically detects and configures the speed
and duplex mode for the interface.
Table 48: Port Configuration Parameters
Using link aggregation, depending on the platform, you can define up to seven trunks. Up to eight
physical links can be aggregated into one trunk. In DefensePro, all trunk configurations are static. To
provide optimal distribution for different scenarios, the load sharing algorithm allows decisions
based on source or destination (or both) Layer 2 address (MAC), Layer 3 address (IP), and Layer 4
address (TCP/UDP port numbers). These parameters are used as input for a hashing function.
Notes
>> Only connected ports (Link Up) operating in Full Duplex mode can be attached to a
trunk.
>> You can define a management trunk (T-MNG) that includes only the management ports
(MNG-1 and MNG-2). The management ports cannot be a part of any other trunk. Using
the management trunk provides redundancy at the physical level for connectivity to the
management network. One link is active while the other is in backup mode. Failure of
the active link seamlessly activates the backup.
>> A port belonging to a trunk cannot be copied to another port (copy port).
>> Management ports that have preconfigured IP addresses cannot be assigned to a trunk.
Before attaching a physical port to a trunk, make sure that the port is not used in any
configuration (port mirroring, static forwarding).
>> When a trunk is part of a protected segment definition, Port Operation in the Port Pairs
table must be set to Process mode for both directions of this segment.
>> A trunk cannot be assigned with an IP address for management.
>> Ports with internal bypass cannot be assigned into a trunk.
>> It is not possible to set a port within a trunk as the Source or Destination of SSL
inspection.
Note: When a port is added into a trunk, it receives the trunk operation status. When a port is
removed from a trunk, it maintains its operational status.
Note: When a port is added into a trunk, the port receives the trunk operation status. When a
port is removed from a trunk, the port maintains its operational status.
To configure link aggregation
1. In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Link Aggregation.
You can view the MAC address of each trunk and the ports bound to it in the Link Aggregation
Ports table.
2. To change a port assignment, double-click the corresponding row.
3. Configure the port assignment; and then, click OK. When a port is added into a trunk, it receives
the trunk operation status. When a port is removed from a trunk, it maintains its operational
status. When a trunk operational status is set to down, a port removed from the trunk keeps its
down status.
Configuring Port Mirroring
Port Mirroring enables the device to duplicate traffic from one physical port on the device to another
physical port on the device. This is useful when an intrusion detection system (IDS) device is
connected to one of the ports on the device. You can choose to mirror either received and
transmitted traffic, received traffic only, or transmitted traffic only. You can also decide whether to
duplicate the received broadcast packets.
Notes
>> Port mirroring requires that the input port be configured to Static-Forwarding Process
mode. When the input port is configured to Static-Forwarding Forward mode, traffic is
not mirrored.
>> In Static Forwarding mode, traffic with the same destination MAC address as the device
is not mirrored (rare).
To avoid high-bandwidth DoS and DDoS attacks, you can mirror the traffic (that arrives at the
DefensePro device) to a dedicated sniffer port. This allows collecting packet data during an attack
and sending the data to Radwares Security Operation Center (SOC) to develop an attack signature.
DefensePro supports traffic-rate port mirroring also. DefensePro devices can perform traffic-rate
port mirroring when the device is under attack. Traffic-rate port mirroring is based on a specified
traffic threshold. When the threshold value is reached, the DefensePro device starts copying traffic
from the interface to its mirroring output port. The process continues for the specified time, and
then the copying process stops. For example, if you have a single network segment connected
between interfaces 1 and 2, whenever traffic reaches the configured threshold, DefensePro device
copies the traffic arriving on interface #1 to interface #3.
Table 49: Link Aggregation Port Parameters
Port (Read-only) The physical port index.
Port MAC Address (Read-only) The MAC address assigned to the port.
Trunk Name The trunk to which the port is attached.
Values:
0Specifies unattached
AB: This legacy description was wrong. The values depend on the
platform.
T1T7The range of values depends on the platform. That is, the
number of trunks that you can configure depends on the device
platform.
T-MNG
Default: 0
Port Status (Read-only)
Values:
IndividualThe port is not attached to any trunk.
AggregateThe port is attached to a trunk.
To configure port mirroring
1. In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Port Mirroring.
To add a pair of ports to mirror traffic, click the (Add) button.
3. Configure the port mirroring settings; and then, click OK.
4. To configure advanced parameters for port mirroring, in the navigation pane, select
Port Mirroring > Advanced Parameters.
5. Configure the advanced parameters; and then, click (Submit) to submit the changes.
Note: The Threshold Units parameter and the Threshold Interval parameter are defined
globally for each device and not for each pair of ports.
Table 50: Port Mirroring Parameters
Input Interface The traffic port.
Output Port The port for the mirrored traffic.
Traffic to Mirror The direction of the traffic that the device mirrors.
Values: Transmit and Receive, Receive Only, Transmit Only
Enable Promiscuous
Mode
Values:
EnabledThe device copies all traffic to the specified output port.
DisabledThe device copies only the traffic destined to the input.
Default: Enabled
Backup Port The backup port for the mirrored traffic.
Mode The mode of port mirroring.
Values: Enabled, Traffic Rate
Threshold The number of threshold units (PPS/Kbps) that can pass through the
specified input port (Input Interface) before the mirroring process starts.
Configuring the Basic Network ParametersIP Version
Mode and IP Fragmentation
Use the Basic pane to do the following:
Specify the IP Version Mode (IPv4 or IPv6)
Specify whether to pass jumbo frames
Configure the IP Fragmentation parameters
IPv4 and IPv6 Support
DefensePro supports IPv6 and IPv4 protocols and provides a fully functional IPS and DoS prevention
solution for IPv6/IPv4 packets. Management works only in IPv4.
DefensePro supports processing of IPv6 packets and ICMPv6 packets, including:
Setting networks with IPv6 addresses
Applying security policies
Blocking attacks
Security reporting
IP Fragmentation
When the length of the IP packet is too long to be transmitted, the originator of the packet, or one of
the routers transmitting the packet, must fragment the packet to multiple shorter packets.
Using IP fragmentation, the DefensePro device can classify the Layer 4 information of IP fragments.
The device identifies all the fragments belong to same datagram, then classifies and forwards them
accordingly. The device does not reassemble the original IP packet, but forwards the fragmented
datagrams to their destination, even if the datagrams arrive at the device out of order.
Table 51: Port Mirroring Advanced Parameters
Traffic Threshold Units The units in which the threshold is measured.
Values:
PPSPackets per second
KbpsKilobits per second
Threshold Interval How long, in seconds, mirroring continues after the traffic rate falls below
the specified threshold.
Default: 30
Reset Traffic Rate Click to set the device to record the traffic that exceeds the predefined limit
within a new Threshold Interval.
Configuring the Basic Networking Parameters
To configure the Basic Networking parameters
1. In the Configuration perspective Networking tab navigation pane, select Basic.
Table 52: Basic Networking Parameters
Basic Parameters
IP Version Mode The IP version that the device supports.
Values:
IPv4The device processes IPv4 packets only.
IPv4 and IPv6The device processes IPv6 and IPv4 packets.
Note: If the IPv4 option is selected and IPv6 network classes are
configured, all IPv6 policies (rules) are automatically
disabled. Policies applied on both IPv4 and IPv6 traffic
continue to process IPv4 traffic only. The IPv6 information
remains visible.
Jumbo Frames Support
Bypass Jumbo Frames
(This parameter is available
only in devices with the DoS
Mitigation Enginethat is,
the DME.)
Specifies whether the device passes jumbo frames through the
device.
Values:
EnabledThe device passes frames of 155010,000 bytes
through the device without any inspection or monitoring.
DisabledThe device discards frames that are larger than 1550
bytes.
Default: Disabled
Notes:
>> Changing the configuration of the option takes effect only
after a device reset.
>> When the option is enabled on an x412 platform, there may
be some negative effect on the following features: Packet
Anomalies, Black and White Lists, and BDoS real-time
signatures.
>> When the option is enabled on an x016 platform, there may
be some negative effect on Black and White lists.
>> When the option is enabled, TCP SYN Protection may not
behave as expected because the third packet in the TCP
three-way-handshake can include data and be in itself a
jumbo frame.
>> When the option is enabled, some protections that rely on
the DefensePro session table might produce false-negatives
and drop traffic when all the session traffic bypasses the
device in both directions for a period longer than Session
Aging Time.
You can configure ports on a DefensePro device to receive, inspect, and transmit traffic. The traffic
from the receiving port is always sent out of the device from its corresponding transmitting port. The
ports are paired; one port receives traffic while another transmits traffic.
You can set the operation mode of a port pair. When the port pair operates in Process mode, the
traffic is inspected for attacks and traffic sampling policies are applied. When the port pair operates
in Forward mode, the traffic is forwarded to the destination port without any inspection.
To configure a pair of ports
1. In the Configuration perspective Networking tab navigation pane, select Port Pairs.
To add a pair of ports, click the (Add) button.
To edit a pair of ports, double-click the row.
IP Fragmentation
Enable IP Fragmentation When selected, enables IP fragmentation.
Default: Enabled
Queuing Limit The percentage of IP packets the device allocates for out-of-sequence
fragmented IP datagrams.
Values: 0100
Default: 25
Aging Time The time, in seconds, that the device keeps the fragmented
datagrams in the queue.
Values: 1255
Default: 1
Traffic Exclusion
This group box is available only on x412 platforms with the DME.
Traffic Exclusion Specifies whether the device passes through all traffic that matches
no network policy configured on the deviceregardless of any other
protection configured.
Default: Enabled
Caution: If Traffic Exclusion is enabled, to inspect traffic that
matches a Server Protection policy, you must configure
the Server Protection policy as a subset of the Network
Protection Policy rule.
Table 52: Basic Networking Parameters
Port Pairs
Source Port The user-defined source port for received traffic.
Destination Port The user-defined destination port for transmitted traffic.
Operation The operation mode assigned to a pair of ports.
Values:
ForwardThe traffic is forwarded without any inspection.
ProcessThe traffic passes thought the CPU and is inspected for attacks,
bandwidth, and so on.
Failure Mode Specifies whether the traffic passes through (bypasses) a pair of RJ-45 ports
when the platform is rebooting or is powered down (for example, if the device
fails).
Values:
Fail-CloseTraffic does not pass through when the platform is powered
down. When a pair of ports enters fail-close state, traffic is blocked and
the link appears to be down (no power), and switches that are connected
to the DefensePro device detect the link as being down.
Fail-OpenTraffic passes through (not processed by DefensePro) when
the platform is powered down.
Note: For more information, see Internal Bypass for RJ-45 Ports, page 46.
In Port Specifies which port in the pair is designated as the inbound portthe source
or destination port. This setting is used in real-time reports for inbound and
outbound traffic.
Advanced Parameters
Enable Interface
Grouping
Specifies whether the device groups the statuses of the port-pair interfaces.
When the option is enabled, if one port of a port pair is disconnected,
DefensePro sets the status of the paired port to disconnected also. Therefore,
When the option is enabled; so a remote device connected to the DefensePro
device perceives the same disconnected status.
Typically, the option is enabled when DefensePro is configured between
switches that use link redundancy; interface grouping is the only way both
switches always perceive the same DefensePro interfaces status.
Default: Disabled
Chapter 5 Security Configuration
A security policy in an organization is a set of rules and regulations that defines what constitutes a
secure network and how it reacts to security violations. You implement a security policy for your
organization by using the global security settings, network-protection policy, and server-protection
policy. You can adjust a security policy to suit the security needs of different network segments
down to a single server, providing comprehensive protection for your organization.
Each policy consists of multiple rules. Each rule in a policy defines a network segment or server, one
or more protection profiles to be applied, and the action to be taken when the device detects an
attack.
Each protection profile defines the security defenses that provide protection against a specific
network threat. For example, the Signature Protection profile prevents intrusion attempts, and the
Behavioral DoS profile prevents flood attacks aimed at creating denial of service.
Note: All the configuration procedures in this section assume that the relevant device is
selected in the Configuration perspective navigation pane.
Security Protections, page 117
Selecting a Device for Security Configuration, page 118
Configuring Global Security Settings, page 118
Managing the Network Protection Policy, page 144
Managing the Server Protection Policy, page 187
Configuring White Lists, page 195
Configuring Black Lists, page 198
Managing the ACL Policy, page 202
Security Protections
DefensePros multi-layer security approach combines features for detecting and mitigating a wide
range of network and server attacks.
DefensePro supports three types of security protections: Network-wide protections, Server
protections, and Access-control policies.
Network-wide protections comprise the following:
Behavioral DoSProtects against zero-day flood attacks, including SYN Floods, TCP Floods,
UDP floods, ICMP and IGMP floods.
SYN-flood protectionProtects against any type of SYN flood attack using SYN cookies. A
SYN flood attack is usually aimed at specific servers with the intention of consuming the servers
resources. However, you configure SYN Protection as a Network Protection to allow easier
protection of multiple network elements.
Signature-based protectionProtects against known application vulnerabilities, and common
malware, such as worms, trojans, spyware, and DoS.
Fraud protection using RSA feeds.
Packet-anomaly protections.
Security Configuration
Scanning and worm-propagation protectionProvides zero-day protection against self-
propagating worms, horizontal and vertical TCP and UDP scanning, and ping sweeps.
Connection limitProtects against session-based attacks, such as half-open SYN attacks,
request attacks, and connection attacks.
Connection PPS Limit protectionProtects against attacks that use a high PPS rates on one
or several connections to flood a server.
Server protections include the following:
Server-cracking protectionProvides zero-day protection against application-vulnerability
scanning, brute-force, and dictionary attacks.
HTTP-flood protectionMitigates zero-day HTTP page flood attacks.
Access control (ACL) policies block or allow traffic to or from specified networks, based on protocols,
applications, and other criteria.
Selecting a Device for Security Configuration
You configure a security policy in the Configuration perspective.
Before you configure a security policy, select the device in the Configuration perspective navigation
pane.
To select the device for security configuration
Select the required device in the Configuration perspective system pane.
Configuring Global Security Settings
Before you configure the Server Protection Policy or the Network Protection Policy and their
protection profiles, you must enable the protection features you want to use and configure the
global parameters for the protection features.
Note: After a protection feature is enabled on a device, the device requires a reboot; however,
you need to reboot only once after enabling features within the same navigation branch.
Use APSolute Vision to configure the following protection features on a selected device:
Configuring Global Signature Protection, page 119
Configuring DoS Shield Protection, page 119
Configuring Global Behavioral DoS Protection, page 121
Configuring Global Anti-Scanning Protection Settings, page 127
Configuring Global SYN Flood Protection, page 128
Configuring Global Out of State Protection, page 129
Configuring Global HTTP Flood Protection, page 131
Configuring Global SIP Cracking Protection, page 132
Configuring Global Fraud Protection, page 133
Managing Global Packet Anomaly Protection, page 134
Managing Global Packet Anomaly Protection, page 134
Configuring Global Signature Protection
Signature Protection is enabled by default for all models that support it.
Note: Signature protection (IPS) is not available in DefensePro x412-BP models.
To configure Signature Protection
1. In the Configuration perspective Security Settings tab navigation pane, select Signature
Protection.
Configuring DoS Shield Protection
The DoS Shield mechanism protects against known flood attacks and flood-attack tools that cause a
denial of service effect, making computer resources unavailable to its intended users.
Note: DoS Shield protection is enabled by default.
Table 54: Signature Protection Settings
Enable Application Security
Protection
If the protection is disabled, enable it before setting up the
protection profiles.
Note: Changing the setting of this parameter requires a
reboot to take effect.
Reassemble Fragmented TCP
Packets
Specifies whether the device tries to reassemble fragmented
TCP packets.
Default: Enabled
Encoding The encoding (the language and character set) to use for
detecting security events.
Enable Session Drop Mechanism Enable dropping of all session packets when a signature was
detected in one of the session packets.
Minimum Fragment URI Size The minimum permitted size, in bytes, of the fragment.
Security Tracking Tables Free-Up
Frequency
How often, in milliseconds, the device clears unnecessary
entries from the table, and stores information about newly
detected security events.
Default: 1250
DoS Shield profiles prevent the following:
Known TCP, UDP, and ICMP floods
Known attack tools available in the Internet
Known floods created by BOTs, which are automated attacks
DoS Shield protection uses signatures from the Radware Signatures database. This database is
continuously updated and protects against all known threats.
Radware Signature profiles include all DoS Shield signatures as part of the signature database and
Radware predefined profiles that already include DoS Shield protection. To create a profile that
includes DoS Shield protection, you configure a profile with the Threat Type attribute set to Floods.
Radware also supplies a predefined profile, the All-DoS-Shield profile, which provides protection
against all known DoS attacks. The All-DoS-Shield profile is applied when a DoS-only solution is
required. Note that if the DoS Shield Radware-defined profile is applied, you cannot apply other
Signature profiles in the same security policy.
To prevent denial of service, DoS Shield samples traffic flowing through the device and limits the
bandwidth of traffic recognized as a DoS attack with predefined actions.
Most networks can tolerate sporadic attacks that consume negligible amounts of bandwidth. Such
attacks do not require any counter action. An attack becomes a threat to the network when it starts
to consume large amounts of the networks bandwidth. DoS Shield detects such events using an
advanced sampling algorithm for optimized performance, acting automatically to solve the problem.
The DoS Shield considers two protection states:
Dormant stateIndicates that Sampling mechanism is used for recognition prior to active
intervention. A protection in Dormant state becomes active only if the number of packets
entering the network exceeds the predefined limit.
Active stateIndicates that the action is implemented on each packet matching the Attack
Signature, without sampling.
DoS Shield counts packets matching Dormant and Active states. Samples of the traffic are compared
with the list of protections in Dormant state. When a specified number of packets is reached, the
status of the protection changes to Active.
The DoS Shield module uses two processes working in parallel. One process statistically monitors
traffic to check if any dormant protection has become active. Then, when DoS Shield detects the
protection as active, the module compares each packet that passes through the device to the list of
Currently Active Protections. The module compares some of the packets that do not match the
Active signature with the Dormant protections list. The module forwards the rest of the packets to
the network without inspection.
In DefensePro, to configure DoS Shield protection, you must enable Signature Protection. For more
information, see Configuring Global Signature Protection, page 119.
To configure DoS Shield protection
1. In the Configuration perspective Security Settings tab navigation pane, select DoS Shield.
To include DoS Shield protection in the network-protection policy
1. In the Configuration perspective Network Protection tab navigation pane, select Network
Protection Rules.
2. In the Add New Network Protection Rule dialog box, from the Signature Protection Profile
drop-down list, select All-DoS-Shield.
For more information, see Configuring the Network Protection Policy, page 145.
Configuring Global Behavioral DoS Protection
Behavioral DoS (Behavioral Denial of Service) Protection, which you can use in your network-
protection policy, defends your network from zero-day network-flood attacks. These attacks fill
available network bandwidth with irrelevant traffic, denying use of network resources to legitimate
users. The attacks originate in the public network and threaten Internet-connected organizations.
The Behavioral DoS profiles detect traffic anomalies and prevent zero-day, unknown, flood attacks
by identifying the footprint of the anomalous traffic.
Network-flood protection types include:
TCP floodswhich include TCP Fin + ACK Flood, TCP Reset Flood, TCP SYN + ACK Flood, and
TCP Fragmentation Flood
UDP flood
ICMP flood
IGMP flood
The main advantage of BDoS Protection is the ability to detect statistical traffic anomalies and
generate an accurate DoS-attack footprint based on a heuristic protocol information analysis. This
ensures accurate attack filtering with minimal risk of false positives. The default average time for a
new signature creation is between 10 and 18 seconds. This is a relatively short time, because flood
attacks can last for minutes and sometimes hours.
Table 55: DoS Shield Parameters
Enable DoS Shield Specifies whether the DoS Shield feature is enabled.
Note: If the protection is disabled, enable it before configuring the
protection profiles.
Sampling Time How often, in seconds, DoS Shield compares the predefined thresholds
for each dormant attack to the current value of packet counters
matching the attack.
Default: 5
Note: If the sampling time is very short, there are frequent
comparisons of counters to thresholds, so regular traffic bursts
might be considered attacks. If the sampling time is too long,
the DoS Shield mechanism cannot detect real attacks quickly
enough.
Packet Sampling Ratio The packet-sampling frequency. For example, if the specified value is
5001, the DoS Shield mechanism checks 1 out of 5001 packets.
The default value depends on the device model. For x016 and x412
modules, the value is 5001.
Enabling BDoS Protection
Before you configure BDoS Protection profiles, enable BDoS Protection. You can also change the
default global device settings for BDoS Protection. The BDoS Protection global settings apply to all
the network protection-policy rules with BDoS profiles on the device.
To enable BDoS Protection and configure global settings
1. In the Configuration perspective Security Settings tab navigation pane, select BDoS
Protection.
Table 56: BDoS Protection Global Parameters
Basic Parameters
Enable BDoS Protection Specifies whether BDoS Protection is enabled.
Note: Changing the setting of this parameter requires a reboot to
take effect.
Learning Response Period The initial period from which baselines are primarily weighted.
The default and recommended learning response period is one week.
If traffic rates legitimately fluctuate (for example, TCP or UDP traffic
baselines change more than 50% daily), set the learning response to
one month. Use a one day period for testing purposes only.
Values: Day, Week, Month
Default: Week
Enable Traffic Statistics
Sampling
Specifies whether the BDoS module uses traffic-statistics sampling
during the creation phase of the BDoS footprint. When the BDoS
module is trying to generate a real-time signature and there is a high
rate of traffic, the device evaluates only a portion of the traffic. The
BDoS module tunes the sampling factor automatically, according to
the traffic rate. The BDoS module screens all traffic at low traffic
rates (below 100K PPS) and only a portion of the traffic at higher
rates (above 100K PPS).
Default: Enabled
Note: For best performance, Radware recommends that the
parameter be Enabled.
Footprint Strictness When DefensePro detects a new attack, the Behavioral DoS module
generates an attack footprint to block the attack traffic. If DefensePro
is unable to generate a footprint that meets the footprint-strictness
condition, the device issues a notification for the attack but does not
block it. The higher the strictness, the more accurate the footprint.
However, higher strictness increases the probability that the device
cannot generate a footprint.
Values:
HighEnforces at least three Boolean ANDs and no other
Boolean OR value in the footprint. This level lowers the
probability for false positives but increases the probability for
false negatives.
MediumEnforces at least two Boolean ANDs and no more than
two additional Boolean OR values in the footprint.
LowAllows any footprint suggested by the Behavioral DoS
module. This level achieves the best attack blocking, but
increases the probability of false positives.
Note: Footprint Strictness Examples, page 124 shows examples of
footprint strictness requirements.
Advanced Parameters
These settings affect periodic attack behavior. The settings are used to effectively detect and block
these attack types.
Duration of Non-attack
Traffic in Analysis State
The time, in seconds, at which the degree of attack falls below and
stays below the hard-coded threshold in the Analysis state. When the
time elapses, DefensePro declares the attack to be terminated.
Values:
0DefensePro declares the attack to be terminated
immediately.
130
Default: 0
Traffic in Blocking State
stays below the hard-coded threshold in the Blocking state. When the
Values:
immediately.
1300
Default: 10
Note: There is no typical use case for reducing the value from the
default.
Configuring BDoS Footprint Bypass
You can define footprint bypass types and values that will not be used as part of a real-time
signature. The types and values not be used in OR or in AND operations within the blocking rule
(real-time signature) even when the protection-engine suggests that the traffic is a real-time
signature candidate.
To configure footprint bypass
1. In the Configuration perspective Security Settings tab navigation pane, select
BDoS Protection > BDoS Footprint Bypass.
2. From the Footprint Bypass Controller drop-down list, select the attack protection for which
you want to configure footprint bypass, and click Go. The table displays the bypass types and
values for the selected attack protection.
3. To edit bypass type settings, double-click the corresponding row.
4. Configure the footprint bypass parameters for the selected bypass type; and then, click OK.
Traffic in Anomaly or Non-
Strictness State
stays below the hard-coded threshold in the Anomaly state or the
Non-strictness state. When the time elapses, DefensePro declares
the attack to be terminated.
Values:
immediately.
1300
Default: 10
Table 57: Footprint Strictness Examples
Footprint Example Strictness Level
Low Medium High
TTL Yes No No
TTL AND Packet Size Yes Yes No
TTL AND Packet Size AND Destination Port Yes Yes Yes
Table 58: BDoS Footprint Bypass Parameters
Footprint Bypass
Controller
(Read-only) The selected attack protection for which you are configuring
footprint bypass.
Bypass Field (Read-only) The selected bypass type to configure.
Configuring Early Blocking of DoS Traffic
Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair
the accuracy of the DoS-attack footprint that DefensePro generates.
When DefensePro detects a new DoS attack (by default, after 10 seconds), DefensePro generates a
DoS-attack footprint and then blocks or drops the relevant flood traffic.
In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start
blocking as soon as possible, even if accuracy is compromised. Using Early Blocking of DoS Traffic,
you can configure thresholds for generating DoS-attack footprints, which shorten the time to start
blocking the relevant traffic.
DefensePro generates each footprint using values from fields (parameters) in the packet header (for
example: Sequence Number, Checksum, and IP ID). The values from fields in the packet header
characterize the attack.
The thresholds that you can configure for the protection to change from the Analysis state to the
Blocking state are Packet-header fields or Packet-header-field values:
The Packet-header fields threshold is the anomalously distributed packet-header fields that
DefensePro must detect to generate a footprint and start early blocking prior to the default 10
seconds. (The transition after 10 seconds occurs even if the condition is not met.) You can define
either the number of packet-header fields, or the specific fields that DefensePro must detect. For
more information, see Selecting Packet Header Fields for Early Blocking of DoS Traffic,
page 126.
The Packet-header-field values threshold is the number of anomalous packet-header-field values
that DefensePro must detect to generate a footprint and start early blocking.
Note: The threshold (that is, the packet-header fields or number of packet-header fields)
cannot conflict with the Footprint Strictness level. You cannot change the specified
Footprint Strictness to one that is lower than the strictness necessary for the BDoS
mechanism to operate properly. Likewise, you cannot configure fewer packet-header
fields than the specified strictness level requires for the BDoS mechanism to operate
properly.
Bypass Status The bypass option.
Values:
BypassThe Behavioral DoS module bypasses all possible values of
the selected Bypass Field when generating a footprint.
AcceptThe Behavioral DoS module bypasses only the specified
values (if such a value exists) of the selected Bypass Field when
generating a footprint.
Bypass Values Used if the value of the Bypass Status parameter is Accept. Behavioral
DoS bypasses only the values of a selected Bypass Type, while it may use
all other values. These values vary according to the Bypass Field selected.
The values in the field must be comma-delimited.
Table 58: BDoS Footprint Bypass Parameters
To configure early blocking for BDoS
BDoS Protection > Early Blocking.
2. To modify a protection type for early blocking, double-click the row.
Selecting Packet Header Fields for Early Blocking of DoS Traffic
You can select specific packet header fields be included in the set of specific packet headers that
DefensePro must detect to generate a footprint and start early blocking.
To select packet header fields for early blocking
1. In the Configuration perspective Security Settings tab navigation pane, select BDoS
Protection > Packet Header.
2. Select the protection type and click Go. The BDoS Packet Header table displays the relevant
packet header fields.
3. To change the early blocking enabling setting for a field, double-click the row, change the setting
in the dialog box, and click OK.
Table 59: Early Blocking Parameters
Protection Type (Read-only) The protection for which you are configuring early
blocking.
Any Packet Header Field When selected, DefensePro blocks DoS traffic early based on the
specified number of packet-header fields and number of packet-
header-field values thresholds.
Clear the selection to use specific packet header fields that you select
in the BDoS Packet Header table.
Any Packet Header Field
Threshold
The number of anomalous packet-header fields that DefensePro must
detect to generate a footprint and start early blocking.
Values: 120
Default (per protection): ICMP17, IGMP16, TCP-ACK-FIN17,
TCP-FRAG17, TCP-RST17, TCP-SYN17, TCP-SYN-ACK17,
UDP20.
Packet Header Field Values The number of anomalous packet-header-field values that
DefensePro must detect to generate a footprint and start early
blocking.
The number of packet-header-field values must not be less than the
specified packet-header field threshold.
Values: 11000
Default 500
Configuring Global Anti-Scanning Protection Settings
Anti-Scanning Protection protects against malicious, scanning activity, which includes zero-day self-
propagating network worms, horizontal scans, and vertical scans. When Anti-Scanning Protection is
enabled, upon detecting an attack, the protection implements the blocking footprint rule for a
predefined, initial blocking duration. When the protection identifies repeated scanning activities from
the same source, the protection extends the blocking duration based on a dynamic blocking-
duration mechanism. This mechanism includes a random factor that sets an unpredictable blocking
duration. When a source continues to scan the network, the device can restart the global Maximal
Blocking Duration.
To configure global Anti-Scanning Protection settings
1. In the Configuration perspective Security Settings tab navigation pane, select Anti-Scanning.
Table 60: Packet Header Field Parameters
blocking.
Packet Header Field (Read-only) The packet header field.
Enable Early Blocking
Condition
When selected, the packet header is included in the set of specific
packet headers that DefensePro must detect to generate a footprint
and start early blocking.
Table 61: Global Anti-Scanning Settings
Anti-Scanning Parameters
Enable Anti-Scanning
Protection
Specifies whether Anti-Scanning Protection is enabled. Anti-Scanning
Protection prevents zero-day self-propagating network worms, horizontal
scans, and vertical scans.
Default: Enabled
Note: Changing the setting of this parameter requires a reboot to take
effect.
Enable Protection for
Very Slow Scans
Specifies whether Anti-Scanning Protection blocks slow scans, which can
result in very long blocking periods. When enabled, Anti-Scanning
Protection adapts the blocking interval based on the scanner-activity
frequency. Thus, the device will redetect the scanner activity before the
blocking duration elapses. The blocking duration is calculated as the time
between scanning events multiplied by the Attack Trigger value.
Radware recommends using this option only in exceptional circumstances,
when one scan attempt in 20 minutes is considered a security threat.
Default: Disabled
Configuring Global SYN Flood Protection
A SYN flood attack is usually aimed at specific servers with the intention of consuming the servers
resources. However, you configure SYN Protection as a Network Protection to allow easier protection
of multiple network elements.
Before you configure SYN profiles for the network-protection policy, ensure the following:
SYN Protection is enabled the SYN Flood Protection global parameters are configured.
The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session
Table Settings, page 88.
To configure global SYN Flood Protection
1. In the Configuration perspective Security Settings tab navigation pane, select SYN Flood
Protection Settings.
Enable High Port
Response
Specifies whether the Anti-Scanning Protection emphasizes inspecting
scans aimed at ports greater than 1024 (that is, usually unassigned
ports).
Values:
EnabledThe Anti-Scanning Protection emphasizes inspecting scans
aimed at ports greater than 1024. Select this checkbox when using
applications that utilize standard system ports (that is, port values
less than 1024).
DisabledThe Anti-Scanning Protection treats all the scan activities
equally. Clear this checkbox when using applications utilizing non-
standard ports (that is, port values greater than 1024).
Default: Enabled
Note: When the parameter is enabled and you have legitimate
applications using high-range ports, the DefensePro device is
prone to more false positives.
Maximal Blocking
Duration
The maximum time, in seconds, that the Anti-Scanning Protection blocks
the source of a scanif that source continues to scan the network.
Values: 203600
Default: 80
Note: This setting overrides the maximum time set in the suspend
table parameters.
Table 61: Global Anti-Scanning Settings
Configuring Global Out of State Protection
Out of State Protection detects out-of-state packets to provide additional protection for application-
level attacks.
To configure global Out of State Protection
1. In the Configuration perspective Security Settings tab navigation pane, select Out of State.
Table 63: Out-of-State Protection Parameters
Table 62: SYN Flood Protection Settings Parameters
Basic Parameters
Enable SYN Flood Protection Specifies whether SYN Flood Protection is enabled on the device.
Default: Enabled
take effect.
Advanced Parameters
Tracking Time The number of SYN packets directed to same destination must be
lower than the value of the Termination Threshold for this amount of
time, in seconds, to stop the protection of the destination.
Values: 110
Default: 5
SSL Parameters
For more information on the SSL Mitigation feature, see Configuring SSL Mitigation Policies,
page 180.
Enable SSL Mitigation Specifies whether the device enables the SSL Mitigation mechanism
with an Alteon device.
Alteon MNG IP The IP address of the Alteon management port.
Health-Check Port The health-check port (that is, the SNMP Traps port) on the Alteon
device.
DefensePro Assigned Ports The table that displays the pair of static-forwarding ports.
Global Parameters
Enable Out-of-State
Protection
Specifies whether the device enables Out-of-State Protection
learning.
Default: Disabled
Activate (Without Reboot) Specifies whether the device starts and stops Out-of-State Protection
without rebooting the device.
Default: Enabled
Startup Mode The behavior of the device after startup. Out-of-State Protection
cannot be applied to existing traffic; therefore, the device can either
drop existing traffic and apply Out-of-State Protection to all new
traffic, or suspend Out-of-State Protection for a period of time, which
is used to learn traffic and sessions.
Values:
OnStart the protection immediately. Existing sessions are
dropped and only new sessions are allowed.
OffDo not protect.
GracefulStart the protection while maintaining existing
sessions for the time specified by the Startup Timer parameter.
Default: Graceful
Startup Timer For Graceful startup mode, this parameter specifies the time, in
seconds, after startup when the device ignores Out-of-State
Protection and registers all sessions in the Session table, including
those whose initiation was not registered (for example, SYN with
TCP). After this time, the device drops new sessions whose initiation
was not registered (for example, SYN with TCP).
Values: 065,535
Default: 1800
Advanced Parameters
Enable Out of State Status Enables the specified Action for Out-of-State Protection.
Default: Disabled
Action The action that the device takes when it encounters out-of-state
packets.
Values: Block, Report Only
Default: Report Only
Activation Threshold The rate, in PPS, of out-of-state packets above which the device
considers the packets to be part of a flood attack. When the device
detects an attack, it issues an appropriate alert and drops the out-of-
state packets that exceed the threshold. Packets that do not exceed
the threshold bypass the DefensePro device.
Default: 5000
Termination Threshold The rate, in PPS, of out-of-state packets below which the device
considers the flood attack to have stopped; and the device resumes
normal operation.
Default: 4000
Packet Trace Specifies whether the DefensePro device sends out-of-state packets
to the specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled
(Configuration perspective > Advanced
Parameters > Security Reporting Settings >
Enable Packet Trace). In addition, a change to this
parameter takes effect only after you update policies.
Configuring Global HTTP Flood Protection
The HTTP Mitigator detects and mitigates HTTP request flood attacks to protect Web servers. The
HTTP Mitigator collects and builds a statistical model of the protected server traffic, and then, using
fuzzy logic inference systems and statistical thresholds, detects traffic anomalies and identifies the
malicious sources.
To configure global HTTP Flood Protection
1. In the Configuration perspective Security Settings tab navigation pane, select HTTP Flood
Protections.
Table 64: HTTP Mitigator Parameters
Basic Parameters
Enable HTTP Mitigator Specifies whether the HTTP Mitigator is enabled on the device.
HTTP flood protection must be enabled to set HTTP flood protection
parameters.
Default: Enabled
Learning Period before
Activation
The time, in days, DefensePro takes to collect the data needed to
establish the baseline that HTTP Mitigation uses.
Values: 065,536
Default: 7
Learning Mode The learning mode of the HTTP Mitigator.
Values:
Continuous OnlyThe learning process about the traffic
environment is continuous.
AutomaticDefensePro can switch to 24x7 learning when it
detects a recurring pattern per hour of the day of the week in a
period of 4, 8, or 12 weeks (based on sensitivity).
Learning Sensitivity The period from which DefensePro establishes baselines. Select the
time unit based on the site characteristics. For example, if the site
traffic fluctuates during the course of a day, but fluctuates the same
way each day, select Day; but if there are significant fluctuations
between the days of the week, select Week.
Default: Week
Mitigation Failure Condition The number of automatic attempts the device makes before
announcing it cannot mitigate the attack.
Values: 1100
Default: 3
Configuring Global SIP Cracking Protection
SIP Cracking protection, which provides VoIP protection similar to FTP, POP3, and server-based
crack protections, is designed to detect and mitigate the following types of threats:
Brute-force and dictionary attacksOn registrar and proxies SIP servers.
SIP application scanning activitiesOn SIP servers and SIP phones.
SIP DoS flood attacksOn SIP servers and SIP phones. The types of attacks that are detected
through the SIP crack mechanism include those that use repeated spoofed register and invite
messages.
Pre-SPIT (Spam over IP Telephony) activitiesTO TAG Invite messages are used.
DefensePro detects attacks based on the frequency and quantity of SIP reply codes.
DefensePro performs analysis of authentication, call initiation, registration processes, and reply
codes per source IP address and the SIP URI (SIP FROM).
A SIP server can send replies and error responses to clients either on the same connection or open a
new connection for this purpose. This is also applicable for UDP, where either the same flow or a new
one is used. To support such environments, the SIP Server Cracking Protection can monitor all
outgoing messages from the protected server to the SIP Application Port Group or from the SIP
Application Port Group.
When DefensePro detects an attack, it does the following:
Adds the source IP address of the attacker to the Suspend table. The suspend entry will have
both the SIP port and the server IP address.
Blocks all traffic from the attacker to the protected server and to the SIP Application Port group.
The device also drops existing sessions or flows from the attacker to the protected server and to
the Application Port Group.
Before you configure global SIP Cracking Protection, you must configure a profile that includes SIP
protection. For more information, see Configuring Server Cracking Profiles for Server Protection,
page 189.
To configure global SIP Cracking Protection
1. In the Configuration perspective Security Settings tab navigation pane, select SIP Cracking.
Configuring Global Fraud Protection
Fraud Protection uses RSA-signature feeds to protect your network from malicious, fraudulent sites.
Such sites include phishing sites, trojan drop points, and malicious-download sites.
Note: RSA updates require purchasing a relevant license.
DefensePro can periodically receive the RSA-signature feeds by means of a scheduled task, Update
RSA Security Signature. You can also trigger an update of RSA signatures manuallyusing the
Update Security Signature operation.
DefensePro can store up to 500 concurrent RSA signatures.
When RSA finds a new malicious server or URL, RSA approaches the hosting provider or service
provider to take the site down. DefensePro expects that the feeds it receives become irrelevant after
a certain time. DefensePro ages the stored signatures according to the specified estimated time for
bringing down various types of malicious sites.
When Fraud Protection is enabled, you can configure Network Protection with a Signature Profile rule
that uses one or more of the following threat-type attribute values:
Fraud - Phishing
Fraud - Drop Points
Fraud - Malicious Download
Table 65: SIP Cracking Parameters
Tracking Type The data that the SIP Cracking feature monitors.
Values: SIP-URI, Source IP, Both
Application Code for Reset The SIP error code that is sent back to the source IP address.
Values:
AmbiguousEvent number 485.
Busy EverywhereEvent number 600
Busy HereEvent number 486
DeclineEvent number 603
Forbidden
Not Acceptable ErrorEvent number 606
Not Acceptable Fail
Not Acceptable HereEvent number 488
Not FoundEvent number 404
Request TerminatedEvent number 487
Temporarily UnavailableEvent number 480
Default: Not Acceptable Error
Detect Error Codes in Server
Originated Sessions
Enables detection of error codes on sessions that originate from
the server to the client.
Default: Disabled
To configure fraud protection
1. In the Configuration perspective Security Settings tab navigation pane, select Fraud
Protection.
Managing Global Packet Anomaly Protection
Packet Anomaly protection detects and provides protection against packet anomalies.
Enabling and Disabling the Packet Trace Feature for Packet Anomaly Protection
When the Packet Trace feature is enabled for Packet Anomaly Protection, the device sends
anomalous packets to the specified physical port.
You enable or disable the Packet Trace feature for all the packet-anomaly types configured on the
device.
Table 66: Fraud Protection Parameters
General Settings
Enable Fraud Protection Specifies whether fraud protection is enabled.
Default: Disabled
Advanced Settings
Error Reporting Frequency How often, in hours, the device sends a trap notifying when an
expected feed was not received.
Values: 124
Default: 1
Phishing Signatures Aging How often, in hours, the device deletes the signatures of phishing
sites.
Values: 1168
Default: 48
Drop Points Aging How often, in hours, the device deletes the addresses of drop points.
Values: 1168
Default: 70
Malicious Download Aging How often, in hours, the device deletes the addresses of malicious-
download sites.
Values: 1168
Default: 48
Notes
>> When this feature is enabled, for the feature to take effect, the global setting must be
enabled (Configuration perspective > Advanced Parameters > Security Reporting
Settings > Enable Packet Trace).
>> A change to the parameter takes effect only after you update policies.
To enable or disable the Packet Trace feature for Packet Anomaly Protection
1. In the Configuration perspective Security Settings tab navigation pane, select Packet
Anomaly.
2. Select or clear the Packet Trace checkbox; and then, click (Submit) to submit the changes.
Configuring Protection Settings for a Packet-Anomaly Type
To configure protection settings for a packet-anomaly type
1. In the Configuration perspective Security Settings tab navigation pane, select Packet
Anomaly.
2. Double-click the relevant row.
3. Configure the parameters, and then, click OK.
For more information about packet anomalies and their default configurations, see Table 68 -
Default Configuration of Packet Anomaly Types, page 136.
Table 67: Packet Anomaly Protection Parameters
ID (Read-only) The ID number for the anomaly protection. The ID is a
Radware ID that appears in the trap sent to APSolute Vision Security logs.
Protection Name (Read-only) The name of the packet-anomaly protection.
Action The action that the device takes when the packet anomaly is detected.
The action is only for the specified anomaly.
Values:
DropThe device discards the anomalous packets.
ReportIf the device cannot handle the anomaly type, the packet
bypasses the rest of the device modules, and the device issues a
trap. If the device can handle the anomaly type, the packet goes
to the rest of the device modules, and the device issues a trap.
No ReportIf the device cannot handle the anomaly type, the
packet bypasses the rest of the device modules. If the device can
handle the anomaly type, the packet goes to the rest of the device
modules.
Note: Click Drop All to set the action for all anomaly types to Drop.
Click Report All to set the action for all anomaly types to
Report. Click No Report All to set the action for all anomaly
types to No Report.
Risk The risk associated with the trap for the specific anomaly.
Values: Info, Low, Medium, High
Default: Info.
Table 68: Default Configuration of Packet Anomaly Types
Anomaly Type Description
Unrecognized L2 Format
1
Packets with more than two VLAN tags or MPLS labels, L2 broadcast,
or L2 multicast traffic.
ID: 100
Default Action: No Report
Default Risk: Info
Incorrect IPv4 Checksum
1
The IP packet header checksum does not match the packet header.
ID: 103
Default Action: Drop
Default Risk: Info
Invalid IPv4 Header or
Total Length
The IP packet header length does not match the actual header length,
or the IP packet total length does not match the actual packet length.
ID: 104
Default Risk: Info
Note: All DefensePro platforms support this anomaly type.
TTL Less Than or Equal to
1
1
The TTL field value is less than or equal to 1.
ID: 105
Default Action: Report
Default Risk: Info
Table 67: Packet Anomaly Protection Parameters
Inconsistent IPv6 Headers Inconsistent IPv6 headers.
ID: 107
Default Risk: Info
IPv6 Hop Limit Reached
1
IPv6 hop limit is not be greater than 1.
ID: 108
Default Action: Report
Default Risk: Info
Unsupported L4 Protocol
1
Traffic other than UDP, TCP, ICMP, or IGMP.
ID: 110
Default Action: No Report
Default Risk: Info
Invalid TCP Header Length The TCP header length is not greater than or equal to 20 bytes.
ID: 112
Default Risk: Info
Invalid TCP Flags
1
The TCP flags combination is not according to the standard.
ID: 113
Default Risk: Info
Invalid UDP Header
Length
1
The UDP header length is less than eight bytes.
ID: 116
Default Risk: Info
Source or Dest. Address
same as Local Host
The IP packet source address or destination address is equal to the
local host.
ID: 119
Default Risk: Info
Configuring Global DNS Flood Protection
DNS Flood Protection, which you can use in your network-protection policy, defends your network
from zero-day DNS-flood attacks. These attacks fill available DNS bandwidth with irrelevant traffic,
denying legitimate users DNS lookups. The attacks originate in the public network and threaten
Internet-connected organizations.
The DNS Flood profiles detect traffic anomalies and prevent zero-day, unknown, DNS flood attacks
by identifying the footprint of the anomalous traffic.
DNS Flood Protection types can include the following DNS query types:
A
MX
PTR
AAAA
Text
SOA
NAPTR
SRV
Other
DNS Flood Protection can detect statistical anomalies in DNS traffic and generate an accurate attack
footprint based on a heuristic protocol information analysis. This ensures accurate attack filtering
with minimal risk of false positives. The default average time for a new signature creation is between
10 and 18 seconds. This is a relatively short time, because flood attacks can last for minutes and
sometimes hours.
Before you configure DNS Flood Protection profiles, ensure that DNS Flood Protection is enabled. You
can also change the default global device settings for DNS Flood Protection. The DNS Flood
Protection global settings apply to all the network protection-policy rules with DNS Flood profiles on
the device.
Source Address same as
Dest. Address (Land
Attack)
The source IP address and the destination IP address in the packet
header are the same. This is referred to as a LAND, Land, or LanD
attack.
ID: 120
Default Risk: Info
L4 Source or Dest. Port
Zero
The Layer 4 source port or destination port equals zero.
ID: 125
Default Risk: Info
1 This parameter is available only on OnDemand Switch 3 platforms with the hardware-based
mitigator component.
To enable DNS Flood Protection and configure global settings
1. In the Configuration perspective Security Settings tab navigation pane, select DNS Flood
Protection.
Table 69: DNS Flood Protection Global Parameters
Basic Parameters
Enable DNS Flood Protection Specifies whether DNS Flood Protection is enabled.
take effect.
Learning Response Period The initial period from which baselines are primarily weighted.
The default and recommended learning response period is one week.
If traffic rates legitimately fluctuate (for example, TCP or UDP traffic
baselines change more than 50% daily), set the learning response to
one month. Use a one day period for testing purposes only.
Default: Week
Footprint Strictness When DefensePro detects a new attack, the DNS Flood Protection
module generates an attack footprint to block the attack traffic. If
DefensePro is unable to generate a footprint that meets the footprint-
strictness condition, the device issues a notification for the attack but
does not block it. The higher the strictness, the more accurate the
footprint. However, higher strictness increases the probability that
the device cannot generate a footprint.
Values:
HighEnforces at least three Boolean ANDs and no other
Boolean OR value in the footprint. This level lowers the
probability for false positives but increases the probability for
false negatives.
MediumEnforces at least two Boolean ANDs and no more than
two additional Boolean OR values in the footprint.
LowAllows any footprint suggested by the DNS Flood Protection
module. This level achieves the best attack blocking, but
increases the probability of false positives.
Note: Table 70 - DNS Footprint Strictness Examples, page 141
shows examples of footprint strictness requirements.
Mitigation Actions
When the protection is enabled and the device detects that a DNS-flood attack has started, the
device implements the Mitigation Actions in escalating orderin the order that they appear in the
group box. If the first enabled Mitigation action does not mitigate the attack satisfactorily (after a
certain Escalation Period), the device implements the next more-severe enabled Mitigation Action
and so on. As the most severe Mitigation Action, the device always implements the Collective Rate
Limit, which limits the rate of all DNS queries to the protected server.
Enable Signature Challenge Specifies whether the device challenges suspect DNS queries that
match the real-time signature.
Default: Enabled
Note: DefensePro challenges only A and AAAA query types.
Enable Signature Rate Limit Specifies whether the device limits the rate of DNS queries that
match the real-time signature.
Default: Enabled
Enable Collective Challenge Specifies whether the device challenges all unauthenticated DNS
queries to the protected server.
Default: Enabled
Note: DefensePro challenges only A and AAAA query types.
Enable Collective Rate Limit (Read-only) The device limits the rate of all DNS queries to the
protected server.
Value: Enabled
Advanced Parameters
These settings affect periodic attack behavior. The settings are used to effectively detect and block
these attack types.
Traffic in Analysis State
stays below the hard-coded threshold in the Analysis state. When the
Values:
immediately.
130
Default: 0
Traffic in Blocking State
stays below the hard-coded threshold in the Blocking state. When the
Values:
immediately.
1300
Default: 10
Note: There is no typical use case for reducing the value from the
default.
Configuring DNS Footprint Bypass
You can define footprint bypass types and values that will not be used as part of a real-time
signature. The types and values not be used in OR or in AND operations within the blocking rule
(real-time signature) even when the protection-engine suggests that the traffic is a real-time
signature candidate.
To configure DNS footprint bypass
Protection > DNS Footprint Bypass.
2. From the Footprint Bypass Controller list, select the DNS query type for which you want to
configure footprint bypass, and click Go. The table displays the bypass fields for the selected
DNS query type.
3. To edit bypass type settings, double-click the corresponding row.
4. Configure the footprint bypass parameters for the selected bypass field; and then, click OK.
Traffic in Anomaly or Non-
Strictness State
stays below the hard-coded threshold in the Anomaly state or the
Non-strictness state. When the time elapses, DefensePro declares
the attack to be terminated.
Values:
immediately.
1300
Default: 10
Enable DNS Protocol
Compliance Checks
only when the SDM table is
enabled.)
Specifies whether the device checks each DNS query for DNS
protocol compliance and drops the non-compliant queries.
Default: Disabled
Table 70: DNS Footprint Strictness Examples
Footprint Example Strictness Level
Low Medium High
DNS Query Yes No No
DNS Query AND DNS ID Yes Yes No
DNS Query AND DNS ID AND Packet Size Yes Yes Yes
Configuring Early Blocking of DNS Traffic
Caution: Modifying the values exposed in the Early Blocking of DNS Traffic feature may impair
the accuracy of the DNS-Flood-attack footprint that DefensePro generates.
When DefensePro detects a new DNS-flood attack (by default, after 10 seconds), the device
generates a DNS-flood-attack footprint and then blocks or drops the relevant flood traffic.
In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start
blocking as soon as possible, even if accuracy is compromised. Using Early Blocking of DNS Traffic,
you can configure thresholds for generating DNS-flood-attack footprints, which shorten the time to
start blocking the relevant traffic.
DefensePro generates each footprint using values from fields in the packet header (for example:
Sequence Number, Checksum, and IP ID). The values from fields in the packet header characterize
the attack.
Table 71: DNS Footprint Bypass Parameters
Footprint Bypass
Controller
(Read-only) The selected DNS query type for which you are configuring
footprint bypass.
Bypass Field (Read-only) The selected Bypass Field to configure.
Bypass Status The bypass option.
Values:
BypassThe DNS Flood Protection module bypasses all possible
values of the selected Bypass Field when generating a footprint.
AcceptThe DNS Flood Protection module bypasses only the
specified values (if such a value exists) of the selected Bypass Field
when generating a footprint.
Bypass Values Used if the value of the Bypass Status parameter is Accept. DNS Flood
Protection bypasses only the values of a selected Bypass Type, while it
may use all other values. These values vary according to the Bypass Field
selected. The values in the field must be comma-delimited.
The thresholds that you can configure for the protection to change from the Analysis state to the
Blocking state are Packet-header fields or Packet-header-field values:
The Packet-header fields threshold is the anomalously distributed packet-header fields that the
DefensePro device must detect to generate a footprint and start early blocking prior to the
default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.) You
can define either the number of packet-header fields, or the specific fields that the DefensePro
device must detect. For more information, see Selecting Packet Header Fields for Early Blocking
of DNS Traffic, page 144.
The Packet-header-field values threshold is the number of anomalous packet-header-field values
that the DefensePro device must detect to generate a footprint and start early blocking.
Note: The threshold (that is, the packet-header fields or number of packet-header fields)
cannot conflict with the Footprint Strictness level. You cannot change the specified
Footprint Strictness to one that is lower than the strictness necessary for the DNS Flood
Protection mechanism to operate properly. Likewise, you cannot configure fewer packet-
header fields than the specified strictness level requires for the DNS Flood Protection
mechanism to operate properly.
To configure early blocking for DNS Flood Protection
BDoS Protection > DNS Early Blocking.
2. To modify a protection type for early blocking, double-click the row.
Table 72: DNS Early Blocking Parameters
blocking.
Any Packet Header Field When selected, DefensePro blocks DNS traffic early based on the
specified number of packet-header fields and number of packet-
header-field values thresholds.
Clear the selection to use specific packet header fields that you select
in the DNS Packet Header table.
Any Packet Header Field
Threshold
The number of anomalous packet-header fields that DefensePro must
detect to generate a footprint and start early blocking.
Values: 030
Default: 21
Packet Header Field Values The number of anomalous packet-header-field values that
DefensePro must detect to generate a footprint and start early
blocking.
The number of packet-header-field values must not be less than the
specified packet-header field threshold.
Values: 11000
Default 500
Selecting Packet Header Fields for Early Blocking of DNS Traffic
You can select specific packet header fields be included in the set of specific packet headers that the
DefensePro device must detect to generate a footprint and start early blocking.
To select packet header fields for early blocking
Protection > Packet Header.
2. From the Protection Type drop-down list, select the protection type and click Go. The DNS
Packet Header table displays the relevant packet header fields.
3. To change the early blocking enabling setting for a field, double-click the row, change the setting
in the dialog box, and click OK.
Managing the Network Protection Policy
The network-protection policy protects your configured networks using protection profiles.
Individual network protection rules make up the network-protection policy. Each rule uses one or
more protection profiles that are applied on a predefined network segment. In addition, each rule
includes the action to take when an attack is detected.
There are two main types of network protections, Intrusion Preventions (see Table 74 - Intrusion
Prevention Protections, page 144) and Denial of Service protection (see Table 75 - Denial of Service
Protections, page 144).
Table 73: DNS Packet Header Field Parameters
blocking.
Packet Header Field (Read-only) The packet header field.
Enable Early Blocking
Condition
When selected, the packet header is included in the set of specific
packet headers that DefensePro must detect to generate a footprint
and start early blocking.
Table 74: Intrusion Prevention Protections
Protection Description
Signatures Prevents known application vulnerabilities, exploitation attempts, and
protects against known DoS/DDoS flood attacks.
Anti-Scanning Prevents zero-day self-propagating network worms, horizontal scans,
and vertical scans.
Table 75: Denial of Service Protections
Behavioral DoS Detects and prevents zero-day DoS/DDoS flood attacks.
Connection Limit Protects against connection flood attacks.
Before you configure rules and profiles for the network-protection policy, ensure that you have
enabled all the required protections and configured the corresponding global protection parameters
in the Security Settings tab.
Configuring the Network Protection Policy
Each rule in a network-protection policy consists of two parts:
The classification that defines the protected network segment.
The action to be applied when an attack is detected on the matching network segment. The
action defines the protection profiles to be applied to the network segment, and whether the
malicious traffic should be blocked. Malicious traffic is always reported.
Before you configure a rule, ensure that you have configured the following:
The Classes that will be required to define the protected network segment. For more
information, see Managing Classes, page 221.
The Network Protection profiles. For more information see:
Configuring Signature Protection for Network Protection, page 149
Configuring BDoS Profiles for Network Protection, page 168
Configuring Anti-Scanning Protection for Network Protection, page 170
Configuring Connection Limit Profiles for Network Protection, page 173
Configuring SYN Profiles for Network Protection, page 177
Configuring Connection PPS Limit Profiles for Network Protection, page 182
Configuring DNS Protection Profiles for Network Protection, page 184
Caution: When you configure the policy, APSolute Vision stores your configuration changes, but
it does not download your configuration changes to the device. To apply changes onto
the device, you must activate the configuration changes.
To configure a network-protection rule
1. In the Configuration perspective Network Protection tab navigation pane, select Network
Protection Rules.
2. To add or modify a network-protection rule, do one of the following:
To add an entry to the table, click the (Add) button.
To edit an entry in the table, double-click the entry.
SYN Protection Prevents SYN flood attacks using SYN cookies.
Connection PPS Limit Protects against DoS attacks that use a high PPS rate in a certain
connection.
DoS Shield Protects against known flood attacks and flood attack tools that cause a
denial of service effect.
DNS Protection Detects and prevents zero-day DNS-flood attacks.
Table 75: Denial of Service Protections
3. Configure the network-protection rule parameters; and then, click OK.
4. To activate your configuration changes on the device, click Activate Latest Changes.
Tip: You can update all configuration policies on the device in a single operation. For more
information, see Updating Policy Configurations on a DefensePro Device, page 246.
Table 76: Network Protection Rule Parameters
Basic Parameters
Enabled Specifies whether the rule is enabled.
Rule Name The name of the network-protection rule.
Classification
SRC Network The source of the packets that the rule uses.
Values:
A Network class displayed in the Classes tab
An IP address
any
DST Network The destination of the packets that the rule uses.
Values:
An IP address
any
Port Group The Physical Port class or physical port that the rule uses.
Values:
A Physical Port class displayed in the Classes tab
The physical ports on the device
None
Direction The direction of the traffic to which the rule relates.
Values:
One WayThe protection applies to sessions originating from
sources to destinations that match the network definitions of the
policy.
Two WayThe protection applies to sessions that match the network
definitions of the policy regardless of their direction.
Default: One Way
VLAN Tag Group The VLAN Tag class that the rule uses.
Values:
A VLAN Tag class displayed in the Classes tab
None
Note: If you specify a VLAN group, you cannot specify an MPLS RD
group.
MPLS RD Group The MPLS route distinguisher (RD) class that the rule uses. The device
dynamically associates the MPLS tag value with configured MPLS RD
values installed between P and PE routers in the providers MPLS
backbone.
Values:
An MPLS RD class displayed in the Classes tab
None
Note: If you specify a MPLS RD group, you cannot specify an VLAN
group.
Action
Protection Profile (Displayed in the table) The profile to be applied to the network segment
defined in this rule.
BDoS Profile The BDoS profile to be applied to the network segment defined in this
rule.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
DNS Profile The DNS Protection profile to be applied to the network segment defined
in this rule.
Anti Scanning Profile The Anti-Scanning profile to be applied to the network segment defined
in this rule.
Signature Protection
Profile
The Signature Protection profile to be applied to the network segment
Connection Limit Profile The Connection Limit profile to be applied to the network segment
SYN Flood Profile The SYN Flood profile to be applied to the network segment defined in
this rule.
Connection PPS Limit
Profiles
The Connection PPS Limit profile to be applied to the network segment
Web Quarantine
(This parameter is
available only in devices
with an SME.)
Specifies whether the device quarantines all outbound Web traffic from
internal hosts in the destination segment in the network policy after
matching a signature configured with Web-quarantine option enabled
(Network Protection tab > Signature Protection > Signatures > Web
Quarantine Option).
To enable this option, the value for the Direction field must be Two
Way.
Values: Enable, Disable
Default: Disable
Note: For more information, see Configuring Signature Protection
Signatures, page 151 and Configuring Web Quarantine Actions
and Quarantined Sources, page 163.
Action The default action for all attacks under this policy. Values:
Block and ReportThe malicious traffic is terminated and a security
event is generated and logged.
Report OnlyThe malicious traffic is forwarded to its destination and
a security event is generated and logged.
Default: Block and Report
Note: Signature-specific actions override the default action for the
policy.
Packet Reporting and Trace Setting
Packet Reporting Specifies whether the device sends sampled attack packets to APSolute
Vision for offline analysis.
Default: Disabled
effect, the global setting must be enabled (Configuration
perspective > Advanced Parameters > Security
Reporting Settings > Enable Packet Reporting).
Packet Reporting
Configuration on Policy
Takes Precedence
Specifies whether the configuration of the Packet Reporting feature here,
on this policy rule takes precedence over the configuration of the Packet
Reporting feature in the associated profiles.
Packet Trace Specifies whether the DefensePro device sends attack packets to the
specified physical port.
Default: Disabled
Reporting Settings > Enable Packet Trace). In addition,
a change to this parameter takes effect only after you
update policies.
Packet Trace
Configuration on Policy
Takes Precedence
Specifies whether the configuration of the Packet Trace feature here, on
this policy rule, takes precedence over the configuration of the Packet
Trace feature in the associated profiles.
Caution: A change to this parameter takes effect only after you
update policies.
Configuring Signature Protection for Network Protection
Note: Signature Protection is not available in DefensePro models running on the OnDemand
Switch 3 S1 platform.
Signature Protection detects and prevents network-oriented attacks, Operation System (OS)
oriented attacks and application-oriented attacks by comparing each packet to the set of signatures
stored in the Signatures database.
The attacks handled by this protection can be divided into the following groups:
Server-based vulnerabilities:
Web vulnerabilities
Mail server vulnerabilities
FTP server vulnerabilities
SQL server vulnerabilities
DNS server vulnerabilities
SIP server vulnerabilities
Worms and viruses
Trojans and backdoors
Client-side vulnerabilities
IRC bots
Spyware
Phishing
Anonymizers
Configuration Considerations with Signature Protection
You can configure Signature Protection using Radware Security Operations Center (SOC) signature
profiles or using user-defined signature profiles.
Radware recommends that you configure policies containing Signature Protection profiles using
Networks with Source = Any, the public network, and Destination = Protected Network. You can
configure policies to use VLAN tags, application ports, physical ports, and MPLS RDs.
For implications of direction settings for rules and protections, see Table 77 - Implications of Policy
Directions, page 150.
Policies containing Signature Protection profiles can be configured with Direction set to either One
Way or Two Way.
Protections can be configured with the Direction values Inbound, Outbound, or In-Outbound.
While most of the attacks (such as worm infections) are detected through their inbound pattern,
some attacks require inspecting outbound patterns initiated by infected hosts. For example, trojans
require inspecting outbound patterns initiated by infected hosts.
Policies configured with Source = Any and Destination = Any inspect only In-Outbound attacks.
Radware provides you with a set of predefined signature profiles for field installation, such as
Corporate Gateway, DMZ and LAN protections, Carrier links protections, and so on. Radware profiles
are continuously updated along with the weekly signature database maintained by the Radware
SOC. You cannot edit Radware signature profiles.
Configuring Signature Protection Profiles
A Signature Protection profile contains one or more rules for the network segment you want to
protect. Each rule defines a query on the Signatures database. DefensePro activates protections
from the signature database that comply with the set of rules. The user-defined profile is updated
each time you download an updated Signatures database.
Each rule in the profile can include one or more entries from the various attribute types.
Rules define a query on the Signatures database based on the following logic:
Values from the same type are combined with logical OR.
Values from different types are combined with logical AND.
The rules are combined in the profile with a logical OR.
Note: Rules in the profile are implicit. That is, when you define a value, all signatures that
match a specific selected attribute plus all the signatures that have no attribute at all.
This logic ensures that signatures that may be relevant to the protected network are
includedeven if they are not associated explicitly (by SOC) with the application in the
network.
To configure Signature Protection profiles, IPS protection must be enabled and global DoS Shield
parameters must be configured. For more information, see Configuring Global Signature Protection,
page 119 and Configuring DoS Shield Protection, page 119.
To configure Signature Protection profiles
1. In the Configuration perspective Network Protection tab navigation pane, select Signature
Protection > Profiles.
To add a profile, click the (Add) button, and enter a profile name.
To edit a profile, double-click the entry in the table.
To display the list of signatures associated with the configured protections for the profile,
double-click the entry in the table; and then, click Show Matching Signatures.
Table 77: Implications of Policy Directions
Policy Direction Policy Action Packet
Direction
Signature Direction
Inbound Outbound Inbound or
Outbound
From To One way Ex to in Inspect Ignore Inspect
In to ex Ignore Inspect Ignore
From To Two way Ex to in Inspect Ignore Inspect
In to ex Ignore Inspect Inspect
Any to any N/A N/A Ignore Ignore Inspect
3. To add a rule:
a. In the rules table, right-click and select, Add New Signature Profile.
b. Enter a profile name, and select an attribute and its value.
c. Click OK. The new rule is displayed in the rule table. You can now add more attributes to the
rule, and add more values to existing rule attributes.
4. To add an attribute to an existing rule:
a. In the rules table, right-click the rule, and select Add Attribute Type.
b. Select an attribute and its value.
c. Click OK. The new attribute is displayed in the rule.
5. To add a value to an existing rule attribute:
a. In the rules table, right-click the rule attribute, and select Add Attribute Value.
b. Select a value for the attribute.
c. Click OK. The new attribute value is displayed in the rule.
6. To save the signature profile configuration, click OK.
Configuring Signature Protection Signatures
A signature is a building block of the protection profile. Each signature contains one or more
protection filters and attributes that determine which packets are malicious and how they are
treated.
Signature settings parameters define how malicious packets are tracked and treated once their
signature is recognized in the traffic. Each attack is bound to a tracking function that defines how
the packet is handled when it is matched with a signature. The main purpose of these functions is to
determine whether the packet is harmful and to apply an appropriate action.
Table 78: Signature Profile Parameters
Profile Name The name of the signature profile. For a new profile, enter a profile
name.
Show Matching Signatures This button appears only when editing a profile. Click to display the
list of signatures associated with the configured protections for the
profile.
Signature Profile Rules Table
The table displays details of the configured rules for the selected profile. Each rule can contain
more than one attribute type, and each attribute type can contain one or more attribute values.
Rule Name The name of the signature profile rule.
Note: This field is read-only when adding an attribute type or
attribute value.
Attribute Type Select from the list of predefined attribute types, which are based
on the various aspects taken into consideration when defining a
new attack.
Attribute Value Select the value for the defined attribute type.
The Signatures table provides you with filters that allow viewing Radware and user-defined
signatures. You can define filtering criteria, so that all signatures that match the criteria are
displayed in the Signatures table. You can also add user-defined signatures.
Note: You can edit and remove only user-defined signatures. For Radware-defined signatures,
you can edit the general parameters only.
To view Signature Protection signatures
Protection > Signatures.
2. To view all signatures, do one of the following:
Click Filter by ID, then click Go.
Click Filter by Attribute, select All Signatures in the Display list, then click Go.
3. To view user-defined signatures, click Filter by Attribute, select User Signatures in the
Display list, then click Go.
4. To filter the signatures for display:
To filter by ID, click Filter by ID, enter the required ID number and click Go.
To filter by attribute, click Filter by Attribute, configure the following parameters and click
Go.
To configure Signature Protection signatures
Protection > Signatures.
2. To add or edit a signature, do one of the following:
To add a signature, click the (Add) button.
To edit a signature, display the required signature, then double-click the signature.
Display Specifies which sets of signatures to display.
Values:
User SignaturesUser-defined signatures. You can edit and
remove these signatures.
Static SignaturesRadware-defined signatures. You can edit
only the general parameters of these signatures.
All SignaturesUser-defined and Radware-defined signatures.
Attribute Type Select from the list of predefined attribute types, which are based
on the various aspects taken into consideration when defining a
new attack.
Attribute Value Select the value for the defined attribute type.
Table 79: Signature Parameters
Signature Name The name of the signature, up to 29 characters.
Signature ID (Read-only) The ID assigned to the signature by the system.
Enabled Specifies whether the signature can be used in protection profiles.
Tracking Time The time, in milliseconds, for measuring the Active Threshold. When a
number of packets exceeding the threshold passes through the device
within the configured Tracking Time period, the device recognizes it as an
attack.
Default: 1000
Tracking Type Defines how the device determines which traffic to block or drop when
under attack.
Values:
Destination CountSelect this option when the defined attack is
destination-basedthat is, the hacker is attacking a specific
destination such as a Web server, for example, Ping Floods or DDoS
attacks.
DHCP
Drop All Select this option when each packet of the defined attack is
harmful, for example, Code Red and Nimda attacks.
Fragments
FTP Bounce
Land Attack
ncpsdcan
SamplingSelect this option when the defined attack is based on
sampling, that is a DoS Shield attack.
Source and Destination CountSelect this option when the attack
type is a source and destination-based attackthat is, the hacker is
attacking from a specific source IP to a specific destination IP
address, for example, Port Scan attacks.
Source CountSelect this option when the defined attack is source-
basedthat is, the attack can be recognized by its source address,
for example, a Horizontal Port Scan, where the hacker scans a certain
application port (TCP or UDP) to detect which servers are available in
the network.
Default: Drop All
Action Mode The action taken when an attack is detected.
Values:
DropThe packet is discarded.
Report OnlyThe packet is forwarded to the defined destination.
Reset SourceSends a TCP-Reset packet to the packet source IP
address.
Reset DestinationSends a TCP-Reset packet to the destination
address.
Reset BidirectionalSends a TCP-Reset packet to both the packet
source IP and the packet destination IP address.
Default: Drop
Suspend Action Specifies which session traffic the device suspends for the duration of the
attack.
Values:
NoneThe suspend action is disabled for this attack.
Source IPAll traffic from the IP address identified as the source of
this attack, is suspended.
Source IP and Destination IPTraffic from the IP address identified as
the source of this attack to the destination IP under attack, is
suspended.
Source IP and Destination PortTraffic from the IP address identified
as the source of this attack to the application (destination port) under
attack, is suspended.
Source IP, Destination IP and PortTraffic from the IP address
identified as the source of this attack to the destination IP and port
under attack, is suspended.
Source IP and Port, Destination IP and Port Traffic from the IP
address and port identified as the source of this attack to the
destination IP and port under attack, is suspended.
Direction The protection inspection path. The protections can inspect the incoming
traffic only, the outgoing traffic only, or both.
Values: Inbound, Outbound, Inbound & Outbound
Default: Inbound & Outbound
Activation Threshold The maximum number of attack packets allowed in each Tracking Time
unit. Attack packets are recognized as legitimate traffic when they are
transmitted within the Tracking Time period.
When the value for Tracking Type is Drop All, the DefensePro device
ignores this parameter.
Default: 50
Drop Threshold After an attack has been detected, the device starts dropping excessive
traffic only when this threshold is reached. This parameter is measured in
PPS.
When the value for Tracking Type is Drop All., the DefensePro device
Default: 50
Termination Threshold When the attack PPS rate drops below this threshold, the device changes
the attack from active mode to inactive mode.
When the value for Tracking Type is Drop All., the DefensePro device
Default: 50
Packet Reporting Enables the sending of sampled attack packets to APSolute Vision for
further offline analysis.
Default: Disabled
Exclude Source IP
Address
The source IP address or network whose packets the device does not
inspect.
Default: None
Table 80: Signature Filter Parameters
Exclude Destination IP
Address
The destination IP address or network whose packets the device does not
inspect.
Default: None
Default: Disabled
a change to this parameter takes effect only after you update
policies.
Web Quarantine Option
(This parameter is
available only in
devices with an SME.)
Specifies whether the device can quarantine all Web traffic from internal
hosts after matching this signature.
To enable this option:
The value for the Direction field must be Inbound & Outbound.
The value for the Tracking Type field must be Drop All.
Default: Disable
Caution: The device implements this option for the signature only
when the Web Quarantine checkbox in the Network Policy
(Network Protection tab > Network Protection Rules) is
selected also.
Filters Table Filters are components of a protection, each containing one specific attack
signature, that scan and classify predefined traffic. Filters match scanned
packets with attack signatures in the Signatures database.
For each custom protection, you define custom filters. You cannot use
filters from other protections when customizing protection definitions.
To add a filter, right-click and select Add New Filter.
To edit a filter, right-click and select Edit Filter.
Note: For more information, see Signature Filter Parameters,
page 155.
Attributes Table The attributes that you select for the signature determine the attack
characteristics used in the rule creation process.
To add an attribute value, right-click in the table; and then, select Add
New Attribute Value.
Basic Parameters
Each filter has a specified name and specified protocol-properties parameters.
Filter Name The name of the signature filter.
Protocol The protocol used.
Values:
ICMP
ICMPv6
IP
Non IP
TCP
UDP
Default: IP
Source Application Port For UDP and TCP traffic only.
Select from the list of predefined Application Port Groups.
Destination Application
Port
For UDP and TCP traffic only.
Select from the list of predefined Application Port Groups.
Packet Parameters
Packet parameters are used to match the correct packet length in different layers.
Packet Size Type Specifies whether the length is measured for Layer 2, Layer 3, Layer 4 or
Layer 7 content.
Values:
L2The complete packet length is measured, including Layer 2
headers.
L3The Layer 2 data part of the packet is measured (excluding the
Layer 2 headers).
L4The Layer 3 data part of the packet is measured (excluding the
Layer 2/Layer 3 headers).
L7The L4 data part of the packet is measured (excluding the
Layer 2/Layer 3/Layer 4 headers).
None
Default: None
Packet Size Length The range of values for packet length.
Notes:
>> The size is measured per packet only.
>> The size is not applied on reassembled packets.
>> Fragmentation of Layer 4Layer 7 packets may result in tails that
do not contain the Layer 4Layer 7 headers. The check is
bypassed, as no match with Type = L4L7 is detected.
OMPC Parameters
Offset Mask Pattern Condition (OMPC) parameters are a set of attack parameters that define rules
for pattern lookups. The OMPC rules look for a fixed size pattern of up to four bytes that uses fixed
offset masking. This is useful for attack recognition, when the attack signature is a TCP/IP header
field or a pattern in the data/payload in a fixed offset.
OMPC Condition The OMPC condition.
Values:
Equal
Greater Than
Not Applicable
Less Than
Not Equal
Default: Not Applicable
OMPC Length The length of the OMPC (Offset Mask Pattern Condition) data:
Values:
Not Applicable
1 Byte
2 Bytes
3 Bytes
4 Bytes
Default: 1 Byte
OMPC Offset The location in the packet from where data checking starts looking for
specific bits in the IP/TCP header.
Values: 01513
Default: 0
OMPC Offset Relative to Specifies to which OMPC offset the selected offset is relative.
Values:
None
IP Header
IP Data
L4 Data
L4 Header
Ethernet
Default: None
OMPC Pattern The fixed size pattern within the packet that OMPC rules attempt to find.
Values: A combination of hexadecimal numbers (09, af). The value is
defined by the OMPC Length parameter.
The OMPC Pattern definition contain eight symbols. When the OMPC
Length is less than four bytes, complete it with zeros.
For example, when the OMPC Length is two bytes, the OMPC Pattern can
be abcd0000.
Default: 00000000
OMPC Mask The mask for the OMPC data.
Values: A combination of hexadecimal numbers (09, af). The value is
defined by the OMPC Length parameter.
The OMPC Mask definition contains eight symbols. When the OMPC Length
value is less than four bytes, complete it with zeros.
For example, When the OMPC Length is two bytes, the OMPC Mask can be
abcd0000.
Default: 00000000
Content Parameters
The Content parameters define the rule for a text/content string lookup for attack recognition,
when the attack signature is a text/content string within the packet payload. The Content
parameters are available only for TCP, UDP and ICMP protocols.
Content Type Enables you to search for a specific content type, which you select from a
long list.
For the list of valid values, see Table 81 - Content Types, page 159.
Default: N/AThe device will not filter the content based on type.
Content Encoding Application Security can search for content in languages other than
English, for case-sensitive or case-insensitive text, and hexadecimal
strings.
Values:
Not Applicable
Case Insensitive
Case Sensitive
Hex
International
Note: The value of this field corresponds to the Content Type
parameter.
Content The value of the content search, except for HTTP headers, cookies, and
FTP commands.
Values: <space> ! " # $ % & ' ( ) * + , -. / 0 1 2 3 4 5 6 7 8 9 : ; < = > ?
@ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d
e f g h i j k l m n o p q r s t u v w x y z { | } ~
Content Offset The location in the packet from which the content is checked. The offset
location is measured from the beginning of the UDP or TCP header.
Values: 065,535
Default: 0
Content Max Length The maximum length to be searched within the selected Content Type.
Values: 065,535
Default: 0
Note: The Content Max Length value must be equal to or greater than
the Offset value.
The following table describes the Content types that you can configure the device to examine as part
of the attack signature.
Content Data Encoding Application Security can search for data in languages other than English,
for case-sensitive or case-insensitive data, and hexadecimal strings.
Values:
Not Applicable
Case Insensitive
Case Sensitive
HEX
International
parameter.
Content Data The content type for the content search.
Values:
HTTP HeaderThe value of the HTTP Header. The header is defined
by the Content field.
CookieThe cookie value. The cookie is defined by the Content field.
FTP CommandThe FTP command arguments. The FTP command is
defined by the Content field.
Distance Range A range that defines the allowable distance between two content
characters. When the distance exceeds the specified range, it is
recognized as an attack.
Regular Expression
Content
Specifies whether the Content Data field value is formatted as a regular
expression (and not as free text to search). You can set a regex search for
all content types.
Regular Expression
Content Data
Specifies whether the Content Data value is formatted as a regular
expression (and not as free text to search).
Table 81: Content Types
Content Type Description
Cookie HTTP cookie field. The Content field includes the cookie name, and the
Content Data field includes the cookie value.
DCE-RPC Distributed Computing Environment/Remote Procedure Calls.
File Type The requested file type in the HTTP GET command (JPG, EXE, and so on).
FTP Command Parses FTP commands to commands and arguments, while normalizing
FTP packets and stripping Telnet opcodes.
FTP Content Scans data transmitted using FTP, normalizes FTP packets and strips
Telnet opcodes.
Header Field HTTP Header field. The Content field includes the header field name, and
the Content Data field includes the field value.
Host Name In the HTTP header.
HTTP Reply Data The data of the HTTP reply. This is available only in devices with an SME.
Configuring Signature Protection Attributes
Attributes are components of the protection rules set in the process of rule-based profile
configuration. Attributes are organized according to types based on the various aspects taken into
consideration when defining a new attack, such as environment, applications, threat level, risk levels
and so on.
Each signature is assigned with attributes in different types. The Radware Security Operation Center
(SOC) assigns the attributes when creating the signature creation as a way to describe the signature
in attribute types.
You can use the existing attributes, add new attributes, or remove attributes from the list.
Note: You can view properties of attribute types, and for the attribute types Complexity,
Confidence, and Risk you can also specify the Match Method (Minimum or Exact). For
more information, see Viewing and Modifying Attribute Type Properties, page 162.
HTTP Reply Header The header of the HTTP reply. This is available only in devices with an
SME.
Mail Domain In the SMTP header.
Mail From In the SMTP header.
Mail Subject In the SMTP header.
Mail To In the SMTP header.
MM7 File Attachment The file associated with the MM7 request.
MM7 Request The request for an MM7 Error message.
Normalized URL To avoid evasion techniques when classifying HTTP requests, the URL
content is transformed into its canonical representation, interpreting the
URL the same way the server would.
The normalization procedure supports the following:
Directory referencing by reducing /./ into / or A/ B/ . . / to A/ .
Changing backslash (\ ) to slash (/ ).
Changing HEX encoding to ASCII characters. For example, the hex
value %20 is changed to a space.
Unicode support, UTF-8 and IIS encoding.
POP3 User User field in the POP3 header.
RPC Reassembles RPC requests over several packets.
RPC RFC 1831 standard provides a feature called Record Marking
Standard (RM). This feature is used to delimit several RPC requests sent
on top of the transport protocol. For a stream-oriented protocol (like TCP),
RPC uses a kind of fragmentation to delimit between records. In spite of
its original purpose, fragmentation may also divide records in the middle,
not only at their boundaries. This functionality is used to evade IPS
systems.
Text Anywhere in the packet.
URI Length Length of the URI packet in bytes.
URL The HTTP Request URI. No normalization procedures are taken.
Table 81: Content Types
Content Type Description
Attributes are derived from the Signatures database and are added dynamically with any update.
For information about attribute types and their system values, see Table 81 - Content Types, page
161.
To configure Signature Protection attributes
Protection > Attributes.
2. To view attributes:
To view all attributes, select All and click Go.
To view attributes for a single attribute type, select the attribute type and click Go.
3. To add a new attribute:
a. Click the (Add) button.
b. Select the attribute type, and enter the attribute name.
c. Click OK.
Table 82: Attribute Types
Attribute Type Description
Applications The applications that are vulnerable to this exploit.
Examples: Web servers, mail servers, browsers
The parameter is optional; that is, the attribute may or may not contain a
value.
There can be multiple values.
Complexity The level of analysis performed as part of the attack lookup mechanism.
There can be only a single value for the parameter.
Values:
LowThis signature has negligible impact on device performance.
HighThis signature has stronger impact on the device
performance.
Confidence The level of certainty to which an attack can be trusted. The confidence
level is the opposite of the false-positive level associated with an attack.
For example, if an attacks confidence level is set to high, its false-
positive level is low.
The parameter is mandatory.
Values: Low, High, Medium
Groups Enables you to create customized attack groups.
Platforms The operating systems that are vulnerable to this exploit.
Examples: Windows, Linux, Unix
The parameter is optional; that is, the attribute may or may not contain a
value.
Viewing and Modifying Attribute Type Properties
You can view the following properties of the attribute types that the device supports:
Multiple Values in AttackSpecifies whether the attribute type may contain multiple values in
any one signature.
Multiple Values in RuleSpecifies whether the attribute type may contain multiple values in any
one signature profile rule.
Multiple Values in StaticSpecifies whether the attribute type may contain multiple values in
signatures from the signature file.
Match MethodRelevant only for the attribute types Complexity, Confidence, and Risk, which
have Attribute Values with ascending-descending levels.
Values:
MinimumSpecifies that the Attribute Value includes the results for the lower-level Attribute
Values. For example, for the attribute type Risk with Match Method Minimum, the Attribute
Value High includes the results for Info, Low, and Medium. Minimum is the default for
Complexity, Confidence, and Risk.
ExactSpecifies that the Attribute Value uses only its own results. For example, for the
attribute type Risk with Match Method Exact, the Attribute Value High uses only for High-risk
results.
You can change the Match Method for the attribute types Complexity, Confidence, and Risk.
To view attribute types that the device supports
In the Configuration perspective Network Protection tab navigation pane, select Signature
Protection > Attributes > Attribute Type Properties.
Risk The attacks severity. For example, attacks that impact on the network
are very severe and are defined as high risk attacks.
The parameter is mandatory.
Services The protocol that is vulnerable to this exploit.
Examples: FTP, HTTP, DNS
The parameter is optional; that is, the parameter may or may not contain
a value.
Target The target of the threatclient side or server side.
Threat Type The threats that best describe the signature.
Examples: floods, worms
Attribute Type Description
To change the Match Method for Complexity, Confidence, and Risk attribute types
Protection > Attributes > Attribute Type Properties.
2. Double-click the attribute type.
3. From the Match Method drop-down list, select Minimum or Exact.
4. Click OK.
Configuring Web Quarantine Actions and Quarantined Sources
This feature is available only in devices with an SME.
The Web Quarantine feature enables DefensePro to quarantine all Web traffic from internal hosts in
a protected network segment after matching a signature. When you enable the Web Quarantine
mechanism, traffic from internal hosts whose traffic has matched a signature marked for quarantine
enters the Quarantine table. (The Quarantine table is a subset of the Suspend table.) DefensePro
blocks new HTTP connections from these internal hoststo any external destination. DefensePro
responds to the connection requests according to the Quarantine action defined for the network
policy.
The Web Quarantine configuration involves the following:
Configuring quarantine actions. For more information, see Configuring Web Quarantine Actions,
page 163.
Configuring quarantined sources. For more information, see Configuring Quarantined Sources,
page 167.
Enabling the Web Quarantine option in the Network Protection rule (Network Protection tab >
Network Protection Rules > Web Quarantine). For more information, see Configuring the
Network Protection Policy, page 145.
Enabling the Quarantine Web Traffic from Internal Hosts option in the configuration of the
signature (Network Protection tab > Signature Protection > Signatures > Quarantine Web
Traffic from Internal Hosts). For more information, see Configuring Signature Protection
Signatures, page 151.
Configuring Web Quarantine Actions
To configure Web Quarantine actions
Protection > Web Quarantine> Quarantine Actions.
Table 83: Quarantine Action Parameters
Network Protection Policy The name of the Network Protection Rule.
Action The action that the device takes on outbound Web traffic from the
quarantined internal hosts.
Values:
Quarantine WarningThe device returns the default message or
the specified, Custom HTML Page.
The default message is as follows:
Access Error: Unauthorized
Your comput er i s cur r ent l y under quar ant i ne because t he syst em
i dent i f i ed mal i ci ous act i vi t y or i gi nat i ng f r omyour I P
addr ess. Pl ease cont act your syst emadmi ni st r at or .
Quar ant i ne at t ack name: <Si gnat ur eName> I D: <Si gnat ur eI D>
I P: <Host I PAddr ess>
For more information, see Managing the Quarantine Warning
Page, page 165.
RedirectThe device redirects outbound Web traffic from the
quarantined internal hosts to the specified Redirection Location.
Default: Quarantine Warning
Redirection Location
only when the Action is
Redirect.)
The location where the device redirects quarantined internal hosts.
Typically, the location is an HTML page with a message from the
network administrator.
Caution: To prevent an endless loop, the routing to the Redirection
Location must not include the DefensePro device.
Add Metadata Specifies whether to add metadata to URL of the redirected HTTP GET
requests from the quarantined internal hosts. The metadata
comprises the attack name (that is, the signature name), the attack
ID (that is, the signature ID), and the IP address of the quarantined
host.
The format of the metadata is as follows:
<Redi r ect Ser ver >/ ?at t ack=<at t ackName>&r dwr I d=<I D>&i p=<I P>
Example:
MySer ver . com/ ?at t ack=Wor m- Sl ammer &r dwr I d=3204&i p=10. 2. 3. 4
Default: Disable
Managing the Quarantine Warning Page
When Quarantine Warning is the specified Web Quarantine Action, the device returns the default
message or the specified, Custom HTML Page for outbound Web traffic from the quarantined internal
hosts.
The device sends the hard-coded, default quarantine-warning page under the following
circumstances:
No file has been specified.
The specified file is invalid.
The code for the quarantine-warning page can be up to 750 bytes long.
To set the code for the quarantine-warning page
Protection > Web Quarantine > Quarantine Actions.
3. Click Upload Custom HTML Page.
Aging (Hours) The number of hours that the device quarantines all Web traffic from
the internal hosts in a protected network segment after matching a
signature.
Values:
0168That is one week. The value 168 is valid only if the value
for the Aging (Minutes) is 0.
When Aging ( Hours) and Aging ( Minutes) are both 0 (zero),
the device quarantines the Web traffic indefinitely.
Aging (Minutes) The number of minutes that the device quarantines all Web traffic
from the internal hosts in a protected network segment after matching
a signature.
Values:
059The maximum Aging time (hours + minutes) cannot
exceed 168 hours, 0 minutes.
When Aging ( Hours) and Aging ( Minutes) are both 0 (zero),
the device quarantines the Web traffic indefinitely.
Table 83: Quarantine Action Parameters
To view/get the custom code of the quarantine-warning page
Protection > Web Quarantine> Quarantine Actions.
3. Click Show Custom HTML Page.
Table 84: Set Custom Page Parameters
Policy Name (Read-only) The name of the Network Protection Rule.
Export From The source type of the custom code for the quarantine-warning
page.
Values:
File
Text
Default: File
File Name
only when Export From is File.)
The filepath of the file with the code for the quarantine-warning
page. Click Browse to navigate to the file; and then, click OK.
Text
only when Export From is Text.)
The code for the quarantine-warning page.
Table 85: Get Page Code Parameters
Policy Name (Read-only) The name of the Network Protection Rule.
Export To The target type of the custom code for the quarantine-warning page.
Values:
Text
File
Default: Text
Text
only when Export To is Text.)
The code for the quarantine-warning page.
File
only when Export To is File.)
The filepath target for the user-defined quarantine-warning-page
code.
Configuring Quarantined Sources
To configure quarantined sources
Protection > Web Quarantine > Quarantined Sources.
To delete all quarantined sources
Protection > Web Quarantine > Quarantined Sources.
2. Click Delete All.
Table 86: Quarantined Source Parameters
Network Protection Policy The Network Protection rule.
Web Quarantine IP Address The IP address of the quarantined host.
Aging (Hours) The number of hours that the device quarantines all Web traffic
from the internal hosts in a protected network segment after
matching a signature.
Values:
0168That is one week. The value 168 is valid only if the
value for the Aging (Minutes) is 0.
When Aging ( Hours) and Aging ( Minutes) are both 0
(zero), the device quarantines the Web traffic indefinitely.
Aging (Minutes) The number of minutes that the device quarantines all Web traffic
from the internal hosts in a protected network segment after
matching a signature.
Values:
059The maximum Aging time (hours + minutes) cannot
exceed 168 hours, 0 minutes.
When Aging ( Hours) and Aging ( Minutes) are both 0
(zero), the device quarantines the Web traffic indefinitely.
Quarantine Time (Read-only) The time the entry was created.
Matched Signature (Read-only) The name of the signature that caused the
quarantine.
Note: If this is a user-defined entry, the field is empty.
Configuring BDoS Profiles for Network Protection
When you configure Behavioral DoS profiles, you need to configure the bandwidth and quota
settings. Setting the bandwidth and quota values properly and accurately is important, because
initial baselines and attack detection sensitivity are based on these values.
Recommended settings for policies that include Behavioral DoS profiles are as follows:
Configure rules containing Behavioral DoS profiles using Networks with source = Any, the public
network, and destination = Protected Network. It is recommended to create multiple Behavioral
DoS rules, each one protecting a specific servers segment (for example, DNS servers segment,
Web server segments, Mail servers segments, and so on). This assures optimized learning of
normal traffic baselines.
It is not recommended to define a network with the Source and Destination set to Any, because
the device collects statistics globally with no respect to inbound and outbound directions. This
may result in lowered sensitivity to detecting attacks.
When a rules Direction is set to One Way, the rule prevents incoming attacks only. When a rules
Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both
cases, the traffic statistics are collected for incoming and outgoing patterns to achieve optimal
detection.
You can configure footprint bypass to bypass specified footprint types or values. For more
information, see Configuring BDoS Footprint Bypass, page 124.
To configure a BDoS profile
1. In the Configuration perspective Network Protection tab navigation pane, select BDoS Profiles.
To add a profile, click the (Add) button.
3. Configure the parameters; and then, and click OK.
Table 87: BDoS Profile Parameters
Profile Name The name of the BDoS profile.
Enable Transparent
Optimization
Specifies whether transparent optimization is enabled.
Some network environments are more sensitive to dropping packets (for
example, VoIP), therefore it is necessary to minimize the probability that
legitimate traffic is dropped by the IPS device. This transparent
optimization can occur during BDoSs closed-feedback iterations until a
final footprint is generated.
Note: When transparent optimization is enabled, the profile does not
mitigate the attack until the final footprint is generated, which
takes several seconds.
Flood Protection Settings
SYN Flood Select the network-flood protection types to apply.
TCP ACK + FIN Flood
TCP RST Flood
TCP SYN + ACK Flood
TCP Fragmentation
Flood
UDP Flood
ICMP Flood
IGMP Flood
Bandwidth Settings
Inbound Traffic The maximum inbound traffic bandwidth, in Kbit/s expected on your
links. DefensePro derives the initial baselines from the bandwidth and
quota settings.
Minimum: 1
Note: You must configure this setting to start Behavioral DoS
protection.
Outbound Traffic The maximum outbound traffic bandwidth, in Kbit/s expected on your
links. DefensePro derives the initial baselines from the bandwidth and
quota settings.
Minimum: 1
Note: You must configure this setting to start Behavioral DoS
protection.
Quota Settings
Radware recommends that you initially leave these fields empty so that the default values will
automatically be used. To view default values after creating the profile, double-click the entry in the
table. You can then adjust quota values based on your network performance.
Note: The total quota values may exceed 100%, as each value represents the maximum volume
per protocol.
TCP The maximum expected percentage of TCP traffic out of the total traffic.
UDP The maximum expected percentage of UDP traffic out of the total traffic.
ICMP The maximum expected percentage of ICMP traffic out of the total traffic.
IGMP The maximum expected percentage of IGMP traffic out of the total traffic.
Configuring Anti-Scanning Protection for Network Protection
Worm-propagation prevention and anti-scanning prevent zero-day self-propagating network worms,
horizontal scans, and vertical scans.
A self-propagating worm is an attack that spreads by itself using network resources. This worm uses
a random-IP-address-generation technique (that is, network scanning) to locate a vulnerable host to
infect. When a vulnerable host is identified, the worm immediately executes its code on this host,
thereby infecting the computer with the worms malicious code. Then, the infected hosts initiate
similar scanning techniques and infect other hosts propagating exponentially.
There are several random IP address generation techniques, commonly characterized with
horizontal scanning schemes.
Prior to launching an attack, hackers try to identify what TCP and UDP ports are open on the victim
machine. An open port represents a service, an application or a back door. Ports left open
unintentionally can create serious security problems. These scanning techniques commonly utilize a
vertical scanning scheme.
The worm propagation activity is detected and prevented by DefensePros Anti-Scanning protection.
Advanced Parameters
Level Of Regularization
The packet-rate detection sensitivitythat is, to what extent the BDoS
engine considers the PPS-rate values (baseline and current).
This parameter is relevant only for only for BDoS UDP protection.
Values:
Disable
Low
Medium
High
Default: Low
Packet Report Specifies whether the device sends sampled attack packets to APSolute
Default: Disabled
Note: When this feature is enabled, for the feature to take effect, the
global setting must be enabled (Configuration perspective >
Advanced Parameters > Security Reporting Settings >
Enable Packet Reporting).
Default: Disabled
policies.
Anti-Scanning profiles defend against the following threats:
TCP Horizontal Scanning
TCP Vertical Scanning
TCP stealth scans
UDP Horizontal Scanning
UDP Vertical Scanning
Ping Sweep
Note: In some cases, you may find that network elements legally perform scanning as part of
their normal operation. It is recommended to place such elements in the White List to
avoid network operation interruption.
Before you configure anti-scanning profiles, ensure the following:
The Session table Lookup Mode is Full Layer 4.
Anti-Scanning is enabled and the global parameters are configured. Anti-Scanning global
parameters are defined for all profiles on the device.
Configuring Anti-Scanning Profiles for Network Protection
The following describe the recommended settings for rules that include Anti-Scanning profiles:
Configure policies containing Anti-Scanning profiles using Networks with Source = Any, the
public networkand Destination = Protected Network. This assures optimized attack detection
sensitivity. You can set policies using a VLAN tag, MPLS RD, or physical ports.
It is not recommended to define a network in which the Source and Destination are set to Any,
as it results in lower detection sensitivity.
When a policys Direction is set to One Way, DefensePro prevents incoming attacks only. When a
policys Direction is set to Two Way, the device prevents both incoming and outgoing attacks. In
either case, the device inspects incoming and outgoing traffic for connection scoring.
Before you configure an Anti-Scanning profile, ensure the following:
Anti-scanning protection is enabled and the global parameters are configured. For more
information, see Configuring Global Signature Protection, page 119.
To configure an Anti-Scanning profile
1. In the Configuration perspective Network Protection tab navigation pane, select Anti-Scanning
Profiles.
2. To add or modify an Anti-Scanning profile, do one of the following:
3. Configure anti-scanning profile parameters and click OK.
Table 88: Anti-Scanning Profile Parameters
Rule Name The name of the new profile.
Enable TCP Protection Protects against horizontal and vertical TCP scans, including worm
propagation activity, over TCP.
Enable UDP Protection Protects against horizontal and vertical UDP scans, including worm
propagation activity, over UDP.
Enable ICMP Protection Protects against ping sweeps.
Type The type of traffic protected using Anti-Scanning profiles.
Values:
GWDetects incoming or outgoing scanning attempts, such as
scanning worms.
CarrierDetects large scale scanning worms for carrier links.
InternalPrevents the spreading of worm activity in corporate
LANs.
Detection Sensitivity Level Configures the devices level of sensitivity to scanning activities.
Values: High, Medium, Low, Very Low
Default: Low
Note: High means it needs few scanning attempts to trigger the
Anti-Scanning protection, while Very Low means it needs a
high number of scanning attempts.
Accuracy The accuracy level determines the minimum number of parameters
used in the footprint.
Values: High, Medium, Low
Default: Medium
Higher accuracy means that more parameters are required to appear
in the footprint. If DefensePro is unable to find a footprint with the
minimum number of parameters for the specified accuracy level,
DefensePro does not block the attack.
Default: Disabled
Reporting Settings > Enable Packet Trace). In
addition, a change to this parameter takes effect only
Configuring Anti-Scanning Trusted Ports
You can configure a list of Layer 4 ports on which scanning is allowed. That is, when Anti-Scanning is
enabled, there is no blocking of scans that target these ports. By default, DefensePro ignores port
113 activity.
To configure Anti-Scanning trusted ports
1. In the Configuration perspective Network Protection tab navigation pane, select Anti-Scanning
Profiles > Anti-Scanning Trusted Ports.
2. To view the trusted ports for a profile, select the profile and click Go.
3. To add a trusted port for the selected profile, click the (Add) button.
4. Enter the Layer 4 trusted port on which scanning is allowed. Values: 165,535.
5. Click OK.

Configuring Connection Limit Profiles for Network Protection
Connection Limit profiles defend against session-based attacks, such as half open SYN attacks,
request attacks, and full connection attacks.
Connection Limit profiles contain attack definitions for groups of TCP or UDP application ports.
DefensePro counts the number of TCP connections, or UDP sessions, opened per client, per server,
or per client plus server combination, for traffic that matches a Connection Limit policy attack
definition. Once the number of connections per second reaches the specified threshold, any session/
connection over the threshold is dropped, unless the action mode defined for this attack is Report
Only.
You can also define whether to suspend the source IP address, dropping traffic from this source for a
number of seconds as per Suspend Table definitions.
Recommended settings for policies that include Connection Limit profiles:
Configure policies containing Connection Limit profiles using Networks only with source = Any,
the public network, and destination = Protected Network. You can define segments using VLAN
tag, MPLS RDs, and physical ports.
It is not recommended to define networks when the Source and Destination are set to Any.
Policies containing Connection Limit profiles can be configured with Direction set to either One
Way or Two Way.
Before you configure a Connection Limit profile, ensure the following:
Connection Limit protection is enabled (under the Security Settings tab).
(Recommended) The required Connection Limit protections are configured. For more
information, see Configuring Connection Limit Protections, page 175.
To configure a Connection Limit profile
1. In the Configuration perspective Network Protection tab navigation pane, select Connection
Limit Profiles.
2. To add or modify a profile, do one of the following:
To add a profile, click the (Add) button. Enter the profile name and click OK.
3. To add Connection Limit protections to the profile, in the Edit Connection Limit Profile dialog box
protections table:
a. Right-click and select Add New Connection Limit Protection.
b. Select the protection name and click OK.
4. To define additional Connection Limit protections for the profile, click Go To Protection Table.
For more information, see Connection Limit Protection Parameters, page 175.
Note: A Connection Limit profile should contain all the Connection Limit protections that you
want to apply in a network-policy rule.
Table 89: Connection Limit Profile Parameters
Profile Name (Read-only) The name of the Connection Limit profile.
Connection Limit Protection
Table
Lists the Connection Limit protection name and ID for each protection
to be applied for the selected profile.
To add a protection, in the table, right-click and select Add New
Connection Limit Protection. Select the protection name and click
OK.
Note: In each rule, you can use only one Connection Limit profile.
Therefore, ensure that all the protections that you want to
apply to a rule are contained in the profile specified for that
rule.
Go To Protection Table Opens the Connection Limit Protection dialog box in which you can
add and modify Connection Limit protections.
Configuring Connection Limit Protections
Configure Connection Limit protections to add to Connection Limit profiles for network protection.
To configure a Connection Limit protection
Limit Profiles > Connection Limit Protections.
2. To add or modify a protection, do one of the following:
To add a protection, click the (Add) button.
To edit a protection, double-click the entry in the table.
Table 90: Connection Limit Protection Parameters
Protection ID (Read-only) The ID number assigned to the Connection Limit
protection.
Protection Name Descriptive name for easy identification when configuring and
reporting.
Application Port Group
Name
The group of Layer 4 ports representing the application you want to
protect.
Protocol The Layer 4 protocol of the application you want to protect.
Values: TCP, UDP
Default: TCP
Number of Connections The maximum number of TCP connections, or UDP sessions, per
second, allowed for each source, destination or source-and-
destination pair. All additional sessions are dropped. When the
threshold is reached, attacks are identified and a security event
generated.
Default: 50
Tracking Type The counting rule for tracking sessions.
Values:
Source and Target CountSessions are counted per source IP
and destination IP address combination.
Source CountSessions are counted per source IP address.
Target CountSessions are counted per destination IP address.
Default: Source Count
Action Mode The action when an attack is detected.
Values:
Report-onlyThe packet is forwarded to the destination IP
address.
Reset SourceSends a TCP-Reset packet to the packet source IP
address.
Default: Drop
Packet Report Enables logging a copy of the filtered packet.
Default: Disabled
Risk The risk assigned to this attack for reporting purposes.
Values: High, Info, Low, Medium
Default: Medium
Suspend Action Specifies which session traffic the device suspends for the attack
duration.
Values:
NoneSuspend action is disabled for this attack.
Source IPAll traffic from the IP address identified as the source
of this attack is suspended.
Source IP + Destination IPTraffic from the IP address identified
as the source of this attack to the destination IP address under
attack is suspended.
Source IP + Destination PortTraffic from the IP address
identified as the source of this attack to the application
(Destination port) under attack is suspended.
Source IP + Destination IP and PortTraffic from the IP address
identified as the source of this attack to the destination IP
address and port under attack is suspended.
Source IP and Port + Destination IP and PortTraffic from the IP
address and port identified as the source of this attack to the
destination IP address and port under attack is suspended.
Default: None
Note: When Tracking Type is set to Target Count, the Suspend
Action can only be set to None.
Packet Report Specifies whether the device sends sampled attack packets to
APSolute Vision for offline analysis.
Default: Disabled
Note: When this feature is enabled here, for the feature to take
Reporting Settings > Enable Packet Reporting).
Default: Disabled
Parameters > Security Reporting Settings > Enable
Packet Trace). In addition, a change to this parameter
takes effect only after you update policies.
Table 90: Connection Limit Protection Parameters
Configuring SYN Profiles for Network Protection
SYN Profiles defend against SYN flood attacks.
During a SYN flood attack, the attacker sends a volume of TCP SYN packets requesting new TCP
connections without completing the TCP handshake, or completing the TCP handshake, but not
requesting data. This fills up the server connection queues, which denies service to legitimate TCP
users.
Before you configure a SYN profile, ensure the following:
SYN Flood protection is enabled and the global parameters are configured. You can change the
global settings. The SYN flood global settings apply to all the profiles on the device. For more
information, see Configuring Global SYN Flood Protection, page 128.
To configure a SYN profile
1. In the Configuration perspective Network Protection tab navigation pane, select SYN Profiles.
3. To add a SYN flood protection to the profile:
a. Right-click in the table and select Add New SYN Flood Protection.
b. From the Profile Name drop-down list, select the protection.
c. Click OK.
4. To define additional SYN flood protections for the profile, click Go To Protection Table.
Note: A SYN profile should contain all the SYN flood protections that you want to apply in a
network-policy rule.
Table 91: SYN Profile Parameters
Profile Name (Read-only) The name of the profile.
SYN Protection Table Contains the protections to be applied for the selected profile.
To add a protection, in the table, right-click and select Add New SYN
Flood Protection. Select the protection name and click OK.
Note: In each rule, you can use only one SYN profile. Therefore,
ensure that all the protections that you want to apply to a
rule are contained in the profile specified for that rule.
Go To Protection Table Opens the Syn Protections dialog box in which you can add and
modify SYN protections.
Defining SYN Flood Protections
After you define SYN flood protections, you can add them to SYN profiles.
Caution: DefensePro x016 models do not support physical-port classification for SYN
Protection. When triggered, all traffic that matches the attacked destination
classified by destination IP address, Layer 4 port number, and optionally a VLAN tag
will be challenged, regardless or the physical port identification. That is, even if the
attack is carried out through a specific physical port, all traffic from all ports that
matches the other parameters will be challenged.
To configure a SYN protection
1. In the Configuration perspective Network Protection tab navigation pane, select SYN Profiles >
SYN Protections.
Table 92: SYN Flood Protection Parameters
Protection Name A name for easy identification of the attack for configuration and reporting.
Note: Predefined SYN Protections are available for the most common
applications: FTP, HTTP, HTTPS, IMAP, POP3, RPS, RTSP, SMTP,
and Telnet. The thresholds are predefined by Radware. You can
change the thresholds for these attacks.
Protection ID (Read-only) The ID number assigned to the protection.
Application Port Group The group of TCP ports that represent the application that you want to
protect. Select from the list predefined port groups, or leave the field
empty to select any port.
Activation Threshold If the average rate of SYN packets received at a certain Destination for the
duration of the tracking period (Stable Threshold) is higher than this
threshold, the protection is activated.
Values:
0The destination is always protected.
1150,000
Default: 2500
Termination Threshold If the average rate of SYN packets received at a certain Destination for the
duration of the tracking period drops below this threshold, the protection is
stopped.
Values: 1150,000
Default: 1500
Radware-Recommended Verification Type Values
Managing SYN Protection Profile Parameters
After you define a SYN Protection profile, you can configure the authentication parameters for it.
To configure SYN Protection profile parameters
1. In the Configuration perspective Network Protection tab navigation pane, select SYN
Protection Profiles > Profiles Parameters.
2. Double-click the relevant profile.
Risk The risk level assigned to this attack for reporting purposes.
Default: Low
Source Type (Read-only) Specifies whether the SYN protection is a predefined (static)
or user-defined (user) protection.
Protocol Destination Port Verification Type
FTP_CNTL 21 ack
HTTP 80 request
HTTPS 443 request
IMAP 143 ack
POP3 110 ack
RPC 135 ack
RTSP 554 request
SMTP 25 ack
TELNET 23 ack
Table 92: SYN Flood Protection Parameters
Configuring SSL Mitigation Policies
DefensePro can mitigate SSL-flood attacks with SSL Mitigation policies. When SYN Protection is
triggered for TCP port 443 protection and the SYN Protection profile is configured with the Use
HTTP Authentication checkbox selected (Network Protection tab > SYN Protection Profiles >
Profiles Parameters), an active SSL Mitigation policy challenges new SSL connections using a
Table 93: SYN Flood Protection Profile Parameters
Profile Name (Read-only) The name of the profile.
Authentication Method The Authentication Method that the device uses at the Transport Layer.
When the device is installed in and ingress-only topology, select the Safe-
Reset method.
Values:
Transparent ProxyWhen the device receives a SYN packet, the
device replies with a a SYN ACK packet with a cookie in the Sequence
Number field. If the response is an ACK that contains the cookie, the
device considers the session to be legitimate. Then, the device opens
a connection with the destination and acts as transparent proxy
between the source and the destination.
Safe-ResetWhen the device receives a SYN packet, the device
responds with an ACK packet with an invalid Sequence Number field
as cookie. If the client responds with RST and the cookie, the device
discards the packet, adds the source IP address to the TCP
Authentication Table. The next SYN packet from the same source
passes through the device, and the session is approved for the server.
The device saves the source IP address for a specified time. Typically,
you specify this method when the network policy rule handles only
ingress traffic.
Default: Transparent Proxy
HTTP Authentication
Use HTTP
Authentication
Specifies whether the device authenticates the Transport Layer of HTTP
traffic using SYN cookies and then authenticates the HTTP Application
Layer using the specified HTTP Authentication Method.
Values:
EnabledThe device authenticates the Transport Layer of HTTP traffic
using SYN cookies and then authenticates the HTTP Application Layer
using the specified HTTP Authentication Method.
DisabledThe device handles HTTP traffic using the specified TCP
Authentication Method.
Default: Disabled
HTTP Authentication
Method
The method that the profile uses to authenticates HTTP traffic at the
Application Layer.
Values:
302-RedirectThe device authenticates HTTP traffic using a 302-
Redirect response code.
JavaScriptThe device authenticates HTTP traffic using a JavaScript
object generated by the device.
Default: 302-Redirect
Safe-Reset method. To decrypt and re-encrypt the SSL packets during the challenge process,
DefensePro uses the SSL engine of a specified Alteon device. DefensePro allows traffic from
validated clients to pass through the DefensePro device to the protected server.
The DefensePro SSL Mitigation mechanism works as follows:
1. The DefensePro device receives a SYN packet from a client on port 443.
2. DefensePro responds with an ACK packet with an invalid Sequence Number field as cookie.
3. If the client responds with RST and the cookie, DefensePro discards the packet, and adds the
source IP address to the TCP Authentication Table.
4. The DefensePro device passes the next SYN packet from the same source to the SSL engine of
the specified Alteon device.
5. The Alteon device performs the SSL handshake with the client.
6. The DefensePro device passes the following HTTPS GET or POST request from the same source
to the SSL engine of the Alteon device.
7. The Alteon device communicates with the DefensePro device to generate an encrypted
challenge.
8. The DefensePro device sends the encrypted HTTPS challenge to the client.
9. The DefensePro device receives a valid response from the client and considers the connection to
be legitimate.
10. The DefensePro device adds the source IP address to the HTTP Authentication Table.
11. The DefensePro device passes the encrypted HTTPS response to the SSL engine of the Alteon
device.
12. The Alteon device communicates with the DefensePro device to generate an encrypted
termination message.
13. The next SYN packet from the validated source passes through the DefensePro device to the
server that is under attack, and DefensePro acts as a transparent proxy for the remainder of the
session.
To configure an SSL mitigation policy
1. In the Configuration perspective Network Protection tab navigation pane, select SYN
Protection Profiles > SSL Mitigation Policies Parameters.
2. To add or modify a policy, do one of the following:
To add a policy, click the (Add) button.
To edit a policy, double-click the entry in the table.
Table 94: SSL Mitigation Policy Parameters
Name The name of the policy.
SSL VIP The IPv4 VIP address on the Alteon device.
SSL Server IP Address The IPv4 address of the SSL server specified on the Alteon device.
VIP MAC The MAC address of the Alteon device.
Configuring Connection PPS Limit Profiles for Network Protection
Connection PPS Limit profiles defend against attacks that flood established TCP connections (not
necessarily many connections) with a high PPS rate of legitimate or non-legitimate packets.
Before you configure a connection PPS limit profile, ensure the following:
(Recommended) The required Connection PPS Limit protections are configured. For more
information, see Configuring Connection Limit Protections, page 175.
To configure a connection PPS limit profile
PPS Limit Profiles.
3. To add Connection PPS Limit protections to the profile, in the Edit Connection PPS Limit Profile
dialog box protections table:
a. Right-click and select Add New Connection PPS Limit Protection.
b. Select the protection name and click OK.
4. To define additional Connection Limit protections for the profile, click Go to Protection Table.
For more information, see Connection PPS Limit Profile Parameters, page 183.
Note: A PPS Connection Limit profile should contain all the Connection Limit protections that
you want to apply in a network policy rule.
Network Policy Name The name of the existing Network Protection Rule in the APSolute Vision
server.
State Specifies whether the policy is active.
Values: active, inactive
Default: active
Table 94: SSL Mitigation Policy Parameters
Defining Connection PPS Limit Protections
Define Connection PPS Limit protections to add to Connection PPS Limit profiles for network
protection.
To configure a Connection PPS Limit protection
PPS Limit Profiles > Connection PPS Limit Protections.
3. Configure the Connection PPS Limit protection parameters and click OK.
Table 95: Connection PPS Limit Profile Parameters
Profile Name (Read-only) The name of the Connection PPS Limit profile.
Connection PPS Limit
Protection Table
Lists the connection PPS limit protection name and ID for each
protection to be applied for the selected profile.
To add a protection, in the table, right-click and select Add New
Connection PPS Limit Protection. Select the protection name and
click OK.
Note: In each rule, you can use only one Connection PPS Limit
profile. Therefore, ensure that all the protections that you
want to apply to a rule are contained in the profile specified
for that rule.
Go To Protection Table Opens the Connection PPS Limit Protection dialog box in which you
can add and modify Connection PPS Limit protections.
Table 96: Connection PPS Limit Protection Parameters
ID (Read-only) The ID number assigned to the Connection PPS Limit
protection.
Name Descriptive name for easy identification when configuring and
reporting.
Action The action that the device takes when an attack is detected.
Values: Report Only, Drop
Default: Report Only
Application Port The group of Layer 4 ports representing the application you want to
protect.
Values:
The name of an Application Port class displayed in the Classes
tab
An application-port number
Configuring DNS Protection Profiles for Network Protection
When you configure DNS Protection profiles, you need to configure the query and quota settings.
Setting the query and quota values properly and accurately is important, because initial baselines
and attack detection sensitivity are based on these values.
DNS Protection profiles can be used only in one-way policies.
Tracking Type On what the protection tracks the PPS rate.
Value: Per Connection
Activation Threshold The PPS threshold on a single connection that activates the
protection after the specified Activation Period.
Values: 1max integer
Default: 10,000
Drop Threshold The PPS rate that the protection allows on the connections during an
attack. The device drops packets exceeding the specified Drop
Threshold.
Default: 0
Termination Threshold The PPS threshold on all the connections that deactivates the
protectionafter the Termination Period. That is, when the PPS rate
falls below the specified threshold on all the connections, the device
considers the attack to have endedafter the Termination Period.
Default: 9,000
Note: The Termination Threshold must be less than or equal to the
Activation Threshold.
Values: High, Info, Low, Medium
Default: Medium
Activation Period The time, in seconds, after the PPS rate on a connection has
exceeded the Activation Threshold, that the device considers a PPS
attack to have started and starts the configured protection measures.
Default: 5
Default: Disabled
Parameters > Security Reporting Settings > Enable
Packet Trace). In addition, a change to this parameter
takes effect only after you update policies.
Table 96: Connection PPS Limit Protection Parameters
It is recommended to configure policies that include DNS Protection profiles using Networks with
source = Any, the public network, and destination = Protected Network.
You can configure footprint bypass to bypass specified footprint types or values.
To configure a DNS Protection profile
1. In the Configuration perspective Network Protection tab navigation pane, select DNS
Protection Profiles.
3. Configure the parameters; and then, and click OK.
Table 97: DNS Protection Profile Parameters
Name The name of the profile.
Queries Protections and Quotas
Radware recommends that you initially leave these fields empty so that the default values will
automatically be used. To view default values after creating the profile, double-click the entry in the
table. You can then adjust quota values based on your network performance.
Note: The total quota values may exceed 100%, as each value represents the maximum volume
per protocol.
A Query For each DNS query type to protect, specify the quotathe maximum
expected percentage of DNS traffic out of the total DNS trafficand
select the checkbox in the row.
MX Query
PTR Query
AAAA Query
Text Query
SOA Query
NAPTR Query
SRV Query
Other Queries
Set Default Quotas Configures all the quotas with the hard-coded default values after you
have specified the DNS Queries Rate.
DNS Queries Rate The expected rate, in queries per second, of DNS queries.
Manual Triggers
Use Manual Triggers Specifies whether the profile uses user-defined DNS QPS thresholds
instead of the learned baselines.
Default: Disabled
Activation Threshold The minimum number of queries per secondafter the specified
Activation Periodon a single connection that causes the device to
consider there to be an attack. When the device detects an attack, it
issues an appropriate alert and drops the DNS packets that exceed the
threshold. Packets that do not exceed the threshold bypass the
DefensePro device.
Values: 04,000,000
Default: 0
Activation Period The number of consecutive seconds that the DNS traffic on a single
connection exceeds the Activation Threshold that causes the device to
consider there to be an attack.
Values: 030
Default: 3
Termination Threshold The maximum number of queries per secondafter the specified
Termination Periodon a single connection that cause the device to
consider the attack to have ended.
Values: 04,000,000
Default: 0
Note: The Termination Threshold must be less than or equal to the
Activation Threshold.
Termination Period The time, in seconds, that the DNS traffic on a single connection is
continuously below the Termination Threshold, which causes the device to
consider the attack to have ended.
Values: 030
Default: 3
Max QPS The maximum allowed rate of DNS queries per second.
Values: 04,000,000
Default: 0
Escalation Period The time, in seconds, that the device waits before escalating to the next
specified Mitigation Action
Values: 030
Default: 3
Advanced Report Settings
Default: Disabled
Note: When this feature is enabled, for the feature to take effect, the
global setting must be enabled (Configuration perspective >

Managing the Server Protection Policy
The Server Protection policy protects servers against targeted attacks. Each rule in the policy
contains Server Protection profiles to defend a specific server against network and application
attacks. You can specify an HTTP flood profile and a Server Cracking profile for each rule. These
profiles are activated when DefensePro identifies an attack on the corresponding protected server.
Before you configure rules and profiles for the Server Protection policy, ensure that you have
enabled all the required protections and configured the corresponding global protection parameters
under the Security Settings tab.
Default: Disabled
policies.
Action and Escalation
Note: The device implements the parameters in this group box only when the Manual Triggers
option is not enabled.
Profile Action The action that the profile takes on DNS traffic during an attack.
Values: Block & Report, Report Only
Default: Block & Report
Max allowed QPS The maximum allowed rate of DNS queries per second, when the Manual
Triggers option is not enabled.
Values: 04,000,000
Default: 0
Note: When the Manual Triggers option is enabled, the Max QPS value
specified in the Manual Triggers group box takes precedence.
Signature Rate-limit
Target
The percentage of the DNS traffic that matches the real-time signature
that the profile will not mitigate above the baseline.
Values: 0100
Default: 0
Configuring the Server Protection Policy
The Server Protection policy defines the protected servers in your network, and the actions to be
taken when an attack on a protected server is detected.
Caution: When you configure the policy, APSolute Vision stores your configuration changes, but
it does not download your configuration changes to the device. To apply changes onto
the device, you must activate the configuration changes.
To configure the Server Protection policy
1. In the Configuration perspective Server Protection tab navigation pane, select Server
Protection Policy.
To edit an entry, double-click the entry in the table.
4. To activate your changes on the device, click Activate Latest Changes.
Table 98: Server Protection Parameters
Server Name The name of the server.
IP Range The IP-address or range of the protected server. You can assign
an HTTP profile to a server definition that contains one discrete
IP. You can assign a Server Cracking profile to ranges, networks,
and discrete IPs.
Enabled Specifies whether the rule is enabled.
HTTP Flood Profile The HTTP Flood profile to be activated against an attack.
Note: You can click the adjacent button to open the dialog
box in which you can add and modify profiles.
Server Cracking Profile The Server Cracking profile to be activated against an attack.
Each DefensePro device supports up to 20 Server Cracking
profiles.
box in which you can add and modify profiles.
VLAN Tag Group The VLAN Tag Group of the traffic.
box in which you can add and modify VLAN Tag groups.
Configuring Server Cracking Profiles for Server Protection
Server Cracking profiles defend the applications in your network against server flooding,
authorization hacking, vulnerability scanning, and application floods. Each Protection protects
against one specific cracking activity.
You configure Server Cracking profiles with Radware-defined protections.
Each DefensePro device supports up to 20 Server Cracking profiles.
Packet Reporting Specifies whether the device sends sampled attack packets to
APSolute Vision for offline analysis.
Default: Disabled
Note: When this feature is enabled here, for the feature to
take effect, the global setting must be enabled
Packet Reporting Configuration
on Policy Takes Precedence
Specifies whether the configuration of the Packet Reporting
feature here, on this policy rule takes precedence over the
configuration of the Packet Reporting feature in the associated
profiles.
Packet Trace Specifies whether the DefensePro device sends attack packets to
the specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to
take effect, the global setting must be enabled
Enable Packet Trace). In addition, a change to
this parameter takes effect only after you update
policies.
Packet Trace Configuration on
Policy Takes Precedence
Specifies whether the configuration of the Packet Trace feature
here, on this policy rule, takes precedence over the configuration
of the Packet Trace feature in the associated profiles.
Caution: A change to this parameter takes effect only after
you update policies.
DefensePro can protect against the following server-cracking types:
Authorization HackingMany Web servers and other server applications lack protection for
their password lists. Highly sophisticated, readily available password-cracking tools
automatically send large numbers of possible passwords in a short period of time leading to
Web-page alterations, customer-data theft, and unauthorized use of Web servers or other
application resources such as mail and FTP. DefensePro protects application resources from
password hacking by constantly monitoring inbound authorization requests and their associated
responses. DefensePro dynamically blocks password-theft attempts that use the Brute Force or
Dictionary Guessing methods while the attempts are active.
Application ScanningApplication scanning attempts are usually precursors to more serious
exploitation attempts. The attacker attempts to exploit a known vulnerability by sending lists of
legitimate looking requests and analyzing the responses. Scanning attempts generate a higher
than usual error-response rate from the application. Blocking such attempts helps prevent the
vulnerabilities from being disclosed.
Application DoSSIP (Session Initiation Protocol) is vulnerable to application-level floods such
as Invite floods. Hackers may exhaust SIP server resources by sending a volume of SIP Invite
requests, an application level flood attack, which cannot be detected as a packet-based or
session-based DoS flood attack.
Dynamic Attacks BlockingDynamic Blocking automatically acts against any detected pre-
attack probe, creating a temporary block against it. The source is monitored for consistency
during this period. A consistent level of activity from the source automatically extends the
blocking. Blocking rules adapt specifically to the attack detected. When an attack is aimed a
specific service, only traffic from the attackers source aimed at that service is blocked. When an
attack targets distributed services, more inclusive blocks are instituted. Dynamic Blocking
accurately blocks network attacks, without any human intervention, reduces response time
while increasing security by using source tracking and a fuzzy logic engine. Attacks are detected
by the frequency and quantity of server-based error responses, uniquely identified for each
protected application. The analysis is done per source IP and protected server.
Before you configure a Server Cracking profile, ensure the following:
IPS protection is enabled and the global parameters are configured. For more information, see
Configuring Global Signature Protection, page 119.
To configure a Server Cracking profile
1. In the Configuration perspective Server Protection tab navigation pane, select Server Cracking
Profiles.
2. To add or a profile:
a. Click the (Add) button.
b. Enter a name for the profile and click OK.
c. Configure the actions and protections for the profile and click OK.
3. To modify a profile:
a. Double-click the entry in the table.
b. Modify the actions and protections of the profile; and then, and click OK.
Viewing Radware-defined Server Cracking Protections
You can view the read-only Radware-defined Server Cracking protections.
To view Radware-defined Server Cracking protections
In the Configuration perspective Server Protection tab navigation pane, select Server Cracking
Profiles > Server Cracking Protections. The Server Cracking Protections table is displayed
with the read-only Radware-defined Server Cracking protections.
Table 99: Server Cracking Profile Parameters
Profile Name (Read-only) The name of the Server Cracking profile.
Action The action to be taken when an attack occurs corresponding to a
defined protection.
Default: Disabled
Enable Packet Trace). In addition, a change to this
parameter takes effect only after you update policies.
Server Cracking Protection
Table
Contains the protections to be applied if there is an attack on the
server. To add a protection, in the table, right-click and select Add
New Server Cracking Protection. To edit a table entry, double-
click the entry. Then, configure the Server Cracking Protection
parameters; and then, click OK.
Note: In each rule, you can use only one Server Cracking profile.
Therefore, ensure that all the protections that you want to
apply to a rule are contained in the profile specified for that
rule.
Table 100: Radware-defined Server Cracking Protections
Protection ID The unique identifying number.
Protection Name The name for the Protection. The Protection Name is used when DoS Shield sends
information about attack status changes.
Configuring HTTP Flood Profiles for Server Protection
HTTP Flood profiles defend the applications in your network against server flooding.
Server flood attacks are aimed at specific servers causing denial of service at the server level. These
types of attacks disrupt a server by sending more requests than the server can handle, thereby
preventing access to a service.
Server attacks differ from network-flood attacks either in the attack volume or in the nature of the
requests used in the attack. Server flood attacks use legitimate requests that cannot be
distinguished from regular customer requests.
Sensitivity The detection sensitivity of module. The sensitivity level defines thresholds for
the number and frequency of server-side error messages. These messages are
tracked for attack detection. High sensitivity specifies that the device needs few
cracking attempts to trigger the protection. Minor sensitivity specifies that the
device needs a very high number of attempts.
Values: High, Medium, Low, Minor
Default: Medium
Note: If you are protecting a Web server that is not maintained or not
updated, it may generate HTTP-error replies at an abnormal rate, which
the device will falsely identify as an attack. In such a case, set the
sensitivity to Low.
Action Mode The action that the device takes when an attack is detected.
Direction The direction of the traffic to inspect. A protection may include attacks that
should be searched only for traffic from client to server or only on traffic from
server to client.
Values:
InboundThe Protection inspects traffic from policy Source to policy
Destination.
OutboundThe Protection inspects traffic from policy Destination to policy
Source
Inbound & OutboundThe Protection inspects all traffic between policy
Source to policy Destination
Suspend Action Specifies what traffic to suspend for a period of time.
Values:
NoneSuspend action is disabled for this attack.
SrcIPAll traffic from the IP address identified as the source of the attack is
suspended.
SrcIP, DestIPTraffic from the IP address identified as the source of the
attack to the destination IP address under attack is suspended.
SrcIP, DestPortTraffic from the IP address identified as source of the attack
to the application (destination port) under attack is suspended.
SrcIP, DestIP, DestPortTraffic from the IP address identified as the source
of the attack to the destination IP and port under attack is suspended.
SrcIP, DestIP, SrcPort, DestPortTraffic from the IP address and port
identified as the source of the attack to the destination IP and port under
attack is suspended.
Table 100: Radware-defined Server Cracking Protections
Before you configure an HTTP Flood profile, ensure that HTTP mitigation is enabled and the global
parameters are configured. For more information, see Configuring Global HTTP Flood Protection,
page 131.
To configure an HTTP Flood profile
1. In the Configuration perspective Server Protection tab navigation pane, select HTTP Flood
Profiles.
3. Configure the parameters and click OK.
Table 101: HTTP Flood Profile Parameters
Basic Parameters
Profile Name The name of the profile.
Sensitivity Level When User-Defined Attack Triggers are not used, this parameter specifies
how sensitive the profile is to deviations from the baseline. High specifies
that attack will be triggered when a small deviation from the baselines is
detected.
Values:
Minor
Low
Medium
High
Default: Medium
Action The action that the device takes when the profile detects suspicious traffic.
Values:
Block and ReportBlocks and reports on the suspicious traffic.
Report OnlyReports the suspicious traffic.
Default: Block and Report
User-Defined Attack Triggers
Use the following
thresholds to identify
HTTP flood attacks
Specifies whether the profile uses static, user-defined thresholds to
identify when an attack is in progress or checks the server traffic and
compares the traffic behavior to the baseline to identify when an attack is
in progress.
Default: Disabled
Get and POST Request-
Rate Trigger
The maximum number of GET and POST requests allowed, per server per
second.
Values:
0The profile ignores the threshold.
12
32
Default: 0
Other Request-type
Request-Rate Trigger
The maximum number of requests that are not GET or POST (for example,
HEAD, PUT, and so on) allowed, per server per second.
Values:
12
32
Default: 0
Outbound HTTP BW
Trigger
The maximum allowed bandwidth of HTTP responses in kilobits per
second.
Values:
12
32
Default: 0
Requests-per-Source
Trigger
The maximum number of requests allowed per source IP per second.
Values:
12
32
Default: 5
Requests-per-
Connection Trigger
The maximum number of requests allowed from the same connection.
Value:
12
32
Default: 5
Suspicious Source Characterization Thresholds
Request-Rate
Threshold
The number of HTTP requests per second from a source that causes the
device to consider the source to be suspicious.
Values: 165,535
Default: 5
Requests-per-
Connection Threshold
The number of HTTP requests for a connection that causes the device to
consider the source to be suspicious.
Values: 165,535
Default: 5
Default: Enabled
Note: When this feature is enabled here, for the feature to take effect,
the global setting must be enabled (Configuration perspective >
Configuring White Lists
The White List determines the traffic that is exempt from security inspection.
For each protection, you can set different White List rules.
Configuring White Lists in Defense Pro
The configuration of White Lists in DefensePro depends on the device version.
In Defense Pro, a White List rule can use explicit values or predefined classes to classify the traffic.
The classes are displayed in the Classes tab. For more information, see Managing Classes,
page 221.
Default: Disabled
Reporting Settings > Enable Packet Trace). In addition, a
change to this parameter takes effect only after you update
policies.
Mitigation Settings
When the protection is enabled and the device detects that a HTTP-flood attack has started, the
device implements the mitigation actions in escalating orderin the order that they appear in the
group box. If the first enabled Mitigation Action does not mitigate the attack satisfactorily, after a
certain escalation period, the device implements the next more-severe enabled mitigation action
and so on.
Escalation periods are not configurable.
Challenge Suspects Specifies whether the device challenges HTTP sources that match the real-
time signature.
Default: Enabled
Challenge All Specifies whether the device challenges all HTTP traffic toward the
protected server.
Default: Enabled
Block Suspects Specifies whether the device blocks all traffic from the suspect sources.
Default: Enabled
Challenge Mode Specifies how the device challenges suspect HTTP sources.
Values:
302 RedirectThe device authenticates HTTP traffic using a 302-
Redirect response code.
JavaScriptThe device authenticates HTTP traffic using a JavaScript
object generated by the device.
Default: 302 Redirect
You can configure a White List rule from a specified source Network class or source IP address to
bypass (that is, be exempt from) specific protection modulesfor example, Server Cracking. When
you specify specific protection modules in a White List rule, the device uses only the source Network
class or explicit source IP address.
Note: Since networks on the White List are not inspected, certain protections are not applied
to sessions in the opposite direction. For example, with SYN protection, this can cause
servers to not be added to known destinations due to ACK packets not being inspected.
To configure a white list
1. In the Configuration perspective ACL tab navigation pane, select White List.
2. To add or modify a white list rule, do one of the following:
To add a rule, click the (Add) button.
To edit a rule, double-click the entry in the table.
3. Configure white list rule parameters.
Table 102: White List Rule Parameters
Identification
Name The name of the rule up to 50 characters.
Description The user-defined description of the rule.
Enable When selected, the rule is active.
Module Bypass
Bypass All Modules Specifies whether the rule includes all specific protection modules.
Values:
EnabledThe specified Classification criteria determine the
traffic that is exempt from security inspection. The checkboxes
for the protection modules are unavailable.
DisabledThe specified source (that is, the source Network class
or source IP address) and specified protection modules
determine the traffic that is exempt from security inspection. The
checkboxes for the protection modules are available.
Default: Enabled
Note: Performance is better when Bypass All Modules is enabled
(Bypass All Modules checkbox is selected) rather than
having the having the modules enabled individually.
Bypass SYN Protection When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses SYN Protection
inspection.
Default: Enabled
Bypass Anti Scanning When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses Anti-Scanning
inspection.
Default: Enabled
Bypass Signature Protection When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses Signature Protection
inspection.
Default: Enabled
Bypass HTTP Flood When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses HTTP Flood inspection.
Default: Enabled
Bypass Server Cracking When enabled, traffic from the specified source (that is, the source
Network class or source IP address) bypasses Server Cracking
inspection.
Default: Enabled
Classification
Source Network The source of the packets that the rule uses.
Values:
An IP address
any
Source Port The source Application Port class or application-port number that the
rule uses.
Values:
An Application Port class displayed in the Classes tab
None
Destination Network The destination of the packets that the rule uses.
Values:
An IP address
any
Destination Port The destination Application Port class or application-port number that
the rule uses.
Values:
None
Configuring Black Lists
The Black List comprises the traffic that the device always blocks without inspection. You use the
Black List as policy exceptions for security policies.
Enabling and Disabling the Packet Trace Feature for Black List Rules
When the Packet Trace feature is enabled for Black Lists, the DefensePro device sends blacklisted
packets to the specified physical port.
Physical Ports The Physical Port class or physical port that the rule uses.
Values:
None
VLAN Tag The VLAN Tag class that the rule uses.
Values:
None
Protocol The protocol of the traffic that the rule uses.
Values:
Any
GRE
ICMP
ICMPv6
IGMP
SCTP
TCP
UDP
Default: Any
Values:
One-directionalThe protection applies to sessions originating
from sources to destinations that match the network definitions
of the policy.
Bi-directionalThe protection applies to sessions that match the
network definitions of the policy regardless of their direction.
Default: One-directional
Action
Action (Read-only) The action for a White List rule is always Bypass.
You enable or disable the Packet Trace feature for all the Black List rules on the device.
Notes
>> When this feature is enabled, for the feature to take effect, the global setting must be
enabled (Configuration perspective > Advanced Parameters > Security Reporting
Settings > Enable Packet Trace).
>> A change to the parameter takes effect only after you update policies.
To enable or disable the Packet Trace feature for all the Black List rules on the device
1. In the Configuration perspective ACL tab navigation pane, select Black List.
2. Select or clear the Packet Trace checkbox; and then, click (Submit) to submit the changes.
Configuring Black List Rules
The Black List module supports the Packet Trace feature. You enable or disable the feature globally
that is, for all the of the associated Black List rules.
To configure a Black List rule
1. In the Configuration perspective ACL tab navigation pane, select Black List.
2. To add or modify a black list rule, do one of the following:
3. Select the network to block, and enable or disable the rule. Click OK.
Table 103: Black List Rule Parameters
Identification
Name The name of the rule up to 50 characters.
Enable When selected, the rule is active.
Default: Enabled
Classification
Values:
An IP address
None
any
Default: any
Source Port The source Application Port class or application-port number that the rule
uses.
Values:
None
Values:
An IP address
None
any
Default: any
Destination Port The destination Application Port class or application-port number that the
rule uses.
Values:
None
Physical Ports The Physical Port class or physical port that the rule uses.
Values:
None
VLAN Tag The existing VLAN Tag class for the rule.
Values:
None
Protocol The protocol of the traffic that the policy inspects.
Values:
Any
GRE
ICMP
ICMPv6
IGMP
SCTP
TCP
UDP
Default: Any
Direction The direction to which the rule relates.
Values:
One-directionalThe protection applies to sessions originating from
sources to destinations that match the network definitions of the
policy.
Bi-directional The protection applies to sessions that match the
network definitions of the policy regardless of their direction.
Default: One-directional
Dynamic State
Dynamic Specifies whether the rule implements the Expiration Timer.
Default: Disabled
Note: Changing the configuration of the option takes effect only after a
device reset.
Expiration Timer Specifies the hours and minutes that the rule remains active.
Notes:
>> Changing the configuration of the timer values takes effect only
after a device reset.
>> The timer starts when the device resets. However, if there is no
change to the timer values and the Dynamic checkbox remains
selected any other change to the device configuration and an
subsequent reset does not affect the timerthe timer values will
display the time remaining.
>> You cannot create a dynamic Black List rule whose Expiration
Timer is longer than two hours.
>> A dynamic Black List rule must have a positive value for the
Expiration Timer.
>> The Expiration Timer for a static Black List rule must be set to 0
(zero hours and zero minutes).
Action
Action (Read-only) The action for a Black List rule is always Drop.
Report Specifies whether the device issues traps for the rule.
Managing the ACL Policy
The Access Control List (ACL) module is a stateful firewall that enables you to configure a flexible
and focused stateful access-control policy. You can modify and view the active ACL policy. You can
also view ACL report summaries and the ACL log analysis.
ACL in DefensePro does not work on the physical management ports (MNG 1 and MNG 2).
When enabled and activated, the relevant ACL configuration takes precedence over the Session
Table Aging parameter. For more information, see Configuring Session Table Settings, page 88.
To operate correctly, ACL needs to determine the direction of session packets.
ACL determines packet direction as follows:
TCP directionAccording to the first SYN packet that creates a session.
UDP directionAccording to the first packet in the flow.
ICMP directionAccording to the ICMP message type (that is, reply or request type).
Non-TCP, Non-UDP and Non-ICMP session directionAccording to the first L3 (IP) packet in the
flow.
Non-IP directionAccording to the first packet in the flow.
When ACL is enabled and activated, the device learns about the existing sessions for a specified
amount of time (by default, 10 minutes). During this learning period, the device accepts all sessions
regardless of any unknown direction. However, for the certain cases, ACL treats the session
according to the configured policies.
ACL treats the session according to the configured policies in the following cases:
A new TCP session starts with a SYN packet.
A new ICMP session starts with a request packet.
Configuring the ACL feature involves the following steps:
1. Configuring Global ACL Policy Settings, page 202.
2. Configuring ACL Policy Rules, page 205.
Note: Enabling an ACL policy requires a device reboot.
Configuring Global ACL Policy Settings
Before you configure an ACL policy, ensure that the ACL feature is enabled.
Caution: In a high-availability (HA) setup, when you enable ACL on the primary device, you
must reboot the device immediately. If you do not reboot, the secondary device may
synchronize its configuration and reboot automatically, causing traffic sent to the
secondary device to be blocked in the event of a switchover.
Note: Enabling ACL requires a device reboot.
To configure global ACL settings
1. In the Configuration perspective ACL tab navigation pane, select ACL Policy > Global
Settings.
Table 104: Global ACL Parameters
Global Settings
Enable ACL Specifies whether the ACL feature is enabled.
When you change this setting, the device requires an immediate
reboot.
Default: Disabled
Caution: The default configuration of the Default ACL policy blocks
all traffic.
Learning Period The time, in seconds, the device takes to learn existing sessions
before starting the protection.
During the learning period, the device accepts all sessions regardless
of any unknown direction.
However, for the following cases, ACL will treat the session according
to the configured policies:
A new TCP session that starts with a SYN packet
A new ICMP session that starts with a request packet
Values:
0The protection starts immediately
1max integer
Default: 600
TCP Handshake Timeout The time, in seconds, the device waits for the three-way handshake
to complete before the device drops the session.
TCP Timeout in Established
State
The time, in seconds, an idle session remains in the Session table. If
the device receives packets for a timed-out, discarded session, the
device considers the packets to be out-of-state and drops them.
Values: 607200
Default: 3600
TCP FIN Timeout The time, in seconds, the session remains in the Session table after
the device receives a FIN packet from both sides (from the client and
from the server).
Values: 1600
Default: 10
TCP RST Timeout The time, in seconds, the session remains in the Session table after
the device receives a TCP RST packet for the session.
Values: 1600
Default: 30
TCP Mid Flow Mode Specifies what the device does with out-of-state packets.
Values: Drop, Allow
Default: Drop
TCP Reset Validation Mode Specifies the action that the device takes when RST packet validation
fails (that is, the packet sequence number is not within the permitted
range).
Values: Drop, Allow, Report Only
Default: Drop
UDP Timeout The time, in seconds, that the device keeps an idle UDP session open.
After the timeout, the session is removed from the Session table.
Values: 13600
Default: 180
Unsolicited ICMP Specifies whether the ACL module permits unsolicited ICMP reply
messages.
ICMP Timeout The time, in seconds, that the device keeps an idle ICMP session
open. After the timeout, the session is removed from the Session
table.
Values: 1300
Default: 60
GRE Timeout The time, in seconds, that the device keeps an idle GRE session open.
After the timeout, the session is removed from the Session table.
Values: 17200
Default: 3600
SCTP Timeout The time, in seconds, that the device keeps an idle SCTP session
open. After the timeout, the session is removed from the Session
table.
Values: 17200
Default: 3600
Other IP Protocols Timeout The time, in seconds, that the device keeps an idle session of other IP
protocols (not UDP, not ICMP) open. After the timeout, the session is
removed from the Session table.
Values: 17200
Default: 600
Report and Trace Settings
Interval for Sending
Summary Reports
The frequency, in seconds, that the device produces ACL reports.
Values: 1600
Default: 60
Send Reports Using SRP When enabled, that the device sends ACL policy reports to the
APSolute Vision server.
Note: The Statistics Reporting Protocol (SRP) management host IP
address must be configured to send ACL policy reports. For
more information, see Configuring Advanced Settings,
page 72.
Configuring ACL Policy Rules
Configure ACL policy rules to create a flexible and focused stateful access-control policy.
You can activate and de-activate rules using predefined event schedules. For more information
about configuring event schedules, see Configuring the Device Event Scheduler, page 91.
Before you configure ACL rules, ensure that you have configured classes for the networks, physical
port groups, and VLAN tag groups that you want to use in the rules. For more information, see
Managing Classes, page 221.
To configure an ACL policy rule
1. In the Configuration perspective ACL tab navigation pane, select ACL Policies > Modify
Policy.
2. To add or modify a policy rule, do one of the following:
3. Configure the parameters.
Max Number of Report
Traps
The maximum number of detailed reports that the device generates
per second.
Values: 1100
Default: 10
Default: Disabled
(Configuration perspective > Advanced Parameters
> Security Reporting Settings > Enable Packet
Trace). In addition, a change to this parameter takes
effect only after you update policies.
Table 105: ACL Rule Parameters
Identification
Rule Name The name of the rule up to 50 characters.
Rule Index The index number for the rule. DefensePro examines policy rules
according to the ascending order of index numbers.
Enabled When selected, the rule is active.
Activate Schedule The predefined event schedule that activates the policy.
Default: None
De-activate Schedule The predefined event schedule that de-activates the policy.
Default: None
Classification
Protocol The protocol of the traffic that the policy inspects.
Values:
Any
ICMP
Other
TCP
UDP
Default: Any
Source The existing source Network class of the packets that the policy
inspects.
Values:
The Network classes displayed in the Classes tab
any
any_ipv4
any_ipv6
None
Default: any
Destination The existing destination Network class of the packets that the policy
inspects.
Values:
The Network classes displayed in the Classes tab
any
any_ipv4
any_ipv6
None
Default: any
Physical Port Group The Physical Port class or physical port that the rule uses.
Values:
None
VLAN Tag Group The existing VLAN Tag class for the rule.
Values:
The VLAN Tag classes displayed in the Classes tab
None
Default: None
Service
only when TCP or UDP is
selected for the Protocol
parameter.)
The Service for the rule. Services characterize traffic based on
Layer-37 criteria. A Service is a configuration of a basic filter, which
may combine with logical operators to achieve more sophisticated
filters (AND Group filters and OR Group filters). DefensePro supports
a long list of predefined basic filters.
You cannot configure Services in APSolute Vision. You can configure
basic filters using Web Based Management. For more information,
see Managing Services for Traffic Filtering, page 229.
Action The action that the policy takes on packets that match the
classification.
Values:
Accept
Drop
Drop + RST Source
Default: Accept
ICMP Flags
Source Quench The ICMP flags in the packets that the policy inspects. DefensePro
inspects only the packets with the selected flags.
You can specify ICMP flags only when ICMP is the specified protocol.
TIME STAMP
Information
Address Mask
Alternate Host Address
Domain
Router Advertisement
Router Solicitation
Destination Unreachable
REDIRECT
Time Exceeded
Parameter Problem
Echo
Packet Too Big
Home Agent
Table 105: ACL Rule Parameters
Viewing Active ACL Policy Rules
You can view the active rules in the ACL policy configured on the device.
To view the active ACL rule configuration
In the Configuration perspective Classes tab navigation pane, select ACL Policies > Active
Policy.
The table displays details of the current ACL rules configured on the device. For information
about ACL rule parameters, see ACL Rule Parameters, page 206.
Chapter 6 Bandwidth Management
This chapter describes the Bandwidth Management module.
Bandwidth Management Overview, page 209
Managing Bandwidth Management Global Settings, page 210
Bandwidth Management Policies, page 212
Port Bandwidth, page 220
Bandwidth Management Overview
The Bandwidth Management module includes a feature set that enables you to gain full control over
their available bandwidth. Using these features, you can prioritize applications according to a wide
array of criteria, while taking the bandwidth used by each application into account. For example,
Bandwidth Management allows you to give HTTP traffic priority over SMTP traffic, which, in turn,
may have priority over FTP traffic. At the same time, a Bandwidth Management solution can track
the actual bandwidth used by each applicationand either ensure a guaranteed bandwidth for a
certain application and/or set limits as to how much each classified traffic pattern can utilize.
The Bandwidth Management module enables you to define policies that restrict or maintain the
bandwidth that can be sent or received by each application, user, or segment. Therefore, you can
control the maximal bandwidth that DoS attacks can consume from corporate resourcesthus
ensuring that mission-critical operations are not affected, maintaining the service level required to
guarantee smooth business operation. In a similar manner, if you are a carrier, you can ensure that
a DoS attack launched on one customer does not compromise another customers Service License
Agreement (SLA).
Using the Bandwidth Management module, a device can classify traffic passing through it according
to predefined criteria and can enforce a set of actions on traffic. A comprehensive set of user-
configurable policies controls how the device identifies each packet and what it does with each
packet.
When a packet is matched, the device forwards the packet but drops the packet when maximum
bandwidth is reached.
Application Classification
The BWM module supports the following options for Application Classification:
Per PacketIf you configure Application Classification with the Per Packet option, the device
classifies every packet that flows through it. In this mode, every single packet must be
individually classified.
Per SessionIf you configure Application Classification with the Per Session option, all packets
are classified by session. The BWM module uses an complex algorithm to classify all packets in a
session until a best fit policy is found, fully classifying the session. Once the BWM module fully
classifies the session, the module classifies all packets belonging to the same session
accordingly. This not only allows for traffic classification according to application, but also saves
some overhead for the classifier, as it only needs to classify sessions, and not every single
packet.
Classification Mode
The BWM module supports the following classification modes:
PoliciesThe device classifies each packet or session by matching it to policies configured by
the user.
DiffservThe device classifies packets only by the Differentiated Services Code Point (DSCP)
value.
ToSThe device classifies packets only by the ToS (Type of Service) bit value.
Managing Bandwidth Management Global Settings
Before setting up Bandwidth Manager policies, you need to define the general bandwidth
management parameters.
To configure the BWM global settings
1. In the Configuration perspective BWM tab navigation pane, select Global Settings.
Table 106: BWM Global Settings
Global Settings
Classification Mode The classification to be used.
Values:
DiffservThe device classifies packets only by the DSCP
(Differentiated Services Code Point) value.
DisabledNo classification. The BWM feature is disabled.
PoliciesThe device classifies each packet according to
various policies configured by the user. The policies can
use parameters, such as source and destination IP
addresses, application, and so on. If required, the DSCP
field in the packets can be marked according to the policy
the packet matches.
ToSThe device classifies packets only by the ToS (Type
of Service) bits value.
Default: Disabled
Note: If you change the value for this parameter, you
must reset the device.
Application Classification The type of application classification.
The process of session classification considers either of the
following:
Each packet of the session is classified until the number
of Max Packets for Session Classification is reached.
There is a match based on Force Best Fit.
There is a match with a policys Content/OMPC
definitions.
Values:
Per SessionPackets are classified by session. All
packets in a session are classified until a best fit policy is
found, fully classifying the session. Once the session is
fully classified, all packets belonging to the same session
are classified accordingly.
Per PacketThe device classifies every packet that flows
through it.
Default: Per Session
Bandwidth per Traffic Flow Aging The time, in seconds, that the device keeps a non-active
traffic flow in the Bandwidth per Traffic Flow Sessions
Tracking table.
Default: 20
Max Packets for Session
Classification
When the Application Classification mode is Per Session and
one of the policies is configured to search for content, this
parameter specifies the maximum number of packets that the
device searches for the configured content.
If the device fails to find the content after the number of the
configured parameter, the device stops searching for the
content in the session.
Max Packets for Session Classification affects only packets
that contain Layer 4 data. For TCP, the device does not count
the three-way handshake packets.
The device counts packets in each direction of the session. If
the configured value is 5 for example, the device counts up to
five request packets and up to five reply packets.
In some cases, when classifying FTP traffic, the default value
should be higher, since the searched content may appear
after the first five packets.
Values:
0The device searches for the content in all the packets
belonging to the session.
1100
Default: 5
Enable Policy Statistics Monitoring Specifies whether BWM policy statistics are monitored.
Default: Disabled
Bandwidth Management Policies
This section describes Bandwidth Management policies and contains the following topics:
Bandwidth Management Policy Mechanism, page 212
Bandwidth Management Classification Criteria, page 213
Bandwidth Management Rules, page 214
Managing Bandwidth Management Policies, page 215
Bandwidth Management Policy Mechanism
The policy mechanism enables you to classify and manage the bandwidth on the traffic passing
through the device.
A policy consists of a set of conditions (classification criteria) and a set of actions that apply as a
consequence of the conditions being matched.
Policy Statistics Reporting Period The time, in seconds, that the device monitors policy
statistics.
Values: 1999999999
Default: 60
Forward Reporting to Management
System
Specifies whether the device sends BWM statistics to the
APSolute Vision.
Default: Disabled
Report Settings
Reports Start Threshold The threshold for starting to send reports regarding a specific
policy. The threshold is the percentage of the specified
Maximum Bandwidth. When reporting is enabled and the
bandwidth consumption reaches the threshold, the device
starts sending the reports.
Values: 1100
Default: 95
Reports Termination Threshold The threshold for stopping the sending of reports regarding a
specific policy. The threshold is the percentage of the
specified Maximum Bandwidth and must be less than or equal
to the Reports Start Threshold. When reporting is enabled
and the bandwidth consumption falls below the threshold for
the specified Reports Sustained Period, the device stops
sending the reports.
Values: 1100
Default: 5
Reports Sustained Period The time, in seconds, that the bandwidth consumption must
be less than or equal to the specified Reports Termination
Threshold before the device stops sending the reports.
Values: 13600
Default: 60
Bandwidth Management Classification Criteria
You can use an object (for example, a network object) that you have already configured or you can
add an IP address manually. Radware recommends that you work with objects that you have already
configured.
A policy includes the following traffic classification criteria:
SourceSpecifies the source of the traffic. This can be specific IP addresses, a range of IP
addresses or IP Subnet address. You should first configure Networks. The default value is any,
which covers traffic from any source.
DestinationSpecifies the destination of the traffic. This can be specific IP addresses, a range
of IP addresses or IP Subnet address. The default value is any, which covers traffic to any
destination.
Note: To limit or block access to the devices interface, type the IP address of the interface
in the Destination box.
DirectionSetting the direction mode to one way enables asymmetric BWM. When a policy is
set to One Way, the classifier searches for traffic in one direction only, while with Two Way, the
device searches both directions. When a rule is set to One Way, the device classifies only one
direction of the traffic and the return traffic is not classified. When a rule is set to Two Way, on
the way back, the device replaces the source and destination IP addresses and ports (in case the
rule is a Layer 4 or Layer 7 rule).
ServiceSpecifies the traffic type. The Service configured per policy can allow the policy to
consider other aspects of the packet, such as the protocol (IP/TCP/UDP), TCP/UDP port
numbers, bit patterns at any offset in the packet, and actual content (such as URLs or cookies)
deep in the upper layers of the packet. Available Services are very granular. The default value is
None, which covers all protocols.
Inbound Physical Port GroupClassifies only traffic received on certain interfaces of the
device. Enables you to set different policies to identify traffic classes that are received on
different interfaces of the device.
VLAN Tag GroupSpecifies VLAN traffic classification according to VLAN ID (VLAN Identifier)
tags.
Traffic Flow IdentificationSpecifies what type of traffic flow we are going to limit via this
policy. The available options are:
Client (source IP)
Session (source IP and port)
Connection (source IP and destination IP)
Full L4 Session (source and destination IP and port)
Session Cookie (must configure cookie identifier)
Cookie Field IdentifierA string that identifies the cookie field whose value must be used to
determine the different traffic flows.
Note: This is required only when Traffic Flow Identification is set to SessionCookie. When
Traffic Flow Identification is set to SessionCookie, the BWM classifier searches for
the Cookie Field Identifier followed by an equal sign (=) and classifies flows
according to the value.
Example
If you have the following rule:
Source: IP_A
Destination: IP_B
Service: HTTP
Direction: One Way
only traffic with a source IP, IP_A and a destination IP IP_B with source port X and destination
port 80 would be classified. The return packet, with source IP_B and destination IP IP_A, with
source port x and destination port 80 would not be classified.
Example
If you have the following rule:
Source: NET_A
Destination: NET_B
Service: HTTP
Direction: Two Way
a packet with source IP belongs to NET_A with a destination IP belongs to NET_B requesting a
HTTP request will be matched, while a packet with source IP belongs to NET_B with a destination
IP belongs to NET_A requesting a HTTP request will not be matched, even if the rule is set to two
ways.
Bandwidth Management Rules
Once the traffic is classified and matched to a policy, the Bandwidth Management rules can be
applied to the policy.
Priority
The packet is classified according to the configured priority. There are nine (9) options available:
real-time forwarding and priorities 0 through 7.
Guaranteed Bandwidth
You can configure the policy to guarantee a minimum bandwidth. The BWM module will not allow
packets that were classified through this policy to exceed this allotted bandwidth, unless borrowing
is enabled. Note that the maximum bandwidth configured for the entire device overrides per-policy
bandwidth configurations. That is, the sum of the guaranteed bandwidth for all the policies cannot
exceed the total device bandwidth.
Max Concurrent Sessions
The Max Concurrent Sessions allowed for the BWM policy.
Packet Marking
Packet Marking refers to Differentiated Services Code Point (DSCP) or Diffserv. It enables the device
to mark the packet with a range of bits.
Policy Index
The policy order or index is a number that determines the order of the policy in the entire policy
database. When the classifier receives a packet, it tries to find a policy that matches the packet. The
classifier searches the policy database starting with policy #1, in descending order. Once a policy is
matched, the process is stopped. Using this logic, the very last policy configured should be the policy
that is enforced on all packets that do not match any other policies. In other words, the last
configured policy should be the default policy.
Managing Bandwidth Management Policies
You can view the configuration of active BWM policies, as well as configure new ones.
The policy database comprises two sections. The first section is the temporary or inactive portion.
You can alter and configure these policies without affecting the current operation of the device. As
these policies are adjusted, the changes do not take effect unless the inactive database is activated.
The activation updates the active policy database, which is what the device uses to filter the packets
that flow through it.
Configuring BWM Policies, page 215
Viewing the Configuration of Active BWM Policies, page 219
Configuring BWM Policies
To configure a BWM policy
1. In the Configuration perspective BWM tab navigation pane, select Modify Policies.
Note: The pane is displayed with a table comprising a column for each BWM Rule
parameter. To define the columns, right-click the table heading row, and select or
deselect the relevant values.
2. To add or modify a BWM policy rule, do one of the following:
To add an entry to the table, click the (Add) button.
To edit an entry in the table, double-click the entry.
3. Configure the parameters and click OK.
4. To activate your changes on the device, click Activate Latest Changes.
Table 107: BWM Rule Parameters
Identification
Name The user-defined name of the policy.
Values: 1100,000
Note: This value is read-only after creation.
Index The index number of the policy.
Description A description of the policy.
Enable Policy Specifies whether the policy is enabled.
Values:
EnabledWhen BWM policies are updated, this policy is used to be
matched against packets.
DisabledWhen BWM policies are updated, this policy is not used
to be matched against packets.
Default: Enabled
Activate Schedule The Event Schedule for activation of the policy.
Note: The schedule must be configured already.
De-activate Schedule The Event Schedule for de-activation of the policy.
Note: The schedule must be configured already.
Classification
Values:
An IP address
any
Default: any
Values:
An IP address
any
Default: any
Port Group The Physical Port class or physical port that the rule uses.
Values:
None
Default: None
Values:
None
Default: None
Service Type The type of Service (filter).
Values:
None
Basic Filter
AND Group
OR Group
Default: None
Note: For more information, see Managing Services for Traffic
Filtering, page 229.
Service Name The name of the service required for this policy, based on the Service
Type.
Values:
One WayThe rule applies to sessions originating from sources to
destinations that match the network definitions of the policy.
Two WayThe rule applies to sessions that match the network
definitions of the policy regardless of their direction.
Default: Two Way
Action
Guaranteed Bandwidth The bandwidth limitation, in Kbit/s, for packets matching this policy.
Default: 0
Note: The value for Guaranteed Bandwidth must be less than or
equal to the value for Maximum Bandwidth.
Maximum Bandwidth The maximum bandwidth, in kbit/s, for packets matching this policy.
Values:
Unlimited
0The rule drops all matching packets
18,000,000
Priority The priority attached to the packet by which it is forwarded.
Values:
Real Time
077 is the lowest priority.
Default: Real Time
Per Traffic Flow
Traffic Flow Identification The type of traffic flow that this policy manages.
Values:
None
ClientSource IP
SessionSource IP and port
ConnectionSource IP and destination IP
Full L4 SessionSource and destination IP and port
Session CookieMust configure cookie identifier
SIP Call ID
Traffic Flow Maximum
Bandwidth
The maximum bandwidth, in Kbit/s, allowed per traffic flow.
Force Best Fit Specifies whether the device classifies traffic according to Best Fit as
opposed to First Fit.
Values:
EnabledThe traffic is classified per packet instead of per session.
DisabledThe traffic is classified directly from the policy.
Default: Disabled
Cookie Field Identifier
(This parameter is
displayed only when
Traffic Flow Identification
is set to SessionCookie.)
A string that identifies the cookie field whose value to use to determine
the different traffic flows.
When Traffic Flow Identification is set to SessionCookie, the BWM
classifier searches for the Cookie Field Identifier followed by = and
classifies flows according to the value. For example, if the value of the
Cookie Field Identifier is name, then all sessions that have name=a will
share the configured maximum bandwidth, and all packets with name=b
will share the maximum configured bandwidth.
Packet Marking Type Marks the packet with a range of bits displayed in the drop-down list.
Values:
NoneNo marking
DSCPDifferentiated Services Code Point
ToSType of Service
Default: None
Packet Marking Value The Packet Marking value.
Values:
None
063For DCSP
07For ToS
Default: None
Viewing the Configuration of Active BWM Policies
To view the configuration of an active BWM policy
1. In the Configuration perspective BWM tab navigation pane, select Active Policies. The pane is
displayed with a table displaying all the active BWM policies, read-only.
Note: The pane is displayed with a table comprising a column for each BWM Rule
parameter. To define the columns, right-click the table heading row, and select or
deselect the relevant values.
2. To view the configuration of a specific, active BWM policy rule (read-only), double-click the entry
in the table.
3. View the parameters and click OK. to close the dialog box.
Advanced
Maximum Concurrent
Sessions
The maximum number of concurrent sessions allowed for a client IP
address.
Default: 0
Note: This option is not available if the Traffic Flow Identifier is set to
Session or Full L4 Session.
Maximum HTTP Requests
Per Second
The maximum number of requests (for example GET, POST, or HEAD)
per second per traffic flow. The device can implement this feature only
when Traffic Flow Identification and Traffic Flow Max BW parameters are
not None or 0 respectively.
Default: 0
Table 108: Active BWM Rule Parameters
Identification
Name The user-defined name of the policy.
Index The index number of the policy.
Description A description of the policy.
Activate Schedule The Event Schedule for activation of the policy.
De-activate Schedule The Event Schedule for de-activation of the policy.
Classification
Port Group The Physical Port class that the rule uses.
Port Bandwidth
To optimize the queuing algorithm, it is essential for the BWM module to be aware of the maximum
available bandwidth on the ports. This can configured via the BWM port Bandwidth table. By default,
the maximum available throughput is determined by the port type100 Mbit/s for the FE ports
and 1 Gbit/s for the Gigabit Ethernet ports. The priority mechanism will only begin to function upon
link saturation. Configuring the maximum throughput is the only way of telling if the link is
saturated.
To define a maximum available bandwidth for a port
1. In the Configuration perspective BWM tab navigation pane, select Ports Bandwidth Table.
2. Double-click the port whose maximum available bandwidth you want to define.
3. In the Port Bandwidth text box, type the required value.
4. Click OK.
Service Type The type of Service (filter).
Note: For more information, see Managing Services for Traffic
Filtering, page 229.
Service Name The name of the service required for this policy, based on the Service
Type.
Action
Guaranteed Bandwidth The bandwidth limitation, in Kbit/s, for packets matching this policy.
Maximum Bandwidth The maximum bandwidth, in kbit/s, for packets matching this policy.
Priority The priority attached to the packet by which it is forwarded.
Per Traffic Flow
Traffic Flow Identification The type of traffic flow that this policy manages.
Traffic Flow Maximum
Bandwidth
The maximum bandwidth, in Kbit/s, allowed per traffic flow.
Force Best Fit Specifies whether the device classifies traffic according to Best Fit as
opposed to First Fit.
Cookie Field Identifier A string that identifies the cookie field whose value must be used to
determine the different traffic flows.
Packet Marking Type Marks the packet with a range of bits displayed in the drop-down list.
Packet Marking Value The Packet Marking value.
Maximum Concurrent
Sessions
The maximum number of concurrent sessions allowed for a client IP
address.
Table 108: Active BWM Rule Parameters
Chapter 7 Managing Classes
Classes define groups of elements of the same type of entity.
You can configure classes based on the following:
Networksto classify traffic in a network-protection rule or a bandwidth management rule.
Application portsto define or modify applications based on Layer 4 destination ports.
Physical device portsto classify traffic in a network-protection rule or a bandwidth
management rule.
VLAN tagsto classify traffic in a network-protection rule or a bandwidth management rule.
MAC addressesto classify traffic whose source or destination is a transparent network
device.
MPLS RDsto classify traffic in a network-protection rule.
After you create or modify a class, the configuration is saved in the APSolute Vision database. You
must activate the configuration to download it to the device. You can also view the current class
configurations on your device. After creation, you cannot modify the name of a class, or the
configuration of application, MAC, or physical port classes.
This chapter contains the following topics:
Configuring Network Classes, page 221
Configuring Application Classes, page 223
Configuring Physical Port Classes, page 224
Configuring VLAN Tag Classes, page 224
Configuring MAC Address Classes, page 225
Viewing Active Class Configurations, page 226
Configuring MPLS RD Groups, page 227
Configuring Network Classes
A network class is identified by a name and defined by a network address and mask, or by a range
of IP addresses (from-to). For example, network net1 can be 10.0.0.0/255.0.0.0 and network net2
can be from 10.1.1.1 to 10.1.1.7; alternatively, network net1 can be 1234::0/32 and network net2
can be from 1234::0 to 1234:FFFF:FFFF:FFFF. The Network list allows either configuration.
Using classes allows you to define a network comprised of multiple subnets and/or IP ranges, all
identified with the same class name. For example, network net1 can be 10.0.0.0/255.255.255.0 and
10.1.1.1 to 10.1.1.7.
You can use network classes in the following:
Black lists
White lists
Network-protection policies/rules to match source or destination traffic
Note: APSolute Vision uses the term rule (or rules), whereas DefensePro may use the term
policy (or policies).
Bandwidth management rules
Managing Classes
To configure a network class
1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration >
Networks.
2. To add or modify a network class, do one of the following:
To add a class, click the (Add) button.
To edit a class, double-click the entry in the table.
3. Configure the network class parameters.
Table 109: Network Class Parameters
Network Name The name of the network class.
The network name is case-sensitive.
The network name cannot be an IP address.
Network Type Values: IPv4, IPv6
Entry type Whether the network is defined by a subnet and mask, or by an IP
range.
Values: IP Mask, IP Range
Network Address
(For IP Mask entry only)
The network address.
Mask
The mask of the subnet, which you can enter in either of the
following ways:
A subnet mask in dotted decimal notationfor example,
255. 0. 0. 0 or 255. 255. 0. 0.
An IP prefix, that is, the number of mask bitsfor example, 8 or
16.
From IP
(For IP Range entry only)
The first IP address in the range.
To IP
The last IP address in the range.
Managing Classes
Configuring Application Classes
Application classes are groups of Layer-4 ports for UDP and TCP traffic. Each class is identified by its
unique name, and you can define multiple Layer-4 ports in a single class. You cannot modify the
predefined application classes for standard applications; however, you can add entries for the class.
You can add and modify user-defined classes to the Application Port Group table.
To configure an application class
Applications.
2. To add or modify an application class, do one of the following:
3. Configure application class parameters.
Table 110: Application Class Parameters
Ports Group Name The name of the Application Port Group.
To associate a number of ranges with the same port group, use the same
name for all the ranges that you want to include in the group. Each range
appears as a separate row with the same name in the Application Port
Group table.
Type of Entry (Read-only) System or User Defined.
From L4 Port The first port in the range.
To L4 Port The last port in the range.
To define a group with a single port, set the same value for the From L4
Port and To L4 Port parameters.
Managing Classes
Configuring Physical Port Classes
You can define network segments using definitions of physical ports. Use physical port classes to
classify traffic according to physical ports in security policy rules and bandwidth management rules.
To configure a physical port class
Physical Port Groups.
2. To add or modify a physical port class, do one of the following:
3. Enter a name for the physical port class, and select the inbound port to be associated with it.
4. Click OK.
Tip: You can update all configuration policies on the device in a single operation.For more
Configuring VLAN Tag Classes
You can define network segments using VLAN tags. Use VLAN tag classes (groups) to classify traffic
according to VLAN tags in security policy rules and bandwidth management rules.
Each DefensePro device supports a maximum 64 VLAN Tag groups. Each VLAN Tag group can
contain a maximum 32 discrete tags and 32 ranges. That is, in effect, each managed device
supports up to 64
2
definitions.
To configure a VLAN tag class
VLAN Tags.
2. To add or modify a VLAN tag group class, do one of the following:
3. Configure VLAN tag group class parameters.
Managing Classes
Configuring MAC Address Classes
MAC groups identify traffic whose source or destination is a transparent network device.
To configure a MAC address class
MAC Addresses.
2. To add or modify a MAC address class, do one of the following:
3. Enter a name for the MAC group and the MAC address associated with the group. Click OK.
Tip: You can update all configuration policies on the device in a single operation.For more
Table 111: VLAN Tag Group Class Parameters
VLAN Tags Group Name The name of the VLAN group.
Group Mode The VLAN mode.
Values:
DiscreteAn individual VLAN tag, as defined in the interface
parameters of the device.
RangeA group of sequential VLAN tag numbers, as defined in
the interface parameters of the device.
VLAN Tag
(Discrete mode only)
The VLAN tag number.
VLAN Tag From
(Range mode only)
The first VLAN tag in the range.
You cannot modify this field after creating the VLAN group.
VLAN Tag To
(Range mode only)
The last VLAN tag in the range.
Managing Classes
Viewing Active Class Configurations
You can view the active class configurations that are configured on the device.
Viewing the Active Network Class Configuration, page 226
Viewing the Active Application Class Configuration, page 226
Viewing the Active MAC Address Class Configuration, page 227
Viewing the Active Physical Port Class Configuration, page 226
Viewing the Active VLAN Tag Class Configuration, page 227
Viewing the Active Network Class Configuration
You can view the active network classes that are configured on the device.
To view the active network class configuration
In the Configuration perspective Classes tab navigation pane, select Active Configuration >
Networks.
The table displays details of the current configuration of all the network classes on the device.
For information about network class parameters, see Configuring Network Classes, page 221.
Viewing the Active Application Class Configuration
You can view the active Application Port Group classes that are configured on the device.
To view the active application class configuration
Applications.
The table displays details of the current configuration of all the Application Port Groups on the
device. For information about Application Port Group parameters, see Configuring Application
Classes, page 223.
Viewing the Active Physical Port Class Configuration
You can view the active physical port group classes that are configured on the device.
To view the active physical port group class configuration
Physical Port Groups.
The table displays details of the current configuration of all the physical port groups on the
device.
Managing Classes
Viewing the Active VLAN Tag Class Configuration
You can view the active VLAN tag classes that are configured on the device.
To view the active VLAN tag class configuration
VLAN Tags.
The table displays details of the current configuration of all the VLAN tag classes on the device.
For information about VLAN tag class parameters, see Configuring VLAN Tag Classes, page 224.
Viewing the Active MAC Address Class Configuration
You can view the active MAC address classes that are configured on the device.
To view the active MAC Address class configuration
MAC Addresses.
The table displays details of the current configuration of all the MAC address classes on the
device.
Configuring MPLS RD Groups
To achieve faster switching in VPNs over Multi-protocol Label Switching (MPLS) networks, a route
distinguisher (RD) is used for each packet. If a DefensePro device is installed on a link where it can
listen to Border Gateway Protocol (BGP) and LDP signaling, you can configure policies on the device
using MPLS RDs.
An RD is an address qualifier used only within a single Internet service providers Multi-Protocol
Label Switching (MPLS) network. It is used to uniquely define MPLS Virtual Routing and Forwarding
(VRF) and to distinguish the distinct Virtual Private Network (VPN) routes of separate customers who
connect to the provider.
You can define the segment that you want to protect using MPLS RDs. DefensePro detects the
MPLS RD values when installed between P (provider) and PE (provider edge) routers in the
providers MPLS backbone. Only the packets that match the MPLS RD value of this segment are
inspected by the policy.
Note: To use MPLS RD, you must enable MPLS RD and configure the MPLS RD groups.
Managing Classes
To configure MPLS RD groups
1. In the Configuration perspective Classes tab navigation pane, select MPLS RD.
To add an MPLS RD group, click the (Add) button.
To edit an MPLS RD group, double-click the group name.
3. Configure the MPLS RD group parameters and click OK.
Table 112: MPLS RD Group Parameters
Group Name A user-defined name for the MPLS RD group.
MPLS RD The MPLS RD value manually based on the type.
Type Describes the MPLS RD format.
Values:
2 Bytes : 4 Bytes
4 Bytes : 2 Bytes
IP Address : 2 Bytes
Chapter 8 Managing Services for Traffic
Filtering
The ACL and BWM modules can use Services to filter traffic. Services classify traffic based on Layer-
37 criteria. A Service is a configuration of a basic filter, which may combine with logical operators
to achieve more sophisticated filters (AND Group filters and OR Group filters). The ACL and BWM
modules support a long list of predefined basic filters. A basic filter includes attributes that specify
parameters such as protocol, application port, and content type. When the protocol of a basic filter is
TCP or UDP, the filter can include a text string.
You cannot configure Services in APSolute Vision. You can configure basic filters using Web Based
Management.
You can configure Services (using Web Based Management) separately from policies. When you
configure a policy, you can associate it with an existing Service.
Basic Filters, page 229
AND Group Filters, page 235
OR Group Filters, page 236
Viewing Active Services, page 237
Basic Filters
The ACL and BWM modules support an extensive list of predefined basic filters (see Predefined Basic
Filters, page 230). Using Web Based Management, you can also create your own basic filters.
A basic filter includes the following components:
ProtocolThe specific protocol that the packet should carry. The choices are IP, TCP, UDP,
ICMP, NonIP, ICMPV6, and SCTP. If the specified protocol is IP, all IP packets (including TCP and
UDP) will be considered.
When configuring TCP or UDP protocol, the following additional parameters are available:
Destination Port (From-To)Destination port number for that protocol. For example, for
HTTP, the protocol would be configured as TCP and the destination port as 80. The port
configuration can also allow for a range of ports to be configured.
Source Port (From-To)Similar to the destination port, the source port that a packet should
carry in order to match the filter can be configured.
Offset Mask Pattern Condition (OMPC)The OMPC is a means by which any bit pattern can
be located for a match at any offset in the packet. This can aid in locating specific bits in the IP
header, for example. TOS and Diff-serv bits are perfect examples of where OMPCs can be useful.
It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured, there
should be an OMPC match in addition to a protocol (and source/destination port) match. In
other words, if an OMPC is configured, the packet needs to match the configured protocol (and
ports) and the OMPC.
Content Specifications
When the protocol of a basic filter is TCP or UDP, you can search for any text string in the packet.
Like OMPCs, a text pattern can be searched for at any offset in the packet. HTTP URLs are perfect
examples of how a text search can help in classifying a session.
Managing Services for Traffic Filtering
You can choose from the following types of configurable content:
URL
Hostname
HTTP header field
Cookie
mail domain
Mail to
Mail from
Mail subject
File type
Regular expression
Text
When the content type is URL, for example, the module assumes the session to be HTTP with a GET,
HEAD, or POST method. The module searches the URL following the GET/HEAD/POST to find a
match for the configured text. In this case, the configured offset is meaningless, since the GET/
HEAD/POST is in a fixed location in the HTTP header. If the content type is text, the module searches
the entire packet for the content text, starting at the configured offset.
By allowing a filter to take actual content of a packet/session into account, the module can recognize
and classify a wider array of packets and sessions.
Like OMPCs, Content Rules are not mandatory to configure. However, when a Content Rule exists in
the filter, the packet needs to match the configured protocol (and ports), the OMPC (if one exists)
and the Content Rule.
Predefined Basic Filters
The BWM module supports an extensive list of predefined basic filters.
The ACL and BWM modules support an extensive list of predefined basic filters. You cannot modify or
delete predefined basic filters. For the list of predefined basic filters, see Appendix D - Predefined
Basic Filters, page 325.
Configuring Basic Filters
Caution: If you modify the configuration of a filter that is used in an existing and enabled policy,
you need to activate the latest changes (Classes > Update Policies > Set).
To configure a basic filter
1. Select Classes > Modify Services > Basic Filters. The Modify Basic Filter Table pane is
displayed. The Modify Basic Filter Table pane contains a table with the following columns:
Name
Description
Protocol
OMPC Offset
OMPC Mask
2. Select the relevant link. The Modify Basic Filter Table Update pane is displayed.
3. Configure the parameters; and then, click Set.
Table 113: Basic Filter Parameters
Name (Read-only) The name of the filter.
Protocol Values:
IP
TCP
UDP
ICMP
NonIP
ICMPV6
SCTP
Default: IP
Source App. Port The Layer-4 source port or source-port range for TCP, UDP, or SCTP
traffic.
Values:
Values in the range 065,535
Value ranges (for example, 30400)
dcerpc
dns
ftp
http
https
imap
ms-sql-m
ms-sql-s
ntp
pop3
radius
sip
smtp
snmp
ssh
sunrpc
telnet
Note: The value must be greater than the Source Port Range: From
value.
Destination App. Port The Layer-4 destination port or source-port range for TCP, UDP, or
SCTP traffic.
Values:
Values in the range 065,535
Value ranges (for example, 30400)
dcerpc
dns
ftp
http
https
imap
ms-sql-m
ms-sql-s
ntp
pop3
radius
sip
smtp
snmp
ssh
sunrpc
telnet
Note: The value must be greater than the Destination Port Range:
From value.
OMPC Offset Relative to Specifies to which OMPC offset the selected offset is relative to.
Values:
None
IPv4 Header
IPv6 Header
IP Data
L4 Data
Ethernet
ASN1
L4 Header
OMPC Offset The location in the packet where the data starts being checked for
specific bits in the IP or TCP header.
Values: 01513
Default: 0
OMPC Mask The mask for OMPC data. The value must be defined according to the
OMPC Length parameter.
Values: Must comprise eight hexadecimal symbols
Default: 00000000
OMPC Pattern The fixed-size pattern within the packet that the OMPC rule attempts
to find. The value must be defined according to the OMPC Length
parameter. The OMPC Pattern must contain eight hexadecimal
symbols. If the value for the OMPC Length parameter is smaller than
Four Bytes, you need to pad the OMPC Pattern with zeros. For
example, if OMPC Length is two bytes, the OMPC Pattern can be
abcd0000.
Values: Must comprise eight hexadecimal symbols
Default: 00000000
OMPC Condition Values:
None
Equal
Not Equal
Greater Than
Less Than
Default: None
OMPC Length Values:
None
One Byte
Two Bytes
Three Bytes
Four Bytes
Default: None
Content Offset Specifies the location in the packet at which the checking of content
starts.
Values: 01513
Default: 0
Content Contains the value of the content search.
Values: < space > ! " # $ % & ' ( ) * + , -. / 0 1 2 3 4 5 6 7 8 9 : ; <
= > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _
` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~ .
Content Type Specifies the specific content type to search for.
Values:
None
URLA URL in the HTTP request URI.
TextText anywhere in the packet.
Host NameA hostname in the HTTP header. The host names in
the Hostname List of an L7 Policy are not algorithmically related to
a host name configured for a basic filter.
Header FieldA header field in the HTTP header.
ExpressionText anywhere in the packet represented by a
regular expression specified in the Content field.
Mail DomainThe Mail Domain in the SMTP header.
Mail ToThe Mail To SMTP header.
Mail FromThe Mail From SMTP header.
Mail SubjectThe Mail Subject SMTP header.
File TypeThe type of the requested file in the HTTP GET
command (for example, JPG, EXE, and so on).
CookieThe HTTP cookie field. The Content field includes the
cookie name, and the Content Data field includes the cookie
value.
Normalized URLA normalized URL in the HTTP request URI.
POP3 UserThe POP3 User field in the POP3 header.
URI lengthFilters according to URI length.
FTP CommandParses FTP commands to commands and
arguments, while normalizing FTP packets and stripping Telnet
opcodes.
FTP ContentScans the data transmitted using FTP, normalizes
FTP packets and strips Telnet opcodes.
Generic Url The generic URL in the HTTP Request URI. No
normalization procedures are taken. GET/HEAD/POST is not
required when this type is selected. This is applicable for protocols
like SIP, BitTorrent, and so on.
Generic HeaderIn the HTTP Request URI. No normalization
procedures are taken. GET/HEAD/POST is not required when this
type is selected. This is applicable for protocols like SIP,
BitTorrent, and so on.
Generic CookieIn the HTTP Request URI. No normalization
procedures are taken. GET/HEAD/POST is not required when this
type is selected. This is applicable for protocols like SIP,
BitTorrent, and so on.
SIP Call From
SIP Call To
SIP callerThe SIP Call From or the SIP Call To
Default: None
AND Group Filters
An AND Group filter is a combination of basic filters with a logical AND between them. The ACL and
BWM modules support a set of predefined, static and AND Groups.
Using Web Based Management, you can create your own AND Groups using basic filters.
Note: You cannot modify or delete predefined AND Groups.
Content End Offset Specifies the location in the packet at which the checking of content
ends.
Values: 01499
Default: None
Content Data Refers to search for content within the packet.
Content Coding The encoding type of the content to search for (as specified in the
Content field).
Values:
None
Case Insensitive
Case Sensitive
HEX
International
Default: None
parameter.
Content Data Coding The encoding type of the content data to search for (as specified in the
Content Data field).
Values:
None (Default)
Case Insensitive
Case Sensitive
HEX
International
Default: None
parameter.
Description A description of the filter.
Example
The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as:
AF1= {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three
filters (F1, F2, and F3).
To configure an AND Group filter
1. Select Classes > Modify > Services > AND Groups. The Modify AND Groups Table pane is
displayed.
2. Click Create. The Modify AND Groups Table Create pane is displayed.
3. Set the following parameters:
4. Click Set.
5. Repeat the previous steps in this procedure (using the same AND Group Name) until you have
added all the required basic filters to the AND Group.
6. Click Set.
OR Group Filters
An OR Group Filter is a combination of basic filters and/or AND filters with a logical OR between
them. The ACL and BWM modules support a set of predefined, static OR Groups. The predefined are
based on the predefined basic filters.
Using Web Based Management, you can also create your own OR Groups using basic filters or AND
Groups.
Example
The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as:
AF1= {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three
filters (F1, F2, and F3). Filter FG1 is user-defined as: FG1 = {AF1 OR F4 OR F6}. In order for a
packet to match FG1, the packet must match either filter AF1, basic filter F4, or basic filter F6.
Use the Modify OR Groups Table pane to create, modify, and delete the OR Group filters.
Note: You cannot modify or delete predefined OR Groups.
AND Group Name The user-defined AND Group name.
Basic Filter Name A basic filter for this AND Group.
To configure an OR Group filter
1. Select Classes > Modify > Services > OR Groups. The Modify OR Groups Table pane is
displayed.
2. Click Create. The Modify OR Groups Table Create pane is displayed.
3. Configure the parameters; and then click Set.
Viewing Active Services
Using Web Based Management, you can view active services and the configuration of each.
To view active Basic Filters
Select Classes > View Active > Services > Basic Filter. The Active Basic Filter Table pane is
displayed.
Note: To view the configuration of the filter (read-only), select the link of the relevant
filter.
To view active AND Groups
Select Classes > View Active > Services > AND Groups. The Active AND Groups Table pane
is displayed.
filter.
Table 114: OR Groups Parameters
OR Group Name The user-defined OR Group name.
Filter Name A basic filter or an AND Group, depending on the value in the Filter Type
drop-down list, for this OR Group.
Filter Type Specifies the type of the filter options displayed in the Filter Name drop-
down list.
Values: Basic Filter, And Group
To view active OR Groups
Select Classes > View Active > Services > OR Groups. The Active OR Groups Table pane is
displayed.
filter.
Chapter 9 Managing Device Operations and
Maintenance
Use the APSolute Vision Monitoring perspective for the following operation and maintenance tasks
for managed devices:
Rebooting a DefensePro Device, page 239
Shutting Down a DefensePro Device, page 240
Enabling and Disabling APSolute Vision Monitoring, page 240
Viewing and Setting Device Date and Time, page 241
Upgrading Device Software, page 241
Downloading a Devices Log File to the APSolute Vision Client, page 242
Updating a Radware Signature File or RSA Signature File, page 243
Downloading a Technical Support File to the APSolute Vision Client, page 244
Managing DefensePro Device Configurations, page 244
Updating Policy Configurations on a DefensePro Device, page 246
Checking Device Memory Availability, page 247
Resetting the Baseline for DefensePro, page 247
Enabling and Disabling Interfaces, page 248
Scheduling APSolute Vision and Device Tasks, page 248
Rebooting a DefensePro Device
Some configuration changes on the device require a device reboot for the configuration to take
effect. This is indicated by a Reboot required notification in the Properties pane. You can activate
the device reboot from APSolute Vision.
Note: You can schedule device reboots in the APSolute Vision scheduler. For more information,
see Configuring Tasks in the Scheduler, page 249.
To reboot a DefensePro device
1. In the Monitoring perspective system pane, right-click the device name and select Reboot.
2. Click Yes in the Confirmation Required dialog box.
Managing Device Operations and Maintenance
Shutting Down a DefensePro Device
You can activate a device shutdown from APSolute Vision.
Note: This feature applies only to OnDemand Switch platforms.
To shut down a DefensePro device
1. In the Monitoring perspective system pane, right-click the device name and select Shutdown.
2. Click Yes in the Confirmation Required dialog box.
Enabling and Disabling APSolute Vision Monitoring
APSolute Vision monitoring is available by default. When enabled, APSolute Vision polls the
DefensePro device for its status and collects device statistics.
You might want to disable APSolute Vision monitoring when testing, or using the device in a non-
production environment.
When you disable APSolute Vision monitoring for a device:
APSolute Vision stops polling the device for its status.
The device icon in the system pane includes a small question mark (?) for DefensePro.
The Alerts pane does not receive alerts from the device.
The device node in the sites tree does not include the device entities (for example, ports and
trunks).
Monitoring perspective tabs are unavailable.
DefensePro real-time and historical reports are not collected.
To enable APSolute Vision monitoring
In the Monitoring perspective system pane, right-click the device name and select Enable
Vision Monitoring. disable APSolute Vision monitoring
To disable APSolute Vision monitoring
In the Monitoring perspective system pane, right-click the device name and select Disable
Vision Monitoring.
Viewing and Setting Device Date and Time
You can view the current date and time on a DefensePro device and you can change its date and
time setting.
To view the date and time on a DefensePro device
In the Monitoring perspective system pane, right-click the device name and select Show Date
& Time.
Note: The date and time display is a snapshot only. It does not change if the dialog box is
left open.
To change the date and time on a DefensePro device
1. In the Monitoring perspective system pane, right-click the device name and select Set Date and
Time.
2. Set the date and/or time as required, and click OK.
Upgrading Device Software
You can upgrade the software version on DefensePro devices from APSolute Vision.
A device upgrade enables the new features and functions on the device without altering the existing
configuration. In exceptional circumstances, new software versions are incompatible with legacy
configuration files from earlier software versions. This most often occurs when attempting to
upgrade from a very old version to the most recently available version.
The software version file must be located on the APSolute Vision client system. APSolute Vision
automatically transfers it to the APSolute Vision server and uploads it to the device. New software
versions require a password, which can be obtained from the Radware corporate Web site. For a
maintenance-only upgrade, the password is not required.
After the device upgrade is complete, you must reboot the device.
Caution: Before upgrading to a newer software version, do the following:
>> Back up the existing configuration file. For more information, see Downloading a
Devices Configuration File, page 245.
>> Ensure that you have configured on the device the authentication details for the protocol
used to upload the file.
To update the device software version
1. In the Monitoring perspective system pane, right-click the device name and select Manage
Software Versions.
2. Configure software upgrade parameters, and click OK.
3. When the device upgrade is complete, reboot the device.
Downloading a Devices Log File to the APSolute Vision
Client
You can download a DefensePro devices log file to the APSolute Vision client system. The log file is
automatically generated by the device and contains a report of configuration errors. The log file can
be used for debugging.
To download a device log file
1. In the Monitoring perspective system pane, right-click the device name and select Export Log
File.
2. Configure download parameters, and click OK.
Table 115: Software Upgrade Parameters
Upload Via The protocol used to upload the software file from APSolute Vision to the
device.
Values: HTTP, HTTPS, TFTP
File Name The name of the file to upload.
Software Version The software version number as specified in the new software
documentation.
Password Enter the password received with the new software version, and verify.
The password is case sensitive.
Table 116: Device Log File Download Parameters
Download Via The protocol used to download the log file.
File Name Save the downloaded log file as a text file on the client system. Enter or
browse to the location of the saved log file, and select or enter a file
name.
Updating a Radware Signature File or RSA Signature File
You can upload an updated Radware signature file or RSA signature file to a DefensePro device.
You can upload an updated Radware signature file to a DefensePro device from the following
sources:
Radware.com or the proxy file server that is configured in the Vision Server
Connection configurationThe Alerts pane displays a success or failure notification and
whether the operation was performed using a proxy server.
APSolute Vision client systemThe name of the signature file on the must be DEVICE-MAC-
ADDRESS.sig.
Note: You can schedule signature file updates in the APSolute Vision scheduler. For more
information, see Configuring Tasks in the Scheduler, page 249.
To For more information about using signature files, see the DefensePro User Guide.update the
signature file of a device
1. In the Monitoring perspective system pane, right-click the device name and select Update
Attack Signature.
2. Configure the parameters, and click OK.
Table 117: Update Device Signature File Parameters
Signature Type The type of the signature file to upload to the device.
Values:
Radware Signatures
RSA Signatures
Update From The location of the signature file to upload.
Values:
Radware.comAPSolute Vision uploads the signature file directly
from Radware.com or from the proxy server that is configured in
the Vision Server Connection configuration.
ClientAPSolute Vision uploads the signature file from the
APSolute Vision client system. This option is only available for
Radware signatures.
Upload Via The protocol used to upload the signature file.
File Name
(This parameter is
displayed only when
Update From Client is
selected)
Name of the signature file on the client system.
Downloading a Technical Support File to the APSolute
Vision Client
For debugging purposes, a DefensePro device can generate a TAR file containing the technical
information that Radware Technical Support requires. The file includes output of various CLI
commands; for example, a printout of the Client table.
You can download a DefensePro devices technical support file to the APSolute Vision client system
and send it to Radware Support.
Note: If you encounter problem with APSolute Vision server or APSolute Vision client (as
opposed to the DefensePro device), see the APSolute Vision Administrator Guide.
To download a devices technical support file
1. In the Monitoring perspective system pane, right-click the device name and select Export Tech
Support File.
2. Configure download parameters, and click OK.
Managing DefensePro Device Configurations
This section describes how to manage configurations of the DefensePro devices that are configured
in the APSolute Vision server.
Configuration File Content
The configuration file content is divided into two sections:
Commands that require rebooting the deviceThese include BWM Application
Classification Mode, Application Security status, Device Operation Mode, tuning parameters, and
so on. Copying and pasting a command from this section takes effect only after the device is
rebooted. The section has the heading: The f ol l owi ng commands wi l l t ake ef f ect
onl y once t he devi ce has been r eboot ed!
Commands that do not require rebooting the deviceCopying and pasting a command
from this section takes effect immediately after pasting. The commands in the section are not
bound to SNMP. The section has the heading: The f ol l owi ng commands t ake ef f ect
i mmedi at el y upon execut i on!
Table 118: Device Technical Support File Download Parameters
Download Via The protocol used to download the technical support file.
Save As Save the downloaded technical support file as a text file on the client
system. Enter or browse to the location of the saved file, and select or
enter a file name.
The commands are printed within each sectionin the order of implementation.
At the end of the file, the device prints the signature of the configuration file. This signature is used
to verify the authenticity of the file and that it has not been corrupted. The signature is validated
each time the configuration file is uploaded to the device. If the validity check fails, the device
accepts the configuration, but a notification is sent to the user that the configuration file has been
tampered with and there is no guarantee that it works. The signature looks like Fi l e Si gnat ur e:
063390ed2ce0e9df c98c78266a90a7e4.
Downloading a Devices Configuration File
You can download a devices configuration file from the device to APSolute Vision for backup.
Whether you choose to download to the APSolute Vision server or client system, a copy is always
saved in the APSolute Vision database.
By default, you can save up to five (5) configuration files per device on the APSolute Vision server.
You can change this parameter in the APSolute Vision Setup page up to a maximum of 10. When the
limit is reached, you are prompted to delete the oldest file. For more information, see the APSolute
Vision Administrator Guide.
Note: You can schedule configuration file backups in the APSolute Vision scheduler. For more
information, see Configuring Tasks in the Scheduler, page 249.
To download a devices configuration file
1. In the Monitoring perspective system pane, right-click the device name and select Export
Configuration File from Device.
2. Configure the download parameters; and then, click Save.
Restoring a Devices Configuration
You can restore a DefensePro devices configuration file from a backup configuration file on the
APSolute Vision server or client system to the DefensePro device. When you upload the
configuration file to the device, it overwrites the existing device configuration.
After the restore operation is complete, you must reboot the device.
Table 119: Device Configuration File Download Parameters
Download to Where to back up the device configuration file.
Values: Client, Server
Download Via The protocol used to download the configuration file.
Save As Save the downloaded configuration file as a text file on the client system.
On the server, the default name is a combination of the device name and
backup date and time. You can change the default name.
To restore a devices configuration
1. In the Monitoring perspective system pane, right-click the device name and select Import
Configuration File to Device.
2. Configure upload parameters, and click OK.
3. When the upload completes, reboot the device.
Updating Policy Configurations on a DefensePro Device
You can apply the following configuration changes to a managed device in a single operation:
Network security policy
Server security policy
ACL policy
White list
Black list (relevant for DefensePro only)
Classes
To update policy configurations on a managed device
1. In the Monitoring perspective system pane, right-click the device name and select Update
Policies.
2. Click Yes in the Confirmation dialog box.
Table 120: Device Configuration File Upload Parameters
Upload from The location of the backup device configuration file to send.
Values: Client, Server
Upload Via The protocol used to upload the configuration file.
File Name When uploading from the client system, enter or browse to the name of
the configuration file to upload.
When uploading from the server, select the configuration to upload.
Checking Device Memory Availability
You can check whether a DefensePro device has enough memory before you change any tuning
parameters, including NAT tuning.
To check device memory availability
In the Monitoring perspective system pane, right-click the device name and select Check
Available Memory. A message box is displayed, which notifies you whether there is enough
memory on the device, or, if not, how much memory is required.
Resetting the Baseline for DefensePro
Resetting baseline-learned statistics clears the baseline traffic statistics and resets default normal
baselines. Reset the baseline statistics only when the characteristics of the protected network have
changed entirely and bandwidth quotas need to be changed to accommodate the network changes.
You can reset the baseline for all the network policy rules that contain a BDoS or DNS Protection
profile, or for a selected network policy rule that contains a BDoS or DNS Protection profile.
To reset BDoS baseline statistics
1. In the Monitoring perspective system pane, right-click the device name and select Reset BDoS
Baseline.
2. Select whether to reset the baseline for all network policy rules that contain a BDoS profile, or
for a specific network-protection rule that contains a BDoS profile; and then, click OK.
To reset DNS baseline statistics
1. In the Monitoring perspective system pane, right-click the device name and select Reset DNS
Baseline.
2. Select whether to reset the baseline for all network policy rules that contain a DNS profile, or for
a specific network-protection rule that contains a DNS profile, then click OK.
Enabling and Disabling Interfaces
You can enable and disable interfaces from the Monitoring perspective. In DefensePro, you can
enable and disable device ports and trunks.
To enable an interface
1. In the Monitoring perspective system pane, select the relevant device.
2. Expand the node in the tree to display the interfaces.
3. Right-click the interface name and select Enable.
Note: If the interface is already enabled, this option is unavailable.
To disable an interface
1. In the Monitoring perspective system pane, select the relevant device.
2. Expand the node in the tree to display the interfaces.
3. Right-click the interface name and select Disable.
Note: If the interface is already disabled, this option is unavailable.
Scheduling APSolute Vision and Device Tasks
The following topics describe how to schedule operations in the APSolute Vision Scheduler:
Overview of Scheduling, page 248
Configuring Tasks in the Scheduler, page 249
Task Parameters, page 250
Note: For information on how to schedule operations in the APSolute Vision server, see the
APSolute Vision User Guide or APSolute Vision online help.
Overview of Scheduling
You can schedule various operations for the APSolute Vision server and managed devices. Scheduled
operations are called tasks.
The APSolute Vision scheduler tracks when tasks were last performed and when they are due to be
performed next. When you configure a task for multiple devices, the task runs on each device
sequentially. After the task completes on one device, it begins on the next. If the task fails to
complete on a device, the Scheduler will activate the task on the next listed device.
Scheduled tasks run according to the time as configured on the APSolute Vision client.
Caution: If the APSolute Vision client time zone differs from the time zone of the APSolute
Vision server or the managed device, take the time offset into consideration.
When you define a task, you can choose whether to enable or disable the task. All configured tasks
are stored in the APSolute Vision database.
You can define the following types of DefensePro-related scheduled tasks:
Back up a device configuration
Reboot a device
Update the Radware signature file onto a DefensePro device from Radware.com or the proxy
server
Update RSA signature file onto a DefensePro device from Radware.com or the proxy server
Note: You can perform the operations manually, from the Monitoring perspective.
For more information see:
Downloading a Devices Configuration File, page 245
Rebooting a DefensePro Device, page 239
Updating the Attack Description File, page 47
Updating a Radware Signature File or RSA Signature File, page 243
Configuring Tasks in the Scheduler
The Scheduler window is the starting point for viewing and configuring tasks, which are scheduled
operations.
The Tasks table displays the following information for each configured task.
Table 121: Information Displayed in the Tasks Table
Name The name of the configured task.
Task Type The type of task to be performed.
Enabled When selected, the task will be performed according to the defined
schedule. Disabled tasks are not activated, but the task is saved in the
database.
Schedule The frequency that the task is performed; for example, daily or weekly.
The schedule start date is displayed, if it has been defined.
Last Execution Status Whether the last task run was successful. When the task is disabled, or
has not yet started, the status is Never Executed.
Last Execution Time The date and time of the last task run. When the task is disabled, or has
not yet started, this field is empty.
To configure a task schedule
1. In the Configuration perspective main toolbar, click the (Scheduler) button. The Tasks table
displays information for each scheduled task.
2. To add or edit a task:
To add a new task, click the (Add) button. Select the type of task, and click OK. The
dialog box for the selected task type is displayed.
To edit a task, double-click the entry in the table.
3. Configure task parameters, and click OK. All task configurations include basic parameters and
scheduling parameters. Other parameters depend on the type of task selected. For more
information, see the description of the relevant Task Parameters.
Task Parameters
Set the following parameters to configure tasks in the Scheduler:
Device Configuration Backup Parameters, page 250
Device Reboot Parameters, page 251
Update APSolute Vision Attack Description File Parameters, page 252
Update RSA Signature Files for a Device, page 253
Update Radware Signature Files for a Device, page 254
Device Configuration Backup Parameters
Note: By default you can save up to five (5) configuration files per device on the APSolute
Vision server. You can change this parameter in the APSolute Vision Setup tab. For more
information, see the APSolute Vision Administrator Guide.
Next Execution Time The date and time of the next task run. When the task is disabled, this
field is empty.
Description The user-defined description of the task.
Basic Parameters
Name A unique name for the task.
Default: The selected task type name. If there are existing tasks that use
this name, n is appended to the name, where n is the next available
sequential number.
Table 121: Information Displayed in the Tasks Table
Device Reboot Parameters
Enabled When selected, the task is performed according to the defined schedule.
Disabled tasks are not activated, but the task configuration is saved in the
database.
Schedule
Frequency The frequency at which the task is performed.
Select a frequency, then configure the related time and day/date
parameters.
Values:
OnceThe task is performed one time only at the specified date and
time.
MinutesThe task is performed at intervals of the specified number
of minutes between task starts. The minimum interval is 60 minutes.
DailyThe task is performed daily at the specified time.
WeeklyThe task is performed every week on the specified day or
days, at the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.
Schedule Period
Run Always When enabled, the task is activated immediately, and runs at the first
time configured by the frequency.
To activate the task only between specific dates, clear the checkbox and
set the Start Date and Time and End Date and Time fields.
Devices
The configurations of devices in the Selected Devices list will be backed up.
Basic Parameters
sequential number.
database.
Update APSolute Vision Attack Description File Parameters
Schedule
parameters.
Values:
time.
Vision client.
Schedule Period
Devices
The devices in the Selected Devices list will be rebooted.
Basic Parameters
sequential number.
database.
Update RSA Signature Files for a Device
Schedule
parameters.
Values:
time.
Vision client.
Schedule Period
Basic Parameters
sequential number.
database.
Update Radware Signature Files for a Device
Schedule
parameters.
Values:
time.
Vision client.
Schedule Period
Devices
The RSA signature files for DefensePro devices in the Selected Devices list will be updated. The list
of available devices contains only the device with Fraud Protection enabled.
Basic Parameters
sequential number.
database.
Schedule
parameters.
Values:
time.
Vision client.
Schedule Period
Communication Parameters
Upload Protocol The protocol used to upload the updated signature file from APSolute
Vision to the device.
Values: HTTPS, HTTP, TFTP
Default: HTTPS
Devices
The signature files for DefensePro devices in the Selected Devices list will be updated.
Chapter 10 Monitoring DefensePro Devices
and Interfaces
APSolute Visions online monitoring can serve as part of a Network Operating Center (NOC) that
monitors and analyzes the network and connected devices for changes in conditions that may
impact network performance.
The following topics describe:
Monitoring DefensePro Devices, page 257
Monitoring Device Interfaces, page 272
To view monitoring information for a physical device or interface, you must first select the device or
interface in the Monitoring perspective navigation pane System tab.
Monitoring DefensePro Devices
You can monitor the following statistics and information for each managed DefensePro device:
Monitoring General DefensePro Device Information, page 257
Monitoring DefensePro High Availability, page 259
Monitoring the DefensePro Suspend Table, page 260
Monitoring DefensePro CPU Utilization, page 260
Monitoring and Clearing DefensePro Authentication Tables, page 261
Monitoring Session Table Information, page 264
Monitoring DefensePro SNMP Statistics, page 262
Monitoring DME Utilization According to Configured Policies, page 263
Monitoring DefensePro Syslog Information, page 264
Monitoring DefensePro IP Statistics, page 266
Monitoring DefensePro Bandwidth Management Statistics, page 267
Monitoring Routing Table Information, page 270
Monitoring DefensePro ARP Table Information, page 271
Monitoring MPLS RD Information, page 271
Select the DefensePro device to monitor in the Monitoring perspective system pane.
Monitoring General DefensePro Device Information
The Overview tab displays general device information including the information about the software
version on the device and the hardware version of the device.
To display general device information for a selected device
In the Monitoring perspective, select the Overview tab in the content pane.
General device information for DefensePro is displayed.
Monitoring DefensePro Devices and Interfaces
Table 122: DefensePro General Device Information
Basic Parameters
Operational Status Whether the device is currently up or down.
Device is Monitored Whether APSolute Vision monitoring is currently enabled for the device.
Management IP The IP address of the device used for management.
Hardware Platform Type of hardware platform for this device; for example, OnDemand
Switch 3.
Uptime System up time in days, hours, minutes, and seconds.
Base MAC Address MAC address of the first port on the device.
Signature Update
Radware Signature File
Version
The version of the Radware Signature File installed on the device.
RSA Signatures Last
Update
When RSA is enabled, this parameter can display the timestamp of the
last update of RSA signatures, received from Radware.com and
downloaded to the DefensePro device.
Values:
The timestamp, in DDD MMM DD hh: mm: ss yyyy z format
displayed according to the timezone of your APSolute Vision client
No Feeds Received Since Device Boot
Software
Software Version The version of the product software installed on the device.
APSolute OS Version Version of the APSolute OS installed on the devicefor example, 10.31-
03.01:2.06.08.
Build The build number of the current software version.
Version Status State of this software version.
Values:
OpenNot yet released
Final Released version
Hardware
Hardware Version The hardware version; for example, B.5.
RAM Size Amount of RAM, in megabytes.
Flash Size Size of flash (permanent) memory, in megabytes.
Accelerator RAM Size Amount of RAM for the accelerator module.
Monitoring DefensePro High Availability
You can view the status of parameters related to the high availability of a selected DefensePro
device.
Note: When you issue the Switch Over command on the cluster node in the Monitoring
perspective, the active device switches over. To switch modes, in the Monitoring
perspective system pane, right-click the cluster node; and then select Switch Over.)
To view the parameters related to the high availability of a selected DefensePro device
In the Monitoring perspective, select the High Availability tab in the content pane.
The following information is displayed:
Device Role Values:
Stand AloneThe device is not configured as a member of a high-
availability cluster.
PrimaryThe device is configured as the primary member of a
high-availability cluster.
SecondaryThis device is configured as the secondary member of
a high-availability cluster.
Device State Values:
ActiveThe device is in active. The device may be a standalone
device (not part of a high-availability cluster) or the active
member of a high-availability cluster.
PassiveThe device is the passive member of a high-availability
cluster.
Last Baseline Sync. Values:
Base-Line still not synchronized on this deviceEither high
availability is not enabled on the device or high availability is
enabled on the device but the baselines for security protections
are still not synchronized.
The timestamp, in DDD MMM DD hh: mm: ss yyyy format, of the
last synchronization of the baseline between the active and
passive device.
Cluster State Values:
Pair not definedThe device is not configured as a member of a
high-availability cluster.
In SyncThe members of the high-availability cluster are
synchronized.
Cluster Node in Use The IP address of the selected device.
Peer Clustered Node in
Use
The IP address of the other cluster member.
Monitoring the DefensePro Suspend Table
When DefensePro detects an attack, some protections, such as anti-scan, server cracking, and
connection limit, add the source IP of the attacker to the Suspend table. All traffic from the attacker
to the protected server is then handled according to the Suspend Action for a defined time period.
To view the real-time Suspend table for a selected DefensePro device
In the Monitoring perspective, select the Suspend Table tab in the content pane.
Monitoring DefensePro CPU Utilization
You can view statistics for the devices average resource utilization and the utilization for each
accelerator.
To monitor device utilization for a selected DefensePro device
1. In the Monitoring perspective, select the Resource Utilization tab in the content pane.
2. In the navigation pane, select CPU Utilization.
Source IP The IP address from which traffic was suspended.
Destination IP The IP address to which traffic was suspended (0.0.0.0 means
traffic to all destinations was suspended).
Destination Port The application port to which traffic was suspended (0 means all
ports).
Protocol The Network protocol of the suspended traffic.
Module The security module that activated the traffic suspension:
Signature Protection, Anti Scanning, SYN Protection.
Expiration Type The method of determining the expiration: On Request, Fixed
Timeout, Dynamic Timeout.
Expiration Time The number of seconds until the entry is removed from the
Suspend table.
CPU Utilization
Resource Utilization Percent of the devices CPU currently utilized.
RS Resource Utilization Percent of the devices routing services (RS) resource currently
utilized.
RE Resource Utilization Percent of the devices routing engine (RE) resource currently
utilized.
Monitoring and Clearing DefensePro Authentication Tables
You can view statistics for the devices Authentication Tables. You can also clear the contents of each
table.
To monitor Authentication Tables for a selected DefensePro device
2. Select Authentication Tables.
Last 5 sec. Average
Utilization
Average utilization of resources in the last 5 seconds.
Last 60 sec. Average
Utilization
Average utilization of resources in the last 60 seconds.
Accelerator Utilization
Accelerator Type The name of the accelerator. The accelerator named
Flow_Accelerator_0 is one logical accelerator that uses several CPU
cores. The accelerator named HW Classifier is the string-matching
engine (SME). OnDemand Switch 3 S1 has no SME.
CPU ID The CPU number for the accelerator. OnDemand Switch 2 and
OnDemand Switch 3 S2 have two CPU cores. OnDemand Switch 3 S1
has three CPU cores.
Forwarding Task The percentage of CPU cycles used.
Other Tasks The percentage of CPU resources used for other tasks such as aging
and so on.
Idle Task The percentage of free CPU resources.
TCP Authentication Table
Table Size The number of source addresses that the table can hold.
Table Utilization Percent of the table that is currently utilized.
Aging Time The aging time, in seconds, for the table.
Clear Table Click Clear Table to clear the contents of the table.
HTTP Authentication Table
Aging Time The aging time, in seconds, for the table.
Values: 603600
Default: 1200
Monitoring DefensePro SNMP Statistics
You can view statistics for the SNMP layer of the device.
To monitor DefensePro SNMP statistics
2. In the navigation pane, select SNMP Statistics.
DNS Authentication Table
Aging Time The aging time, in minutes, for the table.
Number of SNMP Received Packets The total number of messages delivered to the SNMP
entity from the transport service.
Number of SNMP Sent Packets The total number of SNMP messages passed from the
SNMP protocol entity to the transport service.
Number of SNMP Successful 'GET'
Requests
The total number of MIB objects retrieved successfully
by the SNMP protocol entity as the result of receiving
valid SNMP GET-Request and GET-Next PDUs.
Number of SNMP Successful 'SET'
Requests
The total number of MIB objects modified successfully by
the SNMP protocol entity as the result of receiving valid
SNMP SET-Request PDUs.
Number of SNMP 'GET' Requests The total number of SNMP GET-Request PDUs accepted
and processed by the SNMP protocol entity.
Number of SNMP 'GET-Next'
Requests
The total number of SNMP GET-Next Request PDUs
accepted and processed by the SNMP protocol entity.
Number of SNMP 'SET' Requests The total number of SNMP SET-Request PDUs accepted
and processed by the SNMP protocol entity.
Number of SNMP Error Too Big
Received
The total number of SNMP PDUs generated by the SNMP
protocol entity for which the value of the error-status
field is tooBig.
Number of SNMP Error No Such
Name Received
protocol entity for which the value of the error-status is
noSuchName.
Number of SNMP Error Bad Value
Received
field is badValue.
Monitoring DME Utilization According to Configured Policies
This feature is available only on x412 platforms with the DME.
You can view statistics relating the user-defined policies to the utilization of the DoS Mitigation
Engine (DME).
The values that the device exposes are the calculated according to the configured valueseven
before running the Update Policies command.
Note: If the device is not equipped with the DME, 0 (zero) values are displayed.
To monitor DefensePro policies
2. In the navigation pane, select Policies.
Number of SNMP Error Generic
Error Received
field is genErr.
Number of SNMP 'GET' Responses
Sent
The total number of SNMP Get-Response PDUs
generated by the SNMP protocol entity.
Number of SNMP Traps Sent The total number of SNMP Trap PDUs generated by the
SNMP protocol entity.
Policies Resources Utilization
If any of the values in this group box is close to the maximum, the resources for the device are
exhausted.
Total Policies The total number of policies in the context of the DME, which is
double the number of network policies configured in the device.
OnDemand Switch 3 S2 supports 50 configured network policies.
HW Entries Utilization The percentage of resource utilization from the HW entries in the
context of the DME.
Sub-Policies Utilization The percentage of DME resource utilization from the entries of
sub-policies.
In the context of the DME, a sub-policy is a combination of the
following:
Source-IP-address range
Destination-IP-address range
VLAN-tag range
Policies Table
Policy Name The name of the policy.
Monitoring DefensePro Syslog Information
You can view information relating to the syslog mechanism.
To monitor DefensePro syslog information
2. In the navigation pane, select Syslog Monitor.
Monitoring Session Table Information
Each DefensePro device includes a Session table to keep track of sessions bridged and forwarded by
the device. By default, the Session table is enabled.
The size of the table makes it difficult to view. To generate reliable and useful reports and to prevent
system failures, use filters to define the Session Table information to display. Information that
matches any enabled Session table filter is displayed.
Note: The filtered Session table is not automatically refreshed periodically. The information is
loaded when you select to display the Session Table pane, and when you manually
refresh the display.
To view Session table information
1. In the Monitoring perspective, in the Session Table navigation pane, select Session Table.
2. If required, in the Display field, change the number of entries to display.
Direction The direction of the policy.
Values:
Inbound
Outbound
HW Entries The number of DME hardware entries that the policy uses.
Sub-Policies The number of DME sub-policy entries that the policy uses.
Syslog Server The name of the syslog server.
Status The status of the syslog server.
Values: Reachable, Unreachable
Messages in Backlog The number of messages in the backlog to the syslog
server.
The number of entries that match configured session table filters is displayed.
The following information is displayed in the Filtered Session Table:
Configuring DefensePro Session Table Filters
The full Session table is very large; therefore, it is recommended to filter the information. Use
Session table filters to define the information you want to display.
To configure Session table filters
1. In the Monitoring perspective Session Table navigation pane, select Session Table Filters.
2. To add or modify a filter, do one of the following:
To add a filter, click the (Add) button.
To edit a filter, double-click the entry in the table.
3. Configure filter parameters and click OK.
Source IP The source IP address within the defined subnet.
Destination IP The destination IP address within the defined subnet.
Source L4 Port The session source port.
Destination L4 Port The session destination port.
Protocol The session protocol.
Physical Interface The physical port on the device at which the request arrives from the
client.
Life Time (sec.) The time, in seconds, following the arrival of the last packet, that the
entry will remain in the table before it is deleted.
Aging Type The reason for the Lifetime value (for example, application or session
end).
SYN Flood Status Whether the entry is currently protected against SYN attacks.
Table 123: DefensePro Session Table Filter Parameters
Filter Name The unique name of the filter.
Physical Interface The physical port on the device at which the request arrives from the
client.
Default: Any
Source IP Address The source IP address within the defined subnet.
Select IPv4 or IPv6; and then, enter the address.
Source IP Mask The source IP address used to define the subnet that you want to
present in the Session Table.
Select IPv4 or IPv6; and then, enter the mask.
Destination IP Address The destination IP address within the defined subnet.
Select IPv4 or IPv6; and then, enter the address.
Monitoring DefensePro IP Statistics
You can monitor statistics for the IP layer of the device, including the number of packets discarded
and ignored. This enables you to quickly summarize the state of network congestion from a given
interface.
To display IP statistics information for a selected DefensePro device
In the Monitoring perspective, select the IP Statistics tab in the content pane.
Destination IP Mask The destination IP address used to define the subnet that you want to
present in the Session Table.
Select IPv4 or IPv6; and then, enter the mask.
Source L4 Port The session source Layer 4 port.
Destination L4 Port The session destination Layer 4 port.
IP Statistics
Number of IP Packets
Received
The total number of input datagrams received from interfaces,
including those received in error.
Number of IP Header Errors The number of input datagrams discarded due to errors in their
IP headers, including bad checksums, version number
mismatch, other format errors, time-to-live exceeded, errors
discovered in processing their IP options, and so on.
Number of Discarded IP
Packets
Total number of input datagrams discarded.
This counter does not include any datagrams discarded while
awaiting re-assembly.
Number of Valid IP Packets
Received
The total number of input datagrams successfully delivered to
IP user-protocols (including ICMP).
Number of Transmitted
Packets (Inc. Discards)
The total number of IP datagrams which local IP user-protocols,
including ICMP supplied to IP in requests for transmission.
This counter does not include any datagrams counted in the
Number of IP Packets Forwarded.
Number of Discarded Packets
on TX
The number of output IP datagrams for which no problem was
encountered to prevent their transmission to their destination,
but which were discarded, for example, the lack of buffer space.
This counter includes any datagrams counted in the Number of
IP Packets Forwarded if those packets meet this (discretionary)
discard criterion.
Table 123: DefensePro Session Table Filter Parameters
Monitoring DefensePro Bandwidth Management Statistics
You can monitor the Bandwidth Management (BWM) statistics for a DefensePro device.
Displaying the Last-Second BWM Statistics for a Selected DefensePro Device
To display the last-second BWM statistics for a selected DefensePro device, the Enable Policy
Statistics Monitoring checkbox must be selected (Configuration perspective > BWM > Global
Settings > Enable Policy Statistics Monitoring).
Router Statistics
Forwarded
The number of input datagrams for which this entity was not
their final IP destination, as a result of which an attempt was
made to find a route to forward them to that final destination.
In entities that do not act as IP Gateways, this counter includes
only those packets which were Source - Routed via this entity,
and the Source - Route option processing was successful.
Discarded Due to Unknown
Protocol
The number of locally addressed datagrams received
successfully but discarded because of an unknown or
unsupported protocol.
Discarded Due to No Route
The number of IP datagrams discarded because no route could
be found to transmit them to their destination.
Note: This counter includes any packets counted in the
Number of IP Packets Forwarded that meet the no-
route criterion. This includes any datagrams which a
host cannot route because all of its default gateways
are down.
Number of IP Fragments
Received
The number of IP fragments received which needed to be
reassembled at this entity.
Successfully Reassembled
The number of IP datagrams successfully re-assembled.
Failed Reassembly
The number of failures detected by the IP re-assembly
algorithm, such as timed out, errors, and so on. Note: This is
not necessarily a count of discarded IP fragments since some
algorithms (notably the algorithm in RFC 815) can lose track of
the number of fragments by combining them as they are
received.
Number of IP Datagrams
Successfully Fragmented
The number of IP datagrams that have been successfully
fragmented at this entity.
Discarded Due to
Fragmentation Failure
The number of IP datagrams that have been discarded because
they needed to be fragmented at this entity but could not be,
for example, because their Dont Fragment flag was set.
Fragments Generated
The number of IP datagram fragments that have been
generated as a result of fragmentation at this entity.
Valid Routing Entries
Discarded
Number of valid routing entries discarded.
To display the last-second BWM statistics for a selected DefensePro device
1. In the Monitoring perspective, select the BWM Statistics tab in the content pane.
2. Select Policy Statistics (Last Second). The Policy Statistics (Last Second) table is displayed.
3. Do one or both of the following:
To select the columns that are displayed, right-click the table heading; and then, select the
column names to display.
To view all the parameters of a policy, right-click the row of the policy; and then, select
Show Statistics Entry. The Edit Statistics Entry dialog box is displayed with all the BWM
statistics.
Table 124: DefensePro BWM Last-Second Statistics Parameters
Policy Name The name of the displayed policy.
Matched Packets The number of packets matching the policy during the last
second.
Matched Bandwidth The traffic bandwidth, in Kbits, matching the policy during the
last second.
Sent Bandwidth The volume of sent traffic, in Kbits, in any direction, in the last
second.
Guaranteed Bandwidth Reached Specifies whether the guaranteed bandwidth was reached
during the last second.
Maximum Bandwidth Reached Specifies whether the maximum bandwidth was reached during
the last second.
New TCP Sessions The number of new TCP sessions the device detected in the last
second.
New UDP Sessions The number of new UDP sessions the device detected in the last
second.
Queued Bandwidth The bandwidth, in Kilobits, during the last second.
Full Queue Bandwidth The bandwidth, in Kilobits, discarded during the last second,
due to a full queue.
Aged Packets Bandwidth The amount of discarded bandwidth, in Kilobits, during the last
second, due to the aging of packets in the queue.
Inbound Packets The number of inbound packets in the last second.
Inbound Matched Bandwidth The volume of inbound traffic, in Kilobits, in the last second that
matched the policy.
Inbound Sent Bandwidth The volume of inbound sent traffic, in Kilobits, in the last
second.
Outbound Packets The number of outbound packets in the last second.
Outbound Matched Bandwidth The volume of outbound traffic, in Kilobits, in the last second
that matched the policy.
Outbound Sent Bandwidth The volume of outbound sent traffic, in Kilobits, in the last
second.
Displaying the Last-Period BWM Statistics for a Selected DefensePro Device
To display the last-second BWM statistics for a selected DefensePro device, the Enable Policy
Statistics Monitoring checkbox must be selected (Configuration perspective > BWM > Global
Settings > Enable Policy Statistics Monitoring).
The Policy Statistics Reporting Period parameter determines the period (Configuration perspective >
BWM > Global Settings > Policy Statistics Reporting Period).
To display the last-period BWM statistics for a selected DefensePro device
1. In the Monitoring perspective, select the BWM Statistics tab in the content pane.
2. Select Policy Statistics (Last Period). The Policy Statistics (Last Period) table is displayed.
3. Do one or both of the following:
To select the columns that are displayed, right-click the table heading; and then, select the
column names to display.
To view all the parameters of a policy, right-click the row of the policy; and then, select
Show Statistics Entry. The Edit Statistics Entry dialog box is displayed with all the BWM
statistics.
Table 125: DefensePro BWM Last-Period Statistics Parameters
Policy Name The name of the displayed policy.
Matched Packets The number of packets matching the policy during the last
specified period.
Matched Bandwidth The traffic bandwidth, in Kilobits, matching the policy during
the last specified period.
Sent Bandwidth The volume of sent traffic, in Kilobits, in any direction, in the
last specified period.
Guaranteed Bandwidth Reached Specifies whether the guaranteed bandwidth was reached
during the last specified period.
Maximum Bandwidth Reached Specifies whether the maximum bandwidth was reached during
the last specified period.
New TCP Sessions The number of new TCP sessions the device detected in the last
specified period.
New UDP Sessions The number of new UDP sessions the device detected in the last
specified period.
Queued Bandwidth The volume of queued traffic, in Kilobits, during the last second.
Full Queue Bandwidth The bandwidth, in Kilobits, discarded in the last specified
period, due to a full queue.
Aged Packets Bandwidth The amount of discarded bandwidth, in Kilobits, in the last
specified period, due to the aging of packets in the queue.
Inbound Packets The number of inbound packets in the last specified period.
Inbound Matched Bandwidth The volume of inbound traffic, in Kilobits, in the last specified
period that matched the policy.
Inbound Sent Bandwidth The volume of inbound sent traffic, in Kilobits, in the last
specified period.
Outbound Packets The number of outbound packets in the last specified period.
Monitoring Routing Table Information
The Routing table stores information about destinations and how they can be reached.
By default, all networks directly attached to the DefensePro device are registered in this table. Other
entries can be statically configured or dynamically created through the routing protocol.
Note: The Routing table is not automatically refreshed periodically. The information is loaded
when you select to display the Routing Table pane, and when you manually refresh the
display.
To display Routing Table information for a selected device
In the Monitoring perspective, select the Routing tab in the content pane.
Outbound Matched Bandwidth The volume of outbound traffic, in Kilobits, in the last specified
period that matched the policy.
Outbound Sent Bandwidth The volume of outbound sent traffic, in Kilobits, in the last
specified period.
Destination Network Destination network to which the route is defined.
Netmask Network mask of the destination subnet.
Next Hop IP address of the next hop toward the Destination subnet. (The next
hop always resides on the subnet local to the device.)
Via Interface The local interface or VLAN through which the next hop of this route is
reached. This can be the port name, trunk name, or VLAN ID.
Type This field is displayed only in the Static Routes table.
The type of routing.
Values:
LocalThe subnet is directly reachable from the device.
RemoteThe subnet is not directly reachable from the device.
Metric The metric value defined or calculated for this route.
Table 125: DefensePro BWM Last-Period Statistics Parameters
Monitoring DefensePro ARP Table Information
You can view the devices ARP table, which contains both static and dynamic entries. You can change
an entry type from dynamic to static.
Note: The ARP table is not automatically refreshed periodically. The information is loaded when
you select to display the ARP Table pane, and when you manually refresh the display.
To display ARP Table information for a selected DefensePro device
In the Monitoring perspective, select the ARP tab in the content pane.
The following information is displayed.
To change an entry type from dynamic to static
In the ARP table, right-click the entry, and select Change Entry to Static.
Monitoring MPLS RD Information
You can monitor MPLS RD information and configure an MPLS RD. Each MPLS RD is assigned two
tags for the link on which the device is installed, an upper tag and a lower tag. On a different link,
the same MPLS RD can be assigned with different tags.
To display MPLS RD information for a selected DefensePro device
1. In the Monitoring perspective, select the MPLS RD tab in the content pane.
The MPLS RD table displays current MPLS RD information.
2. To add an MPLS RD, click the (Add) button.
Parameter Heading
Port The interface number where the station resides.
IP Address The stations IP address.
MAC Address The stations MAC address.
Type Entry type.
Values:
OtherNot Dynamic or Static
DynamicEntry is learned from ARP protocol. If the entry is not
active for a predetermined time, the node is deleted from the
table.
StaticEntry has been configured by the network management
station and is permanent.
3. Configure MPLS RD parameters and click OK.
Monitoring Device Interfaces
A Layer 2 interface is defined as any interface that has its own MAC address, physical port, trunk,
and VLAN.
You can monitor status and interface statistics for ports and trunks on all DefensePro devices.
To display information for a device interface
1. In the Monitoring perspective system pane, select the device.
2. Expand the node; and then, select the interface.
Table 126: MPLS RD Parameters
MPLS RD The MPLS RD name.
Type Describes the MPLS RD format.
Values:
2 Bytes : 4 BytesAS (16 bit): Number (32 bit)
4 Bytes : 2 BytesAS (32 bit): Number (16 bit)
IP Address : 2 BytesIP: Number (16 bit)
Upper Tag The upper tag for the link on which the device is installed.
Lower Tag The lower tag for the link on which the device is installed.
Table 127: L2 Interface Statistics
Basic Parameters
Port Name The interface name or index number.
Port Description A description of the interface.
Type The interface type number assigned by the Internet Assigned
Numbers Authority (IANA).
Port Speed The interfaces current bandwidth in bits per second.
MAC Address The MAC Address of the interface.
Admin Status The administrative status of the interface, Up or Down.
Operational Status The operational status of the interface, Up or Down.
Last Change Time The value of System Up time at the time the interface entered its
current operational state. If the current state was entered prior to the
last re-initialization of the local network management subsystem,
then this value is zero.
Statistics
Incoming Bytes The number of incoming octets (bytes) through the interface
including framing characters.
Incoming Unicast Packets The number of packets delivered by this sub-layer to a higher sub-
layer, which were not addressed to a multicast or broadcast address
at this sub-layer.
Incoming Non-Unicast
Packets
The number of packets delivered by this sub-layer to a higher sub-
layer, which were addressed to a multicast or broadcast address at
this sub-layer.
Incoming Discards The number of inbound packets chosen to be discarded even though
no errors had been detected to prevent their being deliverable to a
higher-layer protocol. One possible reason for discarding such a
packet could be to free up buffer space.
Incoming Errors For packet-oriented interfaces, the number of inbound packets that
contained errors preventing them from being deliverable to a higher-
layer protocol. For character-oriented or fixed-length interfaces, the
number of inbound transmission units that contained errors
preventing them from being deliverable to a higher-layer protocol.
Outgoing Bytes The total number of octets (bytes) transmitted out of the interface,
including framing characters.
Outgoing Unicast Packets The total number of packets that higher-level protocols requested be
transmitted, and which were not addressed to a multicast or
broadcast address at this sub-layer, including those that were
discarded or not sent.
Outgoing Non-Unicast
Packets
The total number of packets that higher-level protocols requested be
transmitted, and which were addressed to a multicast or broadcast
address at this sub-layer, including those discarded or not sent.
Outgoing Discards The number of outbound packets which were chosen to be discarded
even though no errors had been detected to prevent their being
transmitted. One possible reason for discarding such a packet could
be to free up buffer space.
Outgoing Errors For packet-oriented interfaces, the number of outbound packets that
could not be transmitted because of errors. For character-oriented or
fixed-length interfaces, the number of outbound transmission units
that could not be transmitted because of errors.
Table 127: L2 Interface Statistics
Chapter 11 Real-Time Security Reporting
You can use the Security Monitoring perspective to observe and analyze the attacks that the device
detected and the countermeasures that the device implemented.
APSolute Vision displays real-time network traffic and statistical parameters. The DefensePro device
calculates a traffic baseline, and uses this to identify abnormalities in traffic levels.
The following topics describe monitoring traffic and attacks in APSolute Vision:
Viewing the Security Dashboard, page 275
Viewing Current Attack Information, page 277
Viewing Real-Time Traffic Statistics, page 290
Monitoring Attack SourcesGeographical Map, page 293
Protection Monitoring, page 293
HTTP Reports, page 298
Viewing the Security Dashboard
The Security Dashboard provides a graphical representation of current and recent attacks.
Figure 19: Security Dashboard
Real-Time Security Reporting
Use the Security Dashboard to analyze activity and security events in the network, identify security
trends, and analyze risk.
You can view Dashboard information for individual DefensePro devices, all devices in a site, or all
devices in the network. The Dashboard monitoring display automatically refreshes providing ongoing
real-time analysis of the system. You can select the ports to view inbound or outbound traffic in
specific portions of your network, and you can choose the recent period of time for which to display
data.
You can configure the following Security Monitoring client preferences:
The display refresh rate. The default is 15 seconds.
How long an attack continues to be displayed after the attack has ended.
The Dashboard displays an attacks radar, and Drop Intensity indicator.
The attacks radar displays current and recent attacks:
Each arrowhead in the radar represents a separate attack.
A flashing arrowhead represents an ongoing attack.
The color of the arrowhead indicates the attack category. The category represents the type of
protection that the attack violates. When you double-click an arrowhead, the corresponding
attack-characteristics-and-information dialog box is displayed.
The categories in the Security Dashboard are as follows:
DDoSRepresents attacks identified by the following protection types: Behavioral DoS, SYN
Flood, and DoS Shield.
Server CrackingRepresents attacks identified by Server Cracking Protection.
IntrusionRepresents attacks identified by Intrusion Protection.
Application DDoSRepresents attacks identified by HTTP Flood Protection.
Stateful ACLRepresents attacks identified by Stateful ACL Protection.
Packet AnomaliesRepresents attacks identified by Packet Anomaly Protection.
Network ScansRepresents attacks identified by Anti-Scanning Protection.
Black & White ListsRepresents traffic identified by Black List Protection.
The position of the attack in the radar indicates the attack risk. Each band in the radar, moving
inwards from the outer edge, represents increasing riskinfo, low, medium, and high.
You can display summary information for an attack by clicking on the corresponding arrowhead,
and you can view additional attack details by double-clicking the arrowhead.
Note: The summary information displayed in the attacks radar is also presented in the Current
Attacks table.
The Drop Intensity counter provides an indication of the level of discarded traffic during attacks,
relative to the maximum bandwidth of the device (per license).
To display Security Dashboard information
1. In the Security Monitoring perspective navigation pane Security tab, select the DefensePro
device, or site, for which to display data.
2. Select the Security Dashboard tab.
3. To select the ports for which to display data:
a. Click Select Ports. Data is displayed for ports in the Selected Ports list.
b. Move ports to and from the Selected Ports list, as required.
4. To control the amount of data displayed, change the number of minutes in the Display Last list.
5. To view additional information for a displayed attack:
Right-click the corresponding arrowhead in the radar to display summary information for the
attack.
Double-click the corresponding arrowhead in the radar to display detailed information for
the attack. For more information, see Attack Details, page 280.
Viewing Current Attack Information
When an attack is detected, the DefensePro device creates and reports a security event that
includes the information relevant to the specific attack.
The Current Attacks table displays summary information for current and recent attacks. You can
view additional information for a specific attack, including the attack footprint.
You can view information about a security event, or a group of security events that belong to the
same attack.
You can configure filter settings to display a subset of the current attack data. Filter conditions are
joined by AND, meaning, only attacks that match all the filter conditions are displayed.
To display a summary of current attack information
1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site, for
which to display data.
2. Select the Current Attacks tab.
3. To filter the displayed data, set the filter options as required, and click Go.
Information is displayed in the Current Attacks table for the attacks that match all filter
conditions.
Note: The attack details contained in the table columns that are hidden by default are
displayed in the Attack Details window for individual attacks.
Table 128: Current Attacks Filter Settings
Risk The severity level of the attack.
Category The threat type to which the attack belongsfor example, Intrusions, DoS,
Anti-Scanning, and so on.
Rule The server-protection rule or network-protection rule violated by the attack.
Select Ports Add the ports for which to display attack data to the Selected Ports list.
Table 129: Current Attacks Summary Information
Start Time The date and time of the attack start.
Category The threat type to which this attack belongsfor example, Intrusions, DoS,
Anti Scanning, and so on.
Status The last-reported status of the attack.
Values:
StartedAn attack containing more than one security event has been
detected (some attacks contain multiple security events, such as DoS,
Scans, and so on).
Occurred (Signature-based attacks)Each packet matched with
signatures was reported as an attack and dropped.
OngoingThe attack is currently taking place, the time between Started
and Terminated (for attacks that contain multiple security events, such
as DoS, Scans, and so on).
TerminatedThere are no more packets matching the characteristics of
the attack, and the device reports that the attack has ended.
Risk The predefined attack severity level.
Values:
High.
Medium.
Low.
Info. Used for very low risk, or when it is not a real attack, but an
event reported to provide additional information.
Attack Name The name of the detected attack.
Source Address The source IP address of the attack. If there are multiple IP sources for an
attack, this field displays Multiple. The multiple IP addresses are displayed in
the Attack Details window.
Destination Address The destination IP address of the attack.
Destination L4 Port The destination port of the attack.
Rule The name of the configured network-protection policy rule or server-
protection policy rule that was violated by this attack.
To view or edit the rule for a specific attack, right-click the attack entry and
select Go to Rule.
RDW ID The unique attack identifier issued by device.
Direction The direction of the attack, inbound or outbound.
Action Type The reported action against the attack.
Values:
ForwardThe packet is forwarded to its destination.
Reset SourceA TCP Reset packet is sent to the attackers source IP
address.
Reset DestinationA TCP Reset packet is sent to the attackers
destination IP address.
To view details of a specific attack
In the Current Attacks table, double-click an attack entry.
The attack details are displayed in a separate window. For more information about attack
details, see Attack Details, page 280.
To export information in Ethereal format for packet analysis
1. In the Current Attacks table, right-click an attack entry and select Export Packets To Ethereal
Format.
2. Enter a file name in the file selection dialog box.
Notes
>> Up to 255 bytes of packet information is saved in the CAP file. You can send this file to a
packet analyzer.
>> The file is available only as long as it is displayed in the Current Attacks table.
Device IP The IP address of the attacked device.
Protocol
1
The transmission protocol used to send the attack.
Values:
TCP
UDP
ICMP
IP
Source L4 Port
1
The Layer 4 source port of the attack.
Physical Port
1
The port on the device to which the attacks packets arrived.
Packet Count The number of identified attack packets from the beginning of the attack.
Bandwidth
1
For most protections, this value is the volume of the attack, in kilobits, from
when the attack started.
For SYN protection (SYN cookies), this value is the number of SYN packets
dropped, multiplied by 60 bytes (the SYN packet size).
VLAN
1
A VLAN tag value is used to generate reports for each customer. A value of 0
in this field indicates that the VLAN tag is not available.
MPLS RD
1
The MPLS Route Distinguisher. This value is used to generate reports for each
customer.
1 This column is not displayed by default. To display the column, right-click on any column
heading, and select the column name from the pop-up menu.
Table 129: Current Attacks Summary Information
>> The file is created only if packet reporting is enabled in the protection configuration for
the profile that was violated.
Attack Details
An Attack Information window is displayed when you double-click an attack in the Security
Dashboard or in the Current Attacks table.
The Attack Description displays the information from the Attack Descriptions file. An attack
description is displayed only if the Attacks Description file has been uploaded on the APSolute Vision
server.
For information about uploading the Attacks Description file, see Updating the Attack Description
File, page 47.
The following attack details are also displayed for the following attacks:
BDoS Attack Details, page 281
DoS Attack Details, page 283
Anti-Scan Attack Details, page 283
Server Cracking Attack Details, page 284
SYN Flood Attack Details, page 285
HTTP Flood Attack Details, page 286
DNS Flood Attack Details, page 289
Note: The Attack Characteristics information that are displayed in these windows is also
available in the hidden columns of the Current Attack Summary table.
BDoS Attack Details
Global
Attack Characteristics The attack characteristics comprise the following parameters:
Source L4 Port
Protocol
Physical Port
Packet Count
Bandwidth [Kbits]
VLAN
MPLS RD
Device IP
TTL
L4 Checksum
TCP Sequence Number
IP ID Number
Fragmentation Offset
Fragmentation FlagA value
of 0 indicates that
fragmentation is allowed, 1
indicates that fragmentation is
not allowed.
Flow Label (IPv6 only)
ToS
Packet Size
ICMP Message Type
Displayed only if the protocol
is ICMP.
Source IP
Destination IP
Source Ports
Destination Ports
DNS ID
DNS Query
DNS Query Count
Note: Some fields can display multiple values, when relevant and
available. The values displayed depend on the current stage
of the attack. If a field is part of the dynamic signature (that
is, a specific value or values appear in all the attack traffic),
the Attack Characteristics field displays the relevant value or
values.
Attack Info The attack information comprises the following parameters:
Packet Size Anomaly RegionDisplays the statistical region of the
attack packets. The formula for the packet-size baseline for a
policy is
{(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)}
Values:
Large PacketsThe attack packets are approximately 15%
larger than the normal packet-size baseline for the policy.
Normal PacketsThe attack packets are within approximately
15% either side of the normal packet-size baseline for the
policy.
Small PacketsThe attack packets are approximately 15%
smaller than the normal packet-size baseline for the policy.
StateThe state of the protection process:
Footprints AnalysisBehavioral DoS Protection has detected an
attack and is currently determining an attack footprint.
BlockingBehavioral DoS Protection is blocking the attack
based on the attack footprint created. Through a closed
feedback loop operation, the Behavioral DoS Protection
optimizes the footprint rule, achieving the narrowest effective
mitigation rule.
Non-attackNothing was blocked because the traffic was not
an attackno footprint was detected or the blocking strictness
level was not met.
Sampled Data Opens the Sampled Data dialog box, which contains a data on sampled
attack packets.
Footprint
Footprint Blocking Rule The footprint blocking rule generated by the Behavioral DoS Protection,
which provides the narrowest effective blocking rule against the flood
attack.
Attack Statistics Table
This table displays attack traffic (Anomaly) and normal traffic information. Red indicates real-time
values identified as suspicious in the 15 seconds prior to when the attack was triggered. Black
indicates the learned normal traffic baselines. Table columns are displayed according to the
protocols: TCP (includes all flags), UDP, or ICMP.
Attack Statistics Graph
The graph displays a snapshot of the relevant traffic type for the 15-second period during which the
attack was triggered. For example, during a UDP flood, just UDP traffic is represented. The blue line
represents the normal adapted traffic baseline.
Attack Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
DoS Attack Details
Anti-Scan Attack Details
Global
Protocol
Physical Port
Packet Count
VLAN
MPLS RD
Device IP
values.
ActionThe protection Action taken.
Attacker IPThe IP address of the attacker.
Protected HostThe protected host.
Protected PortThe protected port.
Attack DurationThe duration of the attack.
Current Packet RateThe current packet rate.
Average Packet RateThe average packet rate.
attack packets.
Attack Description
Vision server.
Global
Source L4 Port
Protocol
Physical Port
Packet Count
Bandwidth [Kbits]
VLAN
MPLS RD
Device IP
Server Cracking Attack Details
Attack Info Displays protection action information, blocking details and scan
statistics.
The attack information comprises the following parameters:
ActionThe protection Action taken.
Action ReasonDescribes the difference between the
configured action and the actual action.
Blocking DurationThe blocking duration, in seconds, of the
attacker source IP address.
Estimated Release Time (Local)The estimated release time
of attacker in local time.
Avg. Time Between ProbesThe average time between scan
events in seconds.
Number of ProbesThe number of scan events from the time
the attack started.
Sampled Data Opens the Sampled Data dialog box, which contains a data on
sampled attack packets.
Footprint
Footprint Blocking Rule The footprint blocking rule generated by the anti-scanning attack
protection, which provides the narrowest effective blocking rule
against the scanning attack.
Scan Details
Destination IP The destination IP address of the scan.
Destination L4 Port The destination port of the scan.
TCP Flag The TCP packet type. This is displayed only for TCP traffic.
ICMP Message Type This is displayed only for ICMP traffic.
Attack Description
Vision server.
Global
Protocol
Source L4 Port
Physical Port
Packet Count
Bandwidth [Kbits]
VLAN
MPLS RD
Device IP
SYN Flood Attack Details
Attack Info Displays protection action information, blocking details and attack
statistics.
Blocking DurationThe blocking duration, in seconds, of the
attacker source IP address.
Estimated Release TimeThe estimated release time of
attacker in local time.
Avg. Time Between ProbesThe average time between scan
events in seconds.
Number of ProbesThe number of scan events from the time
the attack started.
Application Requests
When a server-cracking attack is detected, DefensePro sends, to
the management system, sample suspicious attacker requests
in order to provide more information on the nature of the attack.
The sample requests are sent for the protocols or attacks.
Values:
Web ScanSample HTTP requests.
Web CrackingUsername and Password.
SIPSIP user (SIP URI).
FTPUsername (if sent in the same request) and Password.
POP3Username (if sent in the same request) and
Password.
Global
Protocol
Physical Port
Packet Count
VLAN
MPLS RD
Device IP
Bandwidth [Kbits]
HTTP Flood Attack Details
Attack Info The information is displayed when the protection action is
blocking mode.
Average Attack RateThe average rate of spoofed SYNs and
data connection attempts per second, calculated every 10
seconds.
Attack ThresholdThe configured attack trigger threshold.
Spoofed SessionsThe number of established, spoofed TCP
connections per second during the attack life cycle
(aggregated). These are the sessions that were established
through the SYN-cookies mechanism or were passed through
the SYN protection trusted list.
Attack DurationThe duration, in hh: mm: ss format, of the
attack on the protected port.
TCP Challenge
HTTP Challenge
Authentication Lists Utilization The Authentication Lists Utilization group comprises the following
parameters:
TCP Auth. ListThe current utilization, in percent, of the TCP
Authentication table.
HTTP Auth. ListThe current utilization, in percent, of the
Table Authentication table.
Global
Source L4 Port
Protocol
Physical Port
Packet Count
VLAN
MPLS RD
Device IP
Bandwidth [Kbits]
Note: Some fields can display multiple values, when relevant
and available. The values displayed depend on the
current stage of the attack. If a field is part of the
dynamic signature (that is, a specific value or values
appear in all the attack traffic), the Attack
Characteristics field displays the relevant value or
values.
Protection StateThe state of the protection process:
CharacterizationThe protection module is analyzing the
attack footprint.
MitigationThe protection module is mitigating the attack
according to the profile configuration.
Suspicious ActivitiesThe protection module identified
the attack but cannot mitigate it.
Mitigation FlowThe configuration of the mitigation flow for
the profile:
DefaultThe mitigation flow for the profile is configured
to use all three mitigation actions, which are selected by
default: 1-Challenge Suspects, 2-Challenge All, 3-Block
Suspects.
CustomizedThe mitigation flow for the profile is not
configured to use all three mitigation actions.
ActionThe current action that protection module is using to
mitigate the attack:
Challenge Suspected AttackersThe protection module is
challenging HTTP sources that match the real-time
signature.
Challenge All SourcesThe protection module is
challenging all HTTP traffic toward the protected server.
Block Suspected AttackersThe protection module is
blocking all HTTP traffic from the suspect sources (that is,
sources that match the signature).
No MitigationThe protection module is in the Suspicious
Activities state and is not mitigating the attack.
Challenge MethodThe user-specified Challenge Method,
302 Redirect or JavaScript.
Suspicious SourcesThe number of sources that the
protection module suspects as being malicious.
Challenged SourcesThe number of sources that the
protection module has identified as being attackers and is
now challenging them.
Blocked SourcesThe number of sources that the protection
module has identified as being attackers and is now blocking
them.
HTTP Authentication Table Utilization [%]The percentage of
HTTP Authentication Table that is full.
Blocked Users
Source IP address The source IP addresses mitigated as attackers. Up to 40 different
IP addresses can be viewed.
Note: When the HTTP flood attack is widely distributed,
meaning more than 1000 source IP addresses, the
system does not use any source IP addresses in the
blocking rule. This mitigation occurs only if the URI Only
blocking mode option is enabled.
Request URI The HTTP request URIs that took part in the HTTP flood attack and
were mitigated.
Bypassed/Blocked Usually the value that is displayed is Blocked. Only when one of
HTTP request URIs was configured to be bypassed, is the value
Bypassed.
This table displays normal and actual traffic information.
Normal values represent the learned normal traffic baselines. Real-time values will display the
actual values when an attack is triggered.
The graph displays the HTTP request URI size distribution. The y-axis shows the number of HTTP
requests per second that refers to GET and POST request methods, and the x-axis shows the
Request URI size in bytes. The blue line represents the normal expected HTTP request rates and the
orange line represents the real-time rate values identified when the attack was triggered.
Attack Description
Vision server.
DNS Flood Attack Details
Global
Source L4 Port
Protocol
Physical Port
Packet Count
VLAN
MPLS RD
Device IP
Bandwidth [Kbits]
TTL
IP ID Number
Destination IP
DNS ID
DNS Query Count
L4 Checksum
Packet Size
Destination Ports
DNS Query
DNS An Query Count
values.
Attack Info The attack information comprises the State parameter, which indicates
the state of the protection process.
Values:
Footprints AnalysisBehavioral DoS Protection has detected an
attack and is currently determining an attack footprint.
BlockingBehavioral DoS Protection is blocking the attack based
on the attack footprint created. Through a closed feedback loop
operation, the Behavioral DoS Protection optimizes the footprint
rule, achieving the narrowest effective mitigation rule.
Non-attackNothing was blocked because the traffic was not an
attackno footprint was detected or the blocking strictness level
was not met.
attack packets.
Footprint
Footprint Blocking Rule The footprint blocking rule generated by the Behavioral DoS Protection,
which provides the narrowest effective blocking rule against the flood
attack.
This table displays attack traffic (Anomaly) and normal traffic information. Red indicates real-time
values identified as suspicious in the 15 seconds prior to when the attack was triggered. Black
indicates the learned normal traffic baselines. Table columns are displayed according to the DNS
query types: A, MX, PTR, AAAA, Text, SOA, NAPTR, SRV, Other.
The graph displays a snapshot of the relevant traffic type for the 15-second period during which the
attack was triggered. For example, during a UDP flood, just UDP traffic is represented. The blue line
represents the normal adapted traffic baseline.
Sampled Data Dialog Box
The Sampled Data dialog box contains a table with data on sampled attack packets. Each row in the
table displays the data for one sampled attack packet.
The table in the Sampled Data dialog box comprises the following columns:
Time
Source Address
Source L4 Port
Destination Address
Destination L4 Port
Protocol
VLAN
MPLS RD
Physical Port
Viewing Real-Time Traffic Statistics
You can view real-time traffic statistics over time for the IP traffic passing through the managed
DefensePro devices on selected port pairs. The information includes data on overall IP traffic,
protocol mix, and packet discards. You can display the data in graph or table format.
You can also view graphs of connection rates and concurrent connections based on data from the
Session Table.
By default, all traffic is presented in these graphs and tables. In each graph, you can filter the
display by protocol or traffic direction, but not for concurrent connections.
The Connection Statistics are displayed only when the device is operating in Full Layer 4 Session
Table Lookup mode.
You can monitor the following traffic information in the Traffic Monitoring tab:
Viewing Traffic Utilization Statistics, page 290
Viewing Connection Rate Statistics, page 292
Viewing Concurrent Connections Statistics, page 292
Viewing Traffic Utilization Statistics
You can display the following traffic statistics for selected port pairs:
Inbound IP traffic
Outbound IP traffic
Discarded inbound traffic
Discarded outbound traffic
Attack Description
Vision server.
You can display the information as a graph or table or both. The table displays the last reading for
each protocol and provides totals for all protocols. In the graph, you can display the information for
a selected protocol or the total for all protocols over a period of time.
Tip: You can use the following CLI command to get the current traffic rate in packets or bytes
per second (calculated as the average rate in 15 seconds):
dp real-time-monitor-stats get [port number]
To display traffic utilization statistics
2. Select the Traffic Monitoring tab. By default, the Traffic Utilization pane displayed.
3. Change display settings for the graph and table, as required, and click Go.
4. For the graph, set filter options for the displayed traffic data, as required. The displayed
information refreshes automatically.
Table 130: Traffic Utilization Display Settings for Graph and Table
Units Select to display the traffic rate in Kilobits per second (Kbps), or packets per
second.
Select Traffic Select the port pairs relevant for the network topology by moving the
required port pairs to the Selected Port Pairs list. All other port pairs should
be in the Available Port Pairs list.
Note: Port pairs can be selected for each direction; however, Radware
recommends that you select a port pair in one direction only, and
display traffic for both directions, if required. If you select port pairs
in both directions, and traffic for both directions, the graph will
display the same traffic twice.
Table 131: Traffic Utilization Filter Settings for the Graph
Show Traffic Select inbound traffic, outbound traffic, or both. When you select both, data
for inbound and outbound are displayed as separate lines, not as totals.
Note: The direction of traffic between a pair of ports is defined by the
In Port setting in the port pair configuration.
Protocol Select the traffic protocol to display. When you select All, total traffic
statistics are displayed.
Viewing Connection Rate Statistics
You can display a graph showing connection rate statistics of inbound and outbound traffic for
selected port pairs. You can display the information for a selected protocol or the total for all
protocols over a period of time. The time period is 30 minutes, by default, and is dependent on the
poll refresh time.
To display connection rate statistics
2. Select the Traffic Monitoring tab.
3. In the navigation pane, select Connections Rate.
4. Change display settings for the graph as required, and click Go.
Viewing Concurrent Connections Statistics
You can display a graph showing the rate of current connections for selected port pairs. You can
display the information for a selected protocol or the total for all protocols over a period of time. The
time period is 30 minutes, by default, and is dependent on the poll refresh time.
To display concurrent connections statistics
1. In the Security Monitoring perspective navigation pane, select the device, or site, for which to
display data.
2. Select the Traffic Monitoring tab, and in the navigation pane, select Concurrent Connections.
3. Select the traffic protocol from the Protocol list, and click Go.
When you select All in the Protocol list, total traffic statistics are displayed.
Table 132: Connection Rate Display Settings
Select Traffic Move the port pairs for which you want to display data to the Selected Port
Pairs list.
Note: Port pairs can be selected for each direction; however, Radware
recommends that you select a port pair in one direction only, and
display traffic for both directions, if required.
Show Traffic Select inbound traffic, outbound traffic, or both. When you select both, data
for inbound and outbound are displayed as separate lines, not as totals.
Note: The direction of traffic between a pair of ports is defined by the In
Port setting in the port pair configuration.
Protocol Select the traffic protocol to display. When you select All, total traffic
statistics are displayed.
Monitoring Attack SourcesGeographical Map
Attacks can originate from different locations around the world, for example, Web site attacks. Web
site administrators can track these attacks to see from which countries they originate.
You can generate a Top Attack Sources report for an individual device. This report displays a
geographical map of the world with indicators marking the country from which attacks originated,
based on their source IP address.
You can modify the report output by configuring the period of time over which the map displays
data, and the number of source countries to display.
The Top Attack Sources report also displays a summary table of attacks that originated from each
source country marked on the map, and you can view additional details for a selected source.
To view attack sources
1. In the Security Monitoring perspective navigation pane, select the device, or site, for which to
display data.
2. Select the GeoMap tab.
3. In the GeoMap pane, if required, change the display settings.
4. Click an attack source in the map to display more details in the Location Attacks List table.
(When no location is selected in the map, this table is empty.)
Protection Monitoring
Protection Monitoring provides the real-time traffic monitoring per network rule policy, either for the
network as a whole, if BDoS is configured, or for DNS traffic, if DNS is configured. The statistical
traffic information that Protection Monitoring provides can help you better understand the traffic that
flows through the protected network, how the configured protection is working, and, most
importantly, how anomalous traffic is detected.
For information about displaying protection information for a selected device, see the following:
Displaying Attack Status Information, page 294
Monitoring Network Rule Traffic, page 294
Monitoring DNS Flood Attack Traffic, page 296
Table 133: GeoMap Display Settings
Display Last The last number of hours for which the map displays information.
Values: 1, 2, 3, 6, 12, 24
Default: 1 hour
Top Sources to
Display
The map displays the locations that have the highest number of attacks in
the database. You can set the number locations to display up to a maximum
of 20.
Default: 5
Total Plotted Attacks (Read-only) The number of attack source locations that are displayed. All
attacks that cannot be associated with any known location are considered as
originating from a single (unknown) location.
Displaying Attack Status Information
You can display summary status information for attacks for each configured and enabled policy rule
for protection. When there is an attack that violates a network-policy rule, the table displays an icon
indicating the status of the attack in the corresponding row for the relevant attack traffic.
To display attack status information
1. In the Security Monitoring perspective navigation pane, select the DefensePro device to monitor.
2. Select the Protection Monitoring tab. By default, the Attack Status pane is displayed with the
Attack Status per Rule table.
The table comprises the following columns:
Rule Name
IPv4-TCP
IPv4-UDP
IPv4-ICMP
IPv4-DNS
IPv6-TCP
IPv6-UDP
IPv6-ICMP
IPv6-DNS
3. When an attack icon is displayed in the table, click the icon to display the corresponding attack
traffic information.
Monitoring Network Rule Traffic
You can monitor the traffic for a network-policy rule that includes BDoS protection. Traffic
information is displayed in the Statistics Graph and Last Sample Statistics table.
To display traffic information for a network policy rule that includes BDoS protection
1. In the Security Monitoring perspective navigation pane, select the device to monitor.
2. Select the Protection Monitoring tab, and select Network Rule Traffic.
3. In the content pane Filter group box, configure the filter for the display of the Statistics Graph
and Last Sample Statistics table; and then, click Go.
4. Configure the settings for the display of the Statistics Graph.
Statistics Graph
The graph displays the traffic rates for the selected network policy rule according to the specified
parameters over a period of time30 minutes by default. The time period depends on the polling
refresh configuration.
Table 134: Filter Parameters for the Statistics Graph and Last Sample Statistics Table
Rule The network policy rule. The list only displays rules configured with a BDoS
profile.
Direction The direction of the traffic that the Statistics Graph and Last Sample
Statistics table display.
Values: Inbound, Outbound
Units The unit according to which the Statistics Graph and Last Sample Statistics
table display the traffic.
Values:
KbpsKilobits per second
Packets/SecPackets per second
QPSQueries per second
Table 135: Statistics Graph Parameters
IP Version The IP version of the traffic that the graph displays.
Values: IPv4, IPv6
Protection Type The protection type to monitor.
Values:
TCP ACK FIN
TCP FRAG
TCP RST
TCP SYN
TCP SYN ACK
UDP
ICMP
IGMP
Scale The scale for the presentation of the information along the Y-axis.
Values: Linear, Logarithmic
Attack Status (Read-only) The status of the attack.
Table 136: Statistics Graph Legend
Line Description
Total Traffic
( dark blue)
The total traffic that the device sees for the specific protection type and
direction.
Legitimate Traffic
( light blue)
The actual forwarded traffic rate, after DefensePro blocked the attack.
When there is no attack, the Total Traffic and Legitimate Traffic are
equal.
Last Sample Statistics Table
Monitoring DNS Flood Attack Traffic
You can monitor the traffic for a network-policy rule that includes DNS Flood protection. Traffic
information is displayed in the Statistics Graph and Last Sample Statistics table.
To display traffic information for a network policy rule that includes DNS protection
2. Select the Protection Monitoring tab, and select Network Rule DNS Traffic.
3. In the content pane Filter group box, configure the filter for the display of the Statistics Graph
and Last Sample Statistics table; and then, click Go.
4. Configure the settings for the display of the Statistics Graph.
Statistics Graph
The graph displays the traffic rates for the selected network policy rule according to the specified
parameters over a period of time. The time period depends on the polling refresh configuration.
Normal Edge
( dashed green)
The statistically calculated baseline traffic rate.
Suspected Edge
( dashed orange)
The traffic rate that indicates a change in traffic that might be an
attack.
Attack Edge
( dashed red)
The traffic rate that indicates an attack.
Table 137: Last Sample Statistics Parameters
Traffic Type The protection type. Each specific traffic type and direction has a baseline
that the device learns automatically.
Baseline The normal traffic rate expected by the device.
Total Traffic The total traffic rate that the DefensePro device sees for the specific traffic
type and direction.
Baseline Portion % An indication for the rate invariant baselinethat is, the normal percentage
of the specific traffic type to all other traffic in the same direction.
RT Portion % The actual percentage of the specific traffic type relative to all other traffic in
the same direction.
Legitimate Traffic The actual forwarded traffic rate, after the device blocked the attack.
When there is no attack, the RT Rate and Legitimate Rate are equal.
Legitimate Portion % The actual percentage of the forwarded traffic rate of the specified type
relative to other types of traffic, after the device blocked the attack.
Degree of Attack A numeric value that evaluates the current level of attack. A value of 8 or
greater signifies an attack.
Line Description
Table 138: Filter Parameters for the Statistics Graph and Last Sample Statistics Table
Rule The network policy rule. The list only displays rules configured with a DNS
profile.
Direction The direction of the traffic that the Statistics Graph and Last Sample
Statistics table display.
Values: Inbound, Outbound
Units (Read-only) The unit according to which the Statistics Graph and Last
Sample Statistics table display the traffic.
Value: QPSQueries per second
Table 139: Statistics Graph Parameters
IP Version The IP version of the traffic that the graph displays.
Values: IPv4, IPv6
Protection Type The DNS query type to monitor.
Values:
Other
Text
A
AAAA
MX
NAPTR
PTR
SOA
SRV
Attack Status (Read-only) The status of the attack.
Line Description
Total Traffic
( dark blue)
The total traffic that the device sees for the specific protection type and
direction.
Legitimate Traffic
( light blue)
The actual forwarded traffic rate, after DefensePro blocked the attack.
When there is no attack, the Total Traffic and Legitimate Traffic are
equal.
Last Sample Statistics Table
HTTP Reports
HTTP Mitigator protection monitors rate-based and rate-invariant HTTP traffic parameters, learns
them, and generates normal behavior baselines accordingly.
You can monitor real-time and historical (normal baseline) values, and analyze HTTP traffic
anomalies using the following reports:
Monitoring Continuous Learning Statistics, page 299
Monitoring Hour-Specific Learning Statistics, page 300
HTTP Request Size Distribution, page 300
Normal Edge
1
( dashed green)
The statistically calculated baseline traffic rate.
Suspected Edge
1
( dashed orange)
The traffic rate that indicates a change in traffic that might be an
attack.
Attack Edge
1
( dashed red)
The traffic rate that indicates an attack.
1 This line is not displayed if the protection is configured to use a footprint bypass or manual
triggers.
Table 141: Last Sample Statistics Parameters
Traffic Type The protection type. Each specific traffic type and direction has a baseline
that the device learns automatically.
Baseline The normal traffic rate expected by the device.
Total Traffic The total traffic rate that the DefensePro device sees for the specific traffic
type and direction.
Baseline Portion % An indication for the rate invariant baselinethat is, the normal percentage
of the specific traffic type to all other traffic in the same direction.
RT Portion % The actual percentage of the specific traffic type relative to all other traffic in
the same direction.
Legitimate Traffic The actual forwarded traffic rate, after the device blocked the attack.
When there is no attack, the RT Rate and Legitimate Rate are equal.
Legitimate Portion % The actual percentage of the forwarded traffic rate of the specified type
relative to other types of traffic, after the device blocked the attack.
Degree of Attack A numeric value that evaluates the current level of attack. A value of 8 or
greater signifies an attack.
Line Description
Monitoring Continuous LearningStatistics
You can generate and display normal HTTP traffic baselines based on continuous traffic statistics.
Continuous learning statistics are based on recent traffic, irrespective of time of day, or day of the
week.
The learning response period (that is, the exponential sliding-window period on which statistics
measurements are based) is set based on the HTTP Mitigator learning sensitivity settings (default:
1 week).
To build a comprehensive picture of the protected sites traffic, the device monitors various HTTP
attack statistics.
Continuous learning reports display normal HTTP traffic baselines (blue) and real-time HTTP traffic
statistics (orange) over the specified recent time period.
Note: Normal Requests per Source and Requests per Connection baseline parameters show
the highest number of HTTP requests generated by a single source IP address and TCP
connection respectively. This number fades out, unless a higher value is observed,
within about 30 seconds.
To display continuous learning HTTP reports
2. Select the HTTP Reports tab.
3. Select a report under the Continuous Learning Statistics node.
4. In the selected report pane, change display settings for the graph, as required, and click Go.
Table 142: Continuous Learning Statistics Reports
Channel Description
GET & POST Requests Rate The rate of HTTP GET and POST requests sent per second to the
protected server.
Other Requests Rate The rate of HTTP requests that are not POST or GET sent per
second to the protected server. Other HTTP request methods can
be used, but are used less frequently.
Requests Rate per Source The maximum rate of HTTP GET and POST requests per second
per source IP address.
This parameter characterizes the site users behavior, enabling
you to recognize abnormal activities, such as scanning or bots.
Legitimate users may generate many requests per second, but
automatic devices such as bots or scanners generate many more.
Requests per Connection The maximum number of HTTP GET and POST requests per TCP
connection.
This parameter characterizes the site users behavior, enabling
you to recognize abnormal activities, such as scanning or bots.
Many requests over a single TCP connection may indicate bot or
scanner activity.
Outbound Bandwidth The bandwidth, in megabits per second, of the HTTP servers
sending the responses.
Monitoring Hour-Specific LearningStatistics
The Hour-Specific Learning Statistics reports display normal traffic baselines for the last week. You
can view the hourly distribution of the site requests and outbound HTTP traffic for each day in the
past week and for each hour in a day.
The normal baseline for each hour in the week is calculated based on historical information for the
specific hour in the day and the specific day of the week over the past 12 weeks. The graph is
updated every hour.
The HTTP Mitigator learns the baseline traffic, and, based on these statistics, reports attacks based
on abnormal traffic.
To display hour-specific learning HTTP reports
2. Select the HTTP Reports tab.
3. Select a report under the Hour-Specific Learning Statistics node.
4. In the Server IP list, select the IP address of the protected Web server for which to display
information, and click Go.
HTTP Request Size Distribution
The HTTP Request Size Distribution graph displays the URI size distribution, which shows how server
resources are used, and helps you to analyze resource distribution. A large deviation from the
normal probability distribution of one or more HTTP request sizes indicates that relative usage of
these server resources has increased.
Table 143: HTTP Report Display Settings
Server IP The IP address of the protected Web server for which to display HTTP traffic
statistics.
Display Last The last number of hours for which the graph displays information.
Values: 1, 2, 3, 6, 12, 24
Default: 1 hour
Table 144: Hour-Specific Learning Statistics Reports
Channel Description
GET & POST Requests Rate The rate of HTTP GET and POST requests sent per second to the
protected server.
Other Requests Rate The rate of HTTP requests that are not POST or GET sent per
second to the protected server. Other HTTP request methods can
be used, but are used less frequently.
Outbound Bandwidth The bandwidth, in megabits per second, of the HTTP pages sent
as responses.
The HTTP Request Size Distribution graph x-axis values are request sizes in 10-byte increments. The
y-axis values are percentages of requests. The probability reflects the level of usage of each Request
size for the protected Web server. In the graph, the blue bars represent normal probability
distribution, and the orange bars represent real-time probability (short-term probability) as
calculated in intervals of a few seconds.
To display the HTTP request size distribution
2. Select the HTTP Reports tab, and in the navigation pane, select HTTP Request Size
Distribution.
3. Change display settings for the graph, as required, and click Go.
Table 145: HTTP Request Size Distribution Settings
Server IP Select the IP of the protected server for which to display information.
Display Last The last number of hours for which the map displays information.
Values: 1, 2, 3, 6, 12, 24
Default: 1 hour
Chapter 12 Administering DefensePro
This chapter describes administering DefensePro.
Note: DefensePro supports up to two simultaneous Telnet or SSH sessions.
When you log on to CLI through Telnet or SSH, there is a predefined time-out for completing the
authentication procedure. After establishing a CLI session with the device, the user name and
password must be inserted within the period defined by the Authentication Time-out parameter.
After three incorrect login attempts, the terminal is locked for 10 minutes and no further login
attempts are accepted from that IP address.
For Telnet or SSH sessions, you define the period of time the connection with the device is
maintained despite session inactivity with the Session Time-out parameter. If the session is still
inactive when the predefined period ends, the session automatically terminates.
Command Line Interface
Access to the Command Line Interface (CLI) requires a serial cable and a terminal emulation
application. Although each product has a slightly different list of commands, the majority of the
available options are the same:
You can also use CLI to debug. When debugging is required, DefensePro generates a separate file,
delivered in text format, aggregating all the CLI commands needed by Radware Technical Support.
The file also includes the output of various CLI commands, such as printouts of the Client table, ARP
table, and so on.
CLI Commands
Command Description
bwm Policy management and classification
cl asses Configures traffic attributes used for classification
devi ce Device Settings
hel p Displays help for the specified command
l ogi n Log in to the device
l ogout Log out of the device
DP DefensePro parameters
manage Device management configuration
net Network configuration
pi ng Sends echo requests
r eboot Reboot the device
secur i t y Security settings
ser vi ces General networking services
st at i st i cs Device statistics configuration
syst em System parameters
Administering DefensePro
You can download this file using APSolute Vision and send it to Radware Technical Support (see
Downloading a Devices Configuration File, page 245).
CLI Session Time-Out
You can define the period of time the connection with the device via the console remains open
despite the sessions inactivity with the Session Time-out parameter. After the predefined time, the
session is automatically terminated.
To configure the session time-out
For the console, use the following command:
Manage t er mi nal sessi on- t i meout
For the SSH session, use the following command:
Manage ssh sessi on- t i meout
For the Telnet session, use the following command:
Manage t el net sessi on- t i meout
For the SSH authentication, use the following command:
Manage ssh aut h- t i meout
For the Telnet authentication, use the following command:
Manage t el net aut h- t i meout
CLI Capabilities
You can use DefensePro CLI through console access, Telnet, or SSH.
The CLI provides the following capabilities:
Consistent, logically structured and intuitive command syntax.
A syst emconf i g command to view the current configuration of the device, formatted as CLI
command lines.
Pasting the output of syst emconf i g, or part of it, to the CLI of another device, using the
syst emconf i g set command. This option can be used for easy configuration replication.
Help and command completion keys.
Command line editing keys.
Command history.
Configurable prompt.
Configurable banner for Telnet and SSH.
Pingping other hosts on the network to test availability of the other hosts.
Tracerouteuse the command trace-route <destination IP address>.
Output format:
DP#t r ace- r out e www. r adwar e. com
t r ace- r out e t o host 209. 218. 228. 203:
1: 50ms 50ms 50ms 212. 150. 43. 130
2: 50ms 50ms 50ms 80. 74. 101. 129
3: 50ms 50ms 50ms 192. 116. 214. 2
4: * * *
5: 50ms 50ms 50ms 80. 74. 96. 40
Telnet clientto initiate a Telnet session to remote hosts, use the following CLI command:
telnet <IP address>
SSH clientto initiate a SSH session to remote hosts, use the following CLI command:
ssh <IP address>
CLI Traps
When connected to a physical DefensePro platform via a serial cable, the device generates traps
when events occur.
To send traps by CLI, Telnet, and SSH, the command is:
manage terminal traps-outputs set-on
For console only:
manage terminal traps-outputs set normal
Send Traps To All CLI Users
This option enables you to configure whether traps are sent only to the serial terminal or to SSH and
Telnet clients as well.
Web Based Management
Each DefensePro device can be managed using a Web-based interface. Web access can also be
confined to SSL. The administrator can specify the TCP port for Web Based Management (WBM) and
Secure Web Based Management (SWBM).
The Web Based Management user interface is an easy and fast single device manager, which does
not require any installation on a client.
When using Web Based Management, on-line help is available from the Radware corporate Web site,
or you can specify a custom location for help files.
Note: In Web Based Management, the online help is available by clicking on the ? Help icon
that is displayed in every screen.
Web Based Management Capabilities
You can also use secure Web Based Management, that is, an HTTPS session. By default, the device
has self-signed Radware SSL certificates. You can also specify your own self-signed SSL certificates.
To create a new SSL certificate using Web Based Management
1. Select Services > SSL > Certificates. The SSL Certificates window is displayed.
2. Click Create. The Create Self Signed Certificate window is displayed.
3. Fill in the relevant parameters and click OK.
Note: SSL Keys and certificates are not exported as part of the configuration.
Web Services
DefensePro devices can be managed through SNMP, serial port, Telnet, SSH, HTTP (via internal Web
application), and HTTPS. To provide customers with the capability to develop enhanced application
monitoring, customized application delivery network management applications and advanced
automation tools, Radware provides Web Service interfaces on DefensePro with APSolute API, an
open standards-based SOAP (XML) API.
Integration with APSolute API allows customers a comprehensive view of device performance,
including historical data analysis and trending, performance diagnostics, availability reports and the
automation of maintenance operations and fine-tuning of DefensePro for optimal application delivery
based on external parameters.
Key features:
Control of Radware product features and functions from any external application.
API enabled network devices appear as software for applications, resulting in true, software-
native integration.
Comprehensive SDK for multiple development platforms and languages.
Extensive sample application code, documentation, and configuration guidance.
Over 1,700 methods available through a Web Services-based API.
Support for SOAP/XML over HTTPS ensures flexible and secure communications.
API Structure
The APSolute API is a SOAP/XML interface that provides full access to DefensePro devices for third-
party applications utilizing common development languages, including Java, Visual Basic/C#, and
Perl. This interface enables both device configuration and monitoring status and performance
statistics.
APSolute API offers two approaches to interacting with DefensePro devices:
1. Issuing CLI commands:
This interface does not provide support for:
Commands that are not configuration commands or monitoring, such as ping, telnet and
trace-route.
Commands that have asynchronous output (such as accelerator related CLI commands).
The response to a CLI command is limited to the first 1000 rows.
2. Configuring and monitoring the devices via SOAP commands that mirror Radware's SNMP MIB:
The following type of commands are available:
For scalar MIB parameter, retrieve (get) the value and change (set) the value.
For a MIB table entry, create an entry, delete an entry, update one or more parameters of an
entry, retrieve (get) an entry, retrieve (get) the entire table, walk through the table (get first
entry and get next).
The DefensePro Web services operate via HTTP or HTTPS requests, like a regular Web browser. Web
Services are by default disabled on DefensePro.
You can enable DefensePro Web services by means of the following:
CLImanage Web-services status
WBMWeb Services window (Services > Web > Web Services window)
APSolute VisionAccess tab of Setup window
You can enable Web Services only if either the Web or secure Web management interface is enabled
on the device.
APSolute API Software Development Kit (SDK)
The APSolute API SDK comes with all the necessary components and documentation to enable rapid
development of control and monitoring capabilities in custom-developed applications. This includes
the following:
Web Service Description Language (WSDL) files for all interfaces and modules
API Reference
Product overview
Sample code for some basic device configuration/monitoring functions
To start working with the APSolute API SDK, install a SOAP client tool kit (supporting SOAP
version 1.1 and later) and a development environment for the tool kit on the workstation.
Appendix A Behavioral DoS Advanced
Settings
This appendix describes Footprint Bypass types according to protocol. For more information, see
Configuring BDoS Footprint Bypass, page 124.
TCP Protocols
Bypass Type Description
Sequence Number Sequence number value from the relevant TCP packet header.
ID Number ID Number from the IP packet header.
ID Number IPv6 ID Number from the IPv6 packet header.
Source Port Source port of the generated attack.
Frag Offset Indicates where this fragment belongs in the datagram. The fragment
offset is measured in units of 8 bytes (64 bits).
Frag Offset IPv6 Indicates where this IPv6 fragment belongs in the datagram. The IPv6
fragment offset is measured in units of 8 bytes (64 bits).
Flow Label Used by a source to label those products for which it requests special
handling by the IPv6 router. The flow is uniquely identified by the
combination of a Source address and a non-zero flow label.
Source IP Source IP address of the generated attack.
Source IP IPv6 Source IPv6 address of the generated attack.
ToS Type of Service value from the IP packet header.
Packet Size Size of the packet in bytes, including the data-link header.
Packet Size IPv6 Size of theIPv6 packet in bytes, including the data-link header.
Destination Port Destination TCP port of the attack.
Destination IP Destination IP address of the attack.
Destination IP IPv6 Destination IPv6 address of the attack.
Fragment UDP fragmented packet.
TTL Time-To-Live value in the IP packet header.
ICMP
Checksum Checksum value in the ICMP header of the packet.
ID Number ID number in the packet header.
ID Number IPv6 ID number in the IPv6 packet header.
Behavioral DoS Advanced Settings

Packet Size Size of the packet in bytes, including data-link header.
Packet Size IPv6 Size of the IPv6 packet in bytes, including data-link head
Destination IP Destination IP address of the attack, if this host is defined in the
Protected Hosts table.
Fragment ICMP Fragmented packet.
ICMP Message Type ICMP Message Type value.
ICMP Message Type IPv6 ICMP IPv6 Message Type value.
IGMP
Checksum Checksum value in the ICMP header of the packet.
Packet Size IPv6 Size of the IPv6 packet in bytes, including data-link header.
Destination IP Destination IP address of the attack, if this host is defined in the
Protected Hosts table.
Fragment IGMP Fragmented packet.
IGMP Message Type IGMP Message Type value.
ICMP
SYN
Sequence Number Sequence number value from the TCP packet header.
ID Number IPv6 ID Number from the IP packet header.
Source IP IV6 Source IPv6 address of the generated attack.
Packet Size IP V6 Size of the IPv6 packet in bytes, including data-link header.
Fragment TCP fragmented packet.
TCP Fragmentation
Sequence Number Sequence number value from the TCP Fragmentation packet header.
Packet Size IPv6 Size of the IPv6 packet in bytes, including data-link header.
Fragment TCP Fragmentation fragmented packet.
UDP
Checksum Checksum value in the UDP header of the packet.
ID Number IPv6 ID Number from the IPv6 packet head.
DNS ID Number ID number of a DNS query.
DNS Qname Domain name requested by a DNS query.
DNS Qcount Number of DNS queries in a single DNS session.
Source Port Source port of the attack.
Source IP Source IP address of the attack.
Source IP IPv6 Source IPv6 address of the attack.
Packet Size Size of the packet in bytes, including data-link layer.
Packet Size IPv6 Size of the IPv6 packet in bytes, including data-link layer.
Destination Port Destination port of the attack.
Fragment UDP Fragmented packet.
TCP Fragmentation
Appendix B Configuring SSL-Based Protection
with AppXcel
Note: This solution is deprecated.
DefensePro in conjunction with Radwares AppXcel, can inspect SSL encrypted sessions and protect
SSL tunnels from attacks. When a session is encrypted using SSL, an IPS/IDS device based on
signature matching cannot inspect the secured traffic. DefensePro passively inspects SSL encrypted
sessions. SSL traffic is mirrored by DefensePro and the decrypted session is inspected.
SSL traffic is classified by the device the same way regular traffic is. Traffic is mirrored by
DefensePro and sent to AppXcel. AppXcel decrypts the HTTPS to HTTP and DefensePro then applies
its security policies on the HTTP traffic. If an attack is identified, DefensePro sends a RST packet to
the source and/or destination of the original connection.
Figure 20: SSL-based Protection Flow
1. A client initiates an HTTPS session with the server.
2. When DefensePro forwards the traffic to the server, it replicates the HTTPS session to a
preconfigured port, where an AppXcel unit is connected.
3. AppXcel operates in passive SSL mode, decrypts the HTTPS session and returns it as an HTTP
session.
4. DefensePro inspects the HTTP traffic received from AppXcel based on its policies. If an attack is
detected, DefensePro sends a Reset packet to the source and/or destination.
Note: Bandwidth Management, DoS, SYN protection and other policies can also be applied to
the original SSL streams.
Before you configure SSL inspection, configure inspection ports in the Static Forwarding table by
setting the operating mode to Process.
When you assign the same Destination Port to more than one Source Port, you must set the
Destination Port of the traffic in the opposite direction, otherwise the traffic transmitted in that
direction is ignored. For example, if both Source Port 1 and Source Port 2 are associated with
Router DefensePro Web servers
AppXcel
HTTPS
RST
HTTPS HTTP
2 3
4
RST
4
1
Configuring SSL-Based Protection with AppXcel
Destination Port 3, then for traffic in the opposite direction, the Source Port is 3 while the
Destination Port must be defined (1 or 2).
To configure SSL inspection
1. In the Configuration perspective Networking tab navigation pane, select SSL Inspection.
To add an SSL inspection physical port, click the (Add) button.
To edit a port, double-click the row.
3. Configure SSL inspection physical port settings and click OK.
4. Configure SSL inspection Layer 4 port settings.
Configuring SSL Inspection Layer 4 Ports for DefensePro
To configure SSL inspection Layer 4 ports
1. In the Configuration perspective Networking tab navigation pane, select SSL Inspection >
L4 Ports.
To add an SSL inspection Layer 4 port, click the (Add) button.
To edit a port, double-click the row.
3. Configure SSL inspection Layer 4 port settings and click OK.
Table 146: SSL Inspection Physical Port Parameters
Incoming Port The scanning port that was configured for one of the traffic directions.
Port towards AppXcel The port that is used for SSL acceleration.
This port must be dedicated to the SSL acceleration and cannot be used for
other purposes, such as static forwarding or network interface.
Table 147: SSL Inspection Layer 4 Port Parameters
TCP Incoming Port The SSL service port of the original traffic.
This TCP port is used for forwarding SSL sessions.
TCP Port towards
AppXcel
The corresponding service port that AppXcel uses for decrypted sessions.
This HTTP port is used after decryption.
Appendix C Troubleshooting
If the device does not operate as expected, you can diagnose the system or provide Radware
Technical Support with relevant information.
For troubleshooting hardware-related issues, see the Radware Installation and Maintenance Guide.
This appendix contains the following sections:
Diagnostic Tools, page 315
Technical Support File, page 322
Diagnostic Tools
DefensePro supports the following diagnostic tools:
Traffic Capture
Trace-Log
Diagnostic tools are only available using CLI or Web Based Management.
Diagnostic tools start working only after there is a diagnostic policy configured on the device (see
Diagnostics Policies, page 320) and the relevant options are enabled.
Diagnostic tools stop in the following cases:
You stop the relevant task.
You reboot the device. That is, when the device reboots, the status of the Capture Tool reverts to
Disabled.
Traffic Capture Tool, page 315
Trace-Log, page 316
Diagnostic Tools Files Management, page 319
Diagnostics Policies, page 320
Traffic Capture Tool
The Traffic Capture tool captures packets that enter the device, leave the device, or both. The
captured traffic is in TCPDUMP format. You can download the captured packets, and analyze the
traffic using Unix snoop or various tools. For remote administration and debugging, you can also
send captured traffic to a terminal (CLI, Telnet, and SSH). You can specify where the device captures
packets to get a better understanding of the traffic flowespecially if the device manipulates the
packetsdue to NAT, traffic from a VIP to a real server, and so on.
Caution: Enabling this feature may cause severe performance degradation.
The Traffic Capture tool uses the following format for packet capture files:
capt ur e_<Devi ce Name>_ddMMyyyy_hhmmss_<f i l e number >. cap
Troubleshooting
To configure the Capture Tool using Web Based Management
1. Select Services > Diagnostics > Capture > Parameters. The Capture Tool Configuration
pane is displayed.
Trace-Log
The Trace-Log tool provides data on the traffic flow within the device. The feature is intended for
debugging purposes only.
Caution: Enabling this feature may cause severe performance degradation.
DefensePro uses the following format for Trace-Log files:
t r ace_l og_<Devi ce Name>_ddMMyyyy_hhmmss_<f i l e number >. t xt
Capture Tool Configuration Parameters
Status Specifies whether the Capture Tool is enabled.
Values: Enabled, Disabled
Default: Disabled
Note: When the device reboots, the status of the Capture Tool
reverts to Disabled.
Output To File Specifies the location of the stored captured data.
Values:
RAM Drive and FlashThe device stores the data in RAM and
appends the data to the file on the CompactFlash drive. Due to
limits on CompactFlash size, DefensePro uses two files. When
the first file becomes full, the device switches to the second,
until it is full and then it overwrites the first file, and so on.
RAM DriveThe device stores the data in RAM.
NoneThe device does not store the data in RAM or flash, but
you can view the data using a terminal.
Output To Terminal Specifies whether the device sends captured data to the terminal.
Default: Disabled
Capture Point Specifies where the device captures the data.
Values:
On Packet ArriveThe device captures packets when they
enter the device.
On Packet SendThe device captures packets when they leave
the device.
BothThe device captures packets when they enter the device
and when they leave the device.
Troubleshooting
Trace-Log Tool Configuration, page 317
Diagnostics Trace-Log Message Format, page 317
Trace-Log Modules, page 318
Trace-Log Tool Configuration
To configure the Trace-Log tool using Web Based Management
1. Select Services > Diagnostics > Trace-Log > Parameters. The Diagnostics Trace-Log Tool
Configuration pane is displayed.
Diagnostics Trace-Log Message Format
Use the Diagnostics Trace-Log Message Format pane to specify which parameters appear in the
Trace-Log message.
To configure the diagnostics Trace-Log message format using Web Based
Management
1. Select Services > Diagnostics > Trace-Log > Message Format. The Diagnostics Trace-Log
Message Format pane is displayed.
Trace-Log Tool Configuration Parameters
Status Specifies whether the Trace-Log tool is enabled.
Default: Disabled
Output To File Specifies the location of the stored data.
Values:
RAM Drive and FlashThe device stores the data in RAM and
appends the data to the file on the CompactFlash drive. Due to
limits on CompactFlash size, DefensePro uses two files. When the
first file becomes full, the device switches to the second, until it is
full and then it overwrites the first file, and so on.
RAM DriveThe device stores the data in RAM.
NoneThe device does not store the data in RAM or flash, but you
can view the data using a terminal.
Output To Terminal Specifies whether the device sends Trace-Log data to the terminal.
Default: Disabled
Output To Syslog Server Specifies whether the device sends Trace-Log data to a syslog server.
Default: Disabled
Troubleshooting
Trace-Log Modules
To help pinpoint the source of a problem, you can specify which DefensePro modules the Trace-Log
feature works on and the log severity per module.
To configure the parameters of the Trace-Log modules using Web Based Management
1. Select Services > Diagnostics > Trace-Log > Modules. The Trace-Log Modules pane is
displayed.
The table in the pane comprises the following columns:
Diagnostics Trace-Log Message Format Parameters
Date Specifies whether the date that the message was generated is included in the
Trace-Log message.
Time Specifies whether the time that the message was generated is included in the
Trace-Log message.
Platform Name Specifies whether the platform MIB name is included in the Trace-Log
message.
File Name Specifies whether the output file name is included in the Trace-Log message.
Line Number Specifies whether the line number in the source code is included in the Trace-
Log message.
Packet Id Specifies whether an ID assigned by the device to each packet is included in
the Trace-Log message. This enables you see the order of the packets.
Module Name Specifies whether the name of the traced module is included in the Trace-Log
message is included in the Trace-Log message.
Task Name Specifies whether the name of the specific task of the d module is included in
the Trace-Log message.
Column Description
Name Name of the module.
Values:
ACL
BWM
GENERIC
LCD
Status Current status of the traced module.
Troubleshooting
2. Click the relevant link. The Trace-Log Modules Update pane is displayed.
Diagnostic Tools Files Management
DefensePro can store the output of the diagnostic tools in RAM and in the CompactFlash.
If the device is configured to store the output in the CompactFlash, when the data size in RAM
reaches its limit, the device appends the data chunk from RAM to the file on the CompactFlash drive.
For each enabled diagnostic tool, DefensePro uses two temporary files. When one temporary file
reaches the limit (1 MB), DefensePro stores the information in the second temporary file. When the
second temporary file reaches the limit (1 MB), DefensePro overwrites the first file, and so on. When
you download a CompactFlash file, the file contains both temporary files.
Use the Diagnostic Tools Files Management pane to download or delete files from the RAM or
CompactFlash.
Severity The lowest severity of the events that the Trace-Log includes for this module.
Values:
Emergency
Alert
Critical
Error
Warning
Notice
Info
Debug
Trace-Log Modules Update Parameters
Status Specifies whether the Trace-Log feature is enabled for the module.
Severity The lowest severity of the events that the Trace-Log includes for this module.
Values:
Emergency
Alert
Critical
Error
Warning
Notice
Info
Debug
Note: The default varies according to module.
Column Description
Troubleshooting
To download or delete Trace-Log data using Web Based Management
1. Select Services > Diagnostics > Files. The Diagnostic Tools Files Management pane is
displayed.
The pane contains two tables, Files On RAM Drive and Files On Main Flash. Each table comprises
the following columns:
2. From the Action column, select the action, Download or Delete, and follow the instructions.
Diagnostics Policies
In most cases, there is no need to capture all the traffic passing through the device. Using diagnostic
policies, the device can classify the traffic and store only the required information.
Note: To reuse the policy, edit the policy and set it again.
To configure a diagnostics policy using Web Based Management
1. Select Services > Diagnostics > Policies. The Diagnostics Policies pane is displayed.
2. Click Create. The Diagnostics Policies Create pane is displayed.
File Name The name of the file.
File Size The file size, in bytes.
Action The action that you can take on the data stored.
Values:
downloadStarts the download process of the selected data. Follow the
on-screen instructions.
deleteDeletes the selected file.
Diagnostics Policies Parameters
Name The user-defined name of the policy up to 20 characters.
Index The number of the policy in the order in which the diagnostics tools
classifies (that is, captures) the packets.
Default: 1
Description The user-defined description of the policy.
VLAN Tag Group The VLAN Tag group whose packets the policy classifies (that is,
captures).
Troubleshooting
Destination The destination IP address or predefined class object whose packets
the policy classifies (that is, captures).
Default: anyThe diagnostics tool classifies (that is, captures)
packets with any destination address.
Source The source IP address or predefined class object whose packets the
policy classifies (that is, captures).
Default: anyThe diagnostics tool classifies (that is, captures)
packets with any source address.
Outbound Port Group The port group whose outbound packets the policy classifies (that is,
captures).
Inbound Port Group The port group whose inbound packets the policy classifies (that is,
captures).
Service Type The service type whose packets the policy classifies (that is, captures).
Service The service whose packets the policy classifies (that is, captures).
Values:
None
Basic Filter
AND Group
OR Group
Default: None
Destination MAC Group The Destination MAC group whose packets the policy classifies (that is,
captures).
Source MAC Group The Source MAC group whose packets the policy classifies (that is,
captures).
Maximal Number of Packets The maximal number of packets the policy captures. Once the policy
captures the specified number of packets, it stops capturing traffic. In
some cases, the policy captures fewer packets than the configured
value. This happens when the device is configured to drop packets.
Maximal Packet Length The maximal length for a packet the policy captures.
Capture Status Specifies whether the packet-capture feature is enabled in the policy.
Default: Disabled
Trace-Log Status Specifies whether the Trace-Log feature is enabled in the policy.
Default: Disabled
Diagnostics Policies Parameters
Troubleshooting
Technical Support File
A DefensePro device can generate a technical-support file, which you can save to a specified location
and send to Radware Technical Support to help diagnose problems.
Using the CLI, the technical-support file includes the following:
The data that Radware Technical Support typically needs to diagnose a problem with a
DefensePro deviceThe data comprises the collected output from various CLI commands.
A record of each configuration change to the device (by any management interface). A device
begins storing these records when the device receives its first command. The records are sorted
by date in ascending order. When the size of the data exceeds the maximum allowed size (2
MB), the oldest record is overwritten. The entire data is never cleared unless you erase the
device configuration.
dp_support.txtContains the data that Radware Technical Support typically needs to
diagnose a problem with a DefensePro device. The data comprises the collected output from
various CLI commands.
auditLog.logContains record of each configuration change to the device (by any
management interface). A device begins storing these records when the device receives its first
command. The records are sorted by date in ascending order. When the size of the data exceeds
the maximum allowed size (2 MB), the oldest record is overwritten. The entire data is never
cleared unless you erase the device configuration
The structure of each record in the audi t Log. l og file is as follows:
<dd>- <MM>- <yyyy> <hh>: <mm>: <ss> <Event descr i pt i on>
Example:
06- 12- 2009 19: 16: 11 COMMAND: l ogout by user r adwar e vi a Consol e
HTTPFLD.tarContains data on HTTP floods.
NTFLD.tarContains data on network floods.
To generate and display the output of the technical-support file on the terminal using
CLI
Enter the following command:
manage suppor t di spl ay
To generate a technical-support file and send it to a TFTP server using CLI
Enter the following command:
manage suppor t t f t p put <f i l e name> <TFTP ser ver I P addr ess> [ - v]
where:
- v displays also the output of the command.
Troubleshooting
To generate and download the technical-support file using Web Based Management
1. Select File > Support. The Download Tech Support Info File pane is displayed.
2. Click Set. A File Download dialog box opens.
3. Click Open or Save and specify the required information.
Troubleshooting
Appendix D Predefined Basic Filters
The following table lists predefined basic filters that DefensePro supports. The list may vary
depending on the product version. You can view the entire list of basic filters and their properties in
the Modify Basic Filter Table pane (using Web Based Management, Classes > Modify Services >
Basic Filters).
Table 148: Predefined Basic Filters
Name Description Protocol OMPC Offset OMPC Mask
000 Routine IP 1 e0000000
001 Priority IP 1 e0000000
010 Immediate IP 1 e0000000
011 Flash IP 1 e0000000
100 ToS Flash Override IP 1 e0000000
101 CRITIC/ECP IP 1 e0000000
110 Internetwork Control IP 1 e0000000
111 Network Control IP 1 e0000000
aim-aol-any AIM/AOL Instant Messenger TCP 0 ffff0000
aol-msg AOL Instant TCP 0 0
ares_ft_udp_0 Ares_FT_udp UDP 36 ffffffff
ares_ft_udp_1 Ares_FT_udp UDP 40 ff000000
bearshare_download_tcp_0 BearShare_Download_tcp TCP 0 ffffffff
bearshare_download_tcp_1 BearShare_Download_tcp TCP 4 ffffffff
bearshare_request_file_udp_0 BearShare_Request_File_udp UDP 0 ffffffff
bearshare_request_file_udp_1 BearShare_Request_File_udp UDP 4 00ffffff
bittorrent_command_1_0 BitTorrent TCP 0 ffffffff
bittorrent_command_3_5 BitTorrent TCP 20 ffff0000
bittorrent_command_4_0 BitTorrent TCP 8 ffffff00
bittorrent_command_4_1 BitTorrent TCP 11 ff000000
bittorrent_command_4_2 BitTorrent TCP 11 ff000000
bittorrent_udp_1_0 BitTorrent_UDP_1 UDP 8 ffffff00
bittorrent_udp_1_1 BitTorrent_UDP_1 UDP 12 ffff0000
citrix-admin Citrix Admin TCP 0 0
citrix-ica Citrix ICA TCP 0 0
citrix-ima Citrix IMA TCP 0 0
citrix-ma-client Citrix MA client TCP 0 0
citrix-rtmp Citrix RTMP TCP 0 0
diameter Diameter TCP 0 0
directconnect_file_transfer_0 DirectConnect_File_transfer TCP 0 ff000000
directconnect_file_transfer_1 DirectConnect_File_transfer TCP 21 ffffffff
directconnect_file_transfer_2 DirectConnect_File_transfer TCP 25 ffffffff
dns Session for DNS UDP 0 0
emule_tcp_file_request_0 eMule TCP 0 ff000000
emule_tcp_file_request_1 eMule TCP 4 ffff0000
emule_tcp_hello_message_0 eMule TCP 0 ff000000
emule_tcp_hello_message_1 eMule TCP 4 ffff0000
emule_tcp_secure_handshake_0 eMule TCP 0 ff000000
emule_tcp_secure_handshake_1 eMule TCP 4 ffff0000
ftp-session Session for FTP TCP 0 0
gnutella_tcp_1_0 Gnutella_TCP_1 TCP 0 ffffff00
gnutella_tcp_2_0 Gnutella_TCP_2 TCP 0 ffffffff
gnutella_tcp_2_1 Gnutella_TCP_2 TCP 4 ffffffff
gnutella_tcp_3_0 Gnutella_TCP_3 TCP 0 ffffff00
googletalk_ft_1_0 GoogleTalk_FT_1 UDP 24 ffffffff
googletalk_ft_1_3 GoogleTalk_FT_1 UDP 36 ffff0000
groove_command_1_0 Groove TCP 6 ffffffff
groove_command_2_1 Groove TCP 10 ffff0000
h.225-session Session Of H225 TCP 0 0
hdc1 High Drop Class 1 IP 1 fc000000
http World Wide Web HTTP TCP 0 0
http-alt HTTP alternate TCP 0 0
https HTTP over SSL TCP 0 0
icecast_1 IceCast_Stream TCP 0 ffffffff
icecast_2 IceCast_Stream TCP 4 ffffffff
icecast_3 IceCast_Stream TCP 8 ffff0000
icmp ICMP ICMP 0 0
icq ICQ TCP 0 0
icq_aol_ft_0 ICQ_AOL_FT TCP 0 ffffffff
icq_aol_ft_1 ICQ_AOL_FT TCP 0 ffffffff
icq_aol_ft_2 ICQ_AOL_FT TCP 2 ffff0000
imap Internet Message Access TCP 0 0
imesh_download_tcp_0 iMesh_Download_tcp TCP 0 ffffffff
imesh_download_tcp_1 iMesh_Download_tcp TCP 4 ffffffff
imesh_request_file_udp_0 iMesh_Request_File_udp UDP 0 ffffffff
imesh_request_file_udp_1 iMesh_Request_File_udp UDP 4 00ffffff
ip IP Traffic IP 0 0
itunesdaap_ft_0 iTunesDaap_FT TCP 0 ffffffff
itunesdaap_ft_1 iTunesDaap_FT TCP 4 ffffffff
itunesdaap_ft_2 iTunesDaap_FT TCP 8 ffffff00
itunesdaap_ft_3 iTunesDaap_FT TCP 2 ffff0000
kazaa_request_file_0 Kazaa_Request_File TCP 0 ffffffff
kazaa_request_file_1 Kazaa_Request_File TCP 4 ffffffff
kazaa_request_file_2 Kazaa_Request_File TCP 8 ffff0000
kazaa_udp_packet_0 Kazaa_UDP_Packet UDP 6 ffffffff
kazaa_udp_packet_1 Kazaa_UDP_Packet UDP 4 ffff0000
ldap LDAP TCP 0 0
ldaps LDAPS TCP 0 0
ldc1 Low Drop Class 1 IP 1 fc000000
lrp Load Report Protocol UDP 0 0
manolito_file_transfer_0_0 Manolito TCP 0 ffffffff
manolito_file_transfer_1_0 Manolito TCP 4 ff000000
mdc1 Medium Drop Class 1 IP 1 fc000000
meebo_get_0 MEEBO_GET TCP 0 ffffffff
meebo_get_8 MEEBO_GET TCP 32 ff000000
meebo_post_0 MEEBO_POST TCP 0 ffffffff
meebo_post_7 MEEBO_POST TCP 28 ffffff00
msn-any MSN Messenger Chat TCP 0 ffffffff
msn-msg MSN Messenger Chat TCP 0 0
msn_msgr_ft_0 MSN_MSGR_FT TCP 0 ffffffff
msn_msgr_ft_1 MSN_MSGR_FT TCP 48 ffffffff
mssql-monitor Microsoft SQL traffic-monitor TCP 0 0
mssql-server Microsoft SQL server traffic TCP 0 0
nntp Network News TCP 0 0
nonip Non IP Traffic NonIP 0 0
oracle-server1 Oracle server TCP 0 0
oracle-v1 Oracle SQL *Net version 1 TCP 0 0
oracle-v2 Oracle SQL *Net version 2 TCP 0 0
pop3 Post Office Protocol 3 TCP 0 0
prp PRP UDP 0 0
radius RADIUS protocol TCP 0 0
rexec Remote Process Execution TCP 0 0
rshell Remote Shell TCP 0 0
rtp_ft_0 RTP_FT UDP 0 ffff0000
rtsp RTSP TCP 0 0
sap SAP TCP 0 0
sctp SCTP Traffic SCTP 0 0
skype-443-handshake Skype signature for port 443 TCP 0 ff000000
skype-443-s-hello Skype signature for port 443 TCP 11 ffffffff
skype-80-l-56 Skype signature for port 80 TCP 2 ffff0000
skype-80-proxy Skype signature for port 80 TCP 0 ffffffff
skype-80-pshack Skype signature for port 80 TCP 13 ff000000
skype-ext-l-54 Skype signature TCP 2 ffff0000
skype-ext-pshack Skype signature TCP 13 ff000000
smtp Simple Mail Transfer TCP 0 0
snmp SNMP UDP 0 0
snmp-trap SNMP Trap UDP 0 0
softethervpn443 SoftEther Ethernet System TCP 0 ffffff00
softethervpn8888 SoftEther Ethernet System TCP 0 ffffff00
soulseek_pierce_fw_0 SoulSeek_Pierce_FW TCP 0 ffffffff
soulseek_pierce_fw_1 SoulSeek_Pierce_FW TCP 4 ff000000
soulseek_pierce_fw_2 SoulSeek_Pierce_FW TCP 2 ffff0000
ssh Secure Shell TCP 0 0
tcp TCP Traffic TCP 0 0
telnet Telnet TCP 0 0
tftp Trivial File Transfer UDP 0 0
udp UDP Traffic UDP 0 0
voip_sign_1 VOIP signature UDP 28 c03f0000
yahoo_ft_0 YAHOO_FT TCP 0 ffffffff
yahoo_ft_1 YAHOO_FT TCP 10 ffff0000
yahoo_get_0 YAHOO_GET TCP 0 ffffffff
yahoo_get_4 YAHOO_GET TCP 16 ff000000
yahoo_post_0 YAHOO_POST TCP 0 ffffffff
yahoo_post_4 YAHOO_POST TCP 16 ffff0000
Appendix E Glossary
This glossary is a list of terms and definitions used in the Radware technical environment. Some of
the words belong to the public domain, and some are Radware-specific, but all are used in the
Radware documentation.
A Radware glossary is intended to be a list of specialized words with their definitions that are used in
the Radware technical environment. Some of the words belong to the public domain, and some are
Radware-specific, but all are used in the Radware documentation, whether hardcopy or online.
Term Definition
Anomaly An anomaly is unusual or unexpected behavior of traffic patterns or a
protocol.
Attack An Attack, with an upper-case letter A is a realization of a threat, a
malicious action taken against a network, host or service.
Attack List An Attack List is a database of known attackers as defined in the
Signatures Database.
Attack Signature
Database
Radwares Attack signature database contains signatures of known
attacks.
These signatures are included in the predefined groups and profiles
supplied by Radware to create protection policies in the Connect and
Protect Table. Each attack group consists of attack signatures with
common characteristics intended to protect a specific application or range
of IPs.
Behavioral DoS (BDoS) Behavioral DoS (Behavioral Denial of Service) protection defends
networks from zero day network-flood attacks that jam available network
bandwidth with spurious traffic, denying use of network resources for
legitimate users.
BDoS profiles do this by identifying the footprint of the anomalous traffic.
Network-flood protection types include:
SYN Flood
TCP Flood, including TCP Fin + Ack Flood, TCP Reset Flood
TCP Syn + Ack Flood, TCP Fragmentation Flood
UDP Flood
ICMP Flood
IGMP Flood
Black List A Black List defines the IP addresses that are always blocked without
inspection.
Black lists are used as exceptions for security policies/rules, blocking all
traffic generated by IP addresses in the Black List.
Glossary
DDoS Distributed Denial of Server attack on a DNS server. A typical attack
involves numerous compromised zombie systems (botnets) sending
spoofed domain-name requests to DNS servers, which process the
legitimate request and send replies to the spoofed victims.
When the DNS server is configured to provide recursion, the DNS server,
if the requested domain name isnt available locally, will query the root
name servers for the IP address. The traffic then traverses the internet
backbone, affecting the Internet Service Provider and any upstream
provider to reach the intended target.
Radwares adaptive behavior-based DoS Protection learns the
characteristics of DNS traffic and re-establishes normal traffic behavior
baselines. An embedded decision engine, based on fuzzy logic, constantly
analyzes DNS traffic and detects when deviations from the normal
baselines occur. Upon detection, the system performs an in-depth
analysis of the suspicious DNS packets in order to identify abnormal
appearances of parameters in the packet headers and payload.
Deep Packet Inspection Inspection of the packet's payload as opposed to only its header. This
enables the security device to perform inspection at the application level.
DoS Denial of Service is an attack intended to consume system resources and
create a temporary loss of service.
Exploit An exploit is a program or technique that takes advantage of a software
vulnerability.
The program can be used for breaking security, or otherwise attacking a
host over the network.
Heuristic analysis Heuristic analysis is behavior-based analysis, targeted to provide a filter
blocking the abnormal phenomena.
Heuristic analysis is the ability of a virus scanner to identify a potential
virus by analyzing the behavior of the program, rather than looking for a
known virus signature.
Intrusion An intrusion is an attempted or successful access to system resources in
any unauthorized manner.
Intrusion Detection
System (IDS)
Radwares Intrusion Detection System (IDS) applies the latest security or
attack expertise to filter out potentially destructive/malicious events from
a much larger amount of legitimate activity.
There are two system-monitoring approaches:
NIDSnetwork-based IDSmonitors all network traffic passing on
the segment where the agent is installed, acting upon suspicious
anomalies or signature-based activity.
HIDShost-based IDSis confined to the local host and monitor
activity in detail, such as, command execution, file access, or system
calls.
Organizations generally choose a combination of these approaches,
based on known vulnerabilities.
Intrusion Prevention A security service that scans, detects and prevents real-time attempts to
compromise system security.
Intrusion prevention Intrusion prevention is a security service that scans, detects and
prevents real-time attempts aimed at compromising system security.
Term Definition
Glossary
IP interface An IP interface in DefensePro is comprised of two components: an IP
address and an associated interface. The associated interface can be a
physical interface or a virtual interface (VLAN). IP routing is performed
between DefensePro IP interfaces, while bridging is performed within an
IP interface that contains an IP address associated with a VLAN.
DefensePro is designed to intercept HTTP requests and to redirect them
to a content inspection server farm. The first assumption in designing a
DefensePro network is that the DefensePro device resides on the path
between the clients and both the Internet and the content inspection
servers. This is required since DefensePro needs to intercept the clients'
requests going to the Internet and to manipulate the packets returning
from the content inspection servers to the clients.
Except when using local triangulation or transparent proxy, all traffic
must physically travel through the DefensePro device. This includes
traffic from the users to the Internet and from the content inspection
server farm back to the users.
If there are users statically configured to use a content inspection server,
they should be configured to the DefensePro virtual address. This address
is the access IP address for the content inspection servers. This address
is used only for statically configured users.
NHR A Next-Hop Router (NHR) is a network element with an IP address
through which traffic is routed.
Server Cracking
Protection
Radwares Server Cracking Protection is a behavioral server-based
technology that detects and prevents both known and unknown
application scans and brute-force attacks.
This behavioral protection is part of Radwares DefensePro Full Spectrum
Protection Technology. The technology includes:
An adaptive behavioral network-based protection that mitigates
network DoS and DDoS attacks
Adaptive behavioral user-based protections that mitigate network
pre-attack probes and zero-day worm propagation activities
Stateful signature-based protections against exploitation attempts of
known application vulnerabilities.
See also Server Cracking Protection Profiles.
Server Cracking
Protection Profile
A Server Cracking Protection profile provides application level protection
that identifies excessive frequencies of error responses from various
applications. The profile initiates blocking of hacking sources, while
allowing legitimate traffic to pass through.
Application scanning and authentication brute force attempts are usually
precursors to more serious exploitation attempts. An attacker tries to
gain access to a restricted section, or to find a known vulnerability by
sending a list of legitimate-looking requests and analyzing the responses.
Both cracks and scanning attempts are characterized by a higher than
usual error responses from the application to a few specific users.
Server Protection Profile Server Protection Profiles are designed to defend from network and
application attacks targeting network servers or services, such as:
SYN Flood protection using SYN Cookies
Connection limit
Server Cracking
HTTP Page floods
Term Definition
Glossary
Server, Reporting A reporting server is the component responsible for running the required
services to display reports to the end user. It may contain a Web server
and provide services for both Eclipse and Web interfaces.
Service A feature that provides protection against a set of attacks.
Signature A Signature is a pattern-based analysis, used to search for packets
generated by known attack tools.
Spoof A spoof is when one system entity poses as or assumes the identity of
another entity.
SYN cookie SYN cookies are particular choices of initial TCP sequence numbers by
TCP servers. The difference between the server's initial sequence number
and the client's initial sequence number is:
Top 5 bits: t mod 32, where t is a 32-bit time counter that increases
every 64 seconds.
Next 3 bits: an encoding of an MSS selected by the server in
response to the client's MSS.
Bottom 24 bits: a server-selected secret function of the client IP
address and port number, the server IP address and port number,
and t.
This choice of sequence number complies with the basic TCP requirement
that sequence numbers increase slowly; the server's initial sequence
number increases slightly faster than the client's initial sequence number.
A server that uses SYN cookies does not have to drop connections when
its SYN queue fills up. Instead it sends back a SYN+ACK, exactly as if the
SYN queue had been larger. (Exceptions: the server must reject TCP
options such as large windows, and it must use one of the eight MSS
values that it can encode.) When the server receives an ACK, it checks
that the secret function works for a recent value of t, and then rebuilds
the SYN queue entry from the encoded MSS.
A SYN flood is simply a series of SYN packets from forged IP addresses.
The IP addresses are chosen randomly and don't provide any hint of
where the attacker is. The SYN flood keeps the server's SYN queue full.
Normally this would force the server to drop connections. A server that
uses SYN cookies, however, will continue operating normally. The biggest
effect of the SYN flood is to disable large windows.
Term Definition
Glossary
SYN flood A SYN attack/flood is a type of DoS (Denial of Service) attack. SYN flood
attacks are performed by sending a SYN packet without completing the
TCP three-way handshake, referred as single packet attack. Alternatively,
the TCP three-way handshake can be completed, but no data packets are
sent afterwards. Such attacks are known as connection flood attacks.
A SYN packet notifies a server of a new connection. The server then
allocates some memory in order to handle the incoming connection,
sends back an acknowledgement, then waits for the client to complete
the connection and start sending data. By spoofing large numbers of SYN
requests, an attacker can fill up memory on the server, which waits for
more data that never arrives. Once memory has filled up, the server is
unable to accept connections from legitimate clients. This effectively
disables the server. Key point: SYN floods exploit a flaw in the core of the
TCP/IP technology itself. There is no complete defense against this
attack. There are, however, partial defenses. Servers can be configured
to reserve more memory and decrease the amount of time they wait for
connections to complete.
Likewise, routers and firewalls can filter out some of the spoofed SYN
packets. Finally, there are techniques (such as SYN cookies) that can
play tricks with the protocol in order to help distinguish good SYNs from
bad ones.
SYN-ACK Reflection
Attack Prevention
SYN-ACK Reflection Attack Prevention is intended to prevent reflection of
SYN attacks and reduce SYN-ACK packet storms that are created as a
response to DoS attacks.
When a device is under SYN attack, it sends a SYN-ACK packet with an
embedded Cookie, in order to prompt the client to continue the session.
Threat A threat, in Internet security terms, is a person, thing, event, or idea,
that poses a danger to an asset.
A fundamental threat can be any of the following: information leakage,
Denial of Service, integrity violation, and illegitimate use.
Trojan Horse A Trojan horse (also known as a trojan) is a computer program that
appears benign, but is actually designed to harm or compromise the
system.
It is usually designed to provide unrestricted access into internal
systems, bypassing security monitoring and auditing policies.
Virus A virus is a malicious program code written with the intention to damage
computer systems and to replicate itself to extend the possible damage.
Worm A worm is a type of computer virus that uses the Internet or local
networks to spread itself by sending copies of itself to other hosts.
Zero Day Attack A Zero Day attack (0day) is an attack on a vulnerability no one knows
about except those who discovered it.
A zero day exploit is an attack against a non-public, unknown
vulnerability. Since there are no known signatures, it penetrates any
signature-based security defenses. If the exploit passes through a
common port, and there are no other defenses, such as behavioral-based
or impact-based techniques, it is hard or impossible to stop.
Term Definition

DefensePro User Guide v6.02

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DefensePro User Guide v6.02

Uploaded by

Copyright:

Available Formats

DefensePro User Guide

Software Version 6.02

You might also like