Important Notices
The following important notices are presented in English, French, and German.
Important Notices
This guide is delivered subject to the following conditions and restrictions: The AppShape++ Script Files provided by Radware Ltd. are subject to the Special License Terms included in each of the electronic AppShape++ Script Files and are also subject to Radware's End User License Agreement, a copy of which (as may be amended from time to time) can be found at the end of this document or at http://www.radware.com/Resources/eula.html. Please note that if you create your own scripts using any AppShape++ Scripts provided by Radware, such self-created scripts are not controlled by Radware and therefore Radware will not be liable for any malfunctions resulting from such self-created scripts. Copyright Radware Ltd. 2013. All rights reserved. The copyright and all other intellectual property rights and trade secrets included in this guide are owned by Radware Ltd. The guide is provided to Radware customers for the sole purpose of obtaining information with respect to the installation and use of the Radware products described in this document, and may not be used for any other purpose. The information contained in this guide is proprietary to Radware and must be kept in strict confidence. It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without the prior written consent of Radware.
Important Notice (French version)
This guide is delivered subject to the following conditions and restrictions: The AppShape++ Script Files applications provided by Radware Ltd. are subject to the Special License Terms included in each electronic AppShape++ Script File, and also to Radware's End User License Agreement, which may be amended from time to time and a copy of which is available at the end of this document or at the following address: http://www.radware.com/Resources/eula.html. We draw your attention to the fact that if you create your own command files (script files) using the AppShape++ Script Files application provided by Radware, those script files are not controlled by Radware, and Radware can in no case be held responsible for malfunctions resulting from script files created in this way. Copyright Radware Ltd. 2013. All rights reserved. The copyright and all other rights relating to intellectual property and trade secrets contained in this guide are the property of Radware Ltd. This information guide is provided to our customers for the installation and use of the Radware products described in this document and may not be used for any purpose other than the one for which it was designed. The information listed in this document remains the property of Radware and must be kept confidential. It is strictly forbidden to copy, reproduce or disclose information contained in this manual without obtaining Radware's prior written consent.
Important Notice (German version)
This manual is delivered subject to the following conditions and restrictions: The AppShape++ script files provided by Radware Ltd are subject to the special license terms contained in each electronic AppShape++ script file as well as to Radware's End User License Agreement (a copy of which, in the version applicable at the time, is available at the end of this document or at http://www.radware.com/Resources/eula.html). Please note that if you create your own scripts with the help of an AppShape++ script provided by Radware, these self-created scripts are not controlled by Radware, and Radware therefore accepts no liability for malfunctions caused by these self-created scripts. Copyright Radware Ltd. 2013. All rights reserved. The copyright and all other proprietary rights and trade secrets contained in this manual are the property of Radware Ltd. This manual is provided to Radware customers for the sole purpose of supplying information on the installation and use of the Radware products described in this document. It may not be used for any other purpose. The information contained in this manual is the property of Radware and must be treated as strictly confidential. It is strictly forbidden to copy, duplicate, reproduce or disclose this manual or parts of it without Radware's prior written consent.
Copyright Notices
The following copyright notices are presented in English, French, and German.
Copyright Notices
The programs included in this product are subject to a restricted use license and can only be used in conjunction with this application.

This product contains code developed by the OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.

This product contains the Rijndael cipher. The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>

The OnDemand Switch may use software components licensed under the GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware upon request. A copy of the license can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

This code is hereby placed in the public domain.

This product contains code developed by the OpenBSD Project.
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

This product includes software developed by Markus Friedl
This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

This product contains work derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm.
RSA Data Security, Inc. makes no representations concerning either the merchantability of the MD5 Message - Digest Algorithm or the suitability of the MD5 Message - Digest Algorithm for any particular purpose. It is provided as is without express or implied warranty of any kind.
@author Paulo Barreto <paulo.barreto@terra.com.br>.

The OnDemand Switch may use software components licensed under the terms of the GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware upon request. A copy of the license is listed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

This code is also placed in the public domain.

This product contains code developed as part of the OpenSSL project.
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary form, with or without modification, are permitted provided that the following conditions are met:
1. Redistribution of source code must include the copyright notice mentioned above, this list of conditions and the following disclaimer.
2. Redistribution in binary form must reproduce, in the documentation and/or any other material provided, the copyright notice mentioned above, this list of conditions and the following disclaimer.
3. Neither the name of the university nor the names of the contributors shall in any case be used to endorse or promote a product derived from this software without prior written authorization.

This product includes software developed by Markus Friedl
This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson
Redistribution and use in source and binary form, with or without modification, are permitted provided that the following conditions are met:
1. Redistribution of source code must include the copyright notice mentioned above, this list of conditions and the following disclaimer.
2. Redistribution in binary form must reproduce, in the documentation and/or any other material provided, the copyright notice mentioned above, this list of conditions and the following disclaimer.

THE SOFTWARE MENTIONED ABOVE IS PROVIDED AS IS BY THE DEVELOPER AND ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY IMPLIED WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, IS EXCLUDED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF USE, DATA OR PROFITS, OR BUSINESS INTERRUPTION), WHATEVER THE CAUSE AND THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE), ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright Notices (German version)
The programs included in this product are subject to a restricted use license and may only be used in conjunction with this application.

This product contains code developed by the OpenSSL Project. This product contains software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.

This product contains the Rijndael cipher. The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is publicly available and is distributed under the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>

The OnDemand Switch may use software licensed under the GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware upon request. A copy of this license can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

This code is hereby made publicly available.

This product contains code developed by the OpenBSD Project.
Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary form, with or without modification, are permitted under the following conditions:
1. Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials distributed with it.
3. Neither the name of the University nor the names of the contributors may be used to endorse or promote products derived from this software without express prior written permission.

This product contains software developed by Markus Friedl
This product contains software developed by Theo de Raadt
This product contains software developed by Niels Provos
This product contains software developed by Dug Song
This product contains software developed by Aaron Campbell
This product contains software developed by Damien Miller
This product contains software developed by Kevin Steves
This product contains software developed by Daniel Kouril
This product contains software developed by Wesley Griffin
This product contains software developed by Per Allansson
This product contains software developed by Nils Nordman
This product contains software developed by Simon Wilkinson
Redistribution and use in source and binary form, with or without modification, are permitted under the following conditions:
1. Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials distributed with it.

ALL OF THE AFOREMENTIONED SOFTWARE IS PROVIDED BY THE AUTHOR AS IS. ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE EXCLUDED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR DIRECT OR INDIRECT DAMAGES, INCIDENTAL DAMAGES, SPECIAL DAMAGES, PUNITIVE DAMAGES, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED, AND FOR ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE), ARISING IN ANY FORM OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Standard Warranty
The following standard warranty is presented in English, French, and German.
Standard Warranty
Radware offers a limited warranty for all its products ("Products"). Radware hardware products are warranted against defects in material and workmanship for a period of one year from date of shipment. Radware software carries a standard warranty that provides bug fixes for up to 90 days after date of purchase. Should a Product unit fail anytime during the said period(s), Radware will, at its discretion, repair or replace the Product. For hardware warranty service or repair, the product must be returned to a service facility designated by Radware. Customer shall pay the shipping charges to Radware and Radware shall pay the shipping charges in returning the product to the customer. Please see specific details outlined in the Standard Warranty section of the customer's purchase order. Radware shall be released from all obligations under its Standard Warranty in the event that the Product and/or the defective component has been subjected to misuse, neglect, accident or improper installation, or if repairs or modifications were made by persons other than Radware authorized service personnel, unless such repairs by others were made with the written consent of Radware. EXCEPT AS SET FORTH ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE PROVIDED AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
Standard Warranty (French version)
Radware grants a limited warranty for all of its products ("Products"). Radware hardware is warranted against any material and manufacturing defect for a period of one year from the date of shipment. Radware software is provided with a standard warranty consisting of the supply of fixes for software malfunctions (bugs) for a maximum period of 90 days from the date of purchase. In the event that a Product shows a defect during the said period(s), Radware will, at its discretion, repair or exchange the Product. With regard to the exchange or repair warranty for hardware, the Product must be returned to a repairer designated by Radware. The Customer shall bear the cost of shipping the Product to Radware, and Radware shall bear the cost of returning the Product to the customer. Please consult the specific conditions described in the "Standard Warranty" section of the customer purchase order. Radware is released from all obligations related to the Standard Warranty in the event that the Product and/or the defective component has been subjected to misuse, negligence, accident or non-compliant installation, or if the repairs or modifications it has undergone were carried out by persons other than maintenance personnel authorized by Radware, unless Radware has given its written consent for such repairs to be carried out by those persons. EXCEPT IN THE CASES PROVIDED FOR ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED WARRANTIES ARE EXCLUDED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE.
Standard Warranty (German version)
Radware offers a limited warranty for all of its products ("Products"). Radware hardware products carry a warranty against material and workmanship defects for a period of one year from the date of delivery. Radware software has a standard warranty covering bug fixes for a period of up to 90 days after the date of purchase. Should a product show a defect within the stated warranty period, Radware will, at its own discretion, either repair or replace the product. For hardware warranty service or repair, the product must be returned to a service facility designated by Radware. The customer shall bear the shipping costs for transporting the product to Radware; Radware shall bear the costs of returning the product to the customer. For more precise details, please refer to the Standard Warranty section of the customer order form. Radware is released from all obligations under its Standard Warranty if the product or the defective part has been misused, neglected, subjected to an accident or improperly installed, or if repairs or modifications were carried out by persons other than service personnel authorized by Radware, unless such repairs by said other persons were carried out with written approval from Radware. EXCEPT AS SET OUT ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE DELIVERED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE EXCLUDED.
BUSINESS INTERRUPTION). THE ABOVE LIMITATIONS WILL APPLY EVEN IF RADWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES OR LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.
Safety Instructions
The following safety instructions are presented in English, French, and German.
Safety Instructions
CAUTION
A readily accessible disconnect device shall be incorporated in the building installation wiring.
Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures that involve opening panels or changing components must be performed by qualified service personnel only.
To reduce the risk of fire and electrical shock, disconnect the device from the power line before removing cover or panels.
The following figure shows the caution label that is attached to Radware platforms with dual power supplies.

DUAL-POWER-SUPPLY-SYSTEM SAFETY WARNING IN CHINESE
The following figure is the warning for Radware platforms with dual power supplies.

Translation of Dual-Power-Supply-System Safety Warning in Chinese: This unit has more than one power supply. Disconnect all power supplies before maintenance to avoid electric shock.

SERVICING
Do not perform any servicing other than that contained in the operating instructions unless you are qualified to do so. There are no serviceable parts inside the unit.

HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under voltage must be avoided as much as possible and, when inevitable, must be carried out only by a skilled person who is aware of the hazard involved. Capacitors inside the instrument may still be charged even if the instrument has been disconnected from its source of supply.

GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this device must be connected to the protective earth in the building installation.

LASER
This equipment is a Class 1 Laser Product in accordance with IEC60825 - 1: 1993 + A1:1997 + A2:2001 Standard.

FUSES
Make sure that only fuses with the required rated current and of the specified type are used for replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be made inoperative and be secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power source matches the requirements of the instrument. Refer to the Specifications for information about the correct power rating for the device. 48V DC-powered platforms have an input tolerance of 36-72V DC.

SPECIFICATION CHANGES
Specifications are subject to change without notice.

Note: This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN 61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11 for CE MARK Compliance. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user is required to correct the interference at his own expense.

SPECIAL NOTICE FOR NORTH AMERICAN USERS
For North American power connection, select a power supply cord that is UL Listed and CSA Certified 3-conductor, [18 AWG], terminated in a molded-on plug cap rated 125 V, [10 A], with a minimum length of 1.5m [six feet] but no longer than 4.5m... For European connection, select a power supply cord that is internationally harmonized and marked <HAR>, 3-conductor, 0,75 mm2 minimum wire, rated 300 V, with a PVC insulated jacket. The cord must have a molded-on plug cap rated 250 V, 3 A.

RESTRICTED ACCESS AREA
The DC powered equipment should only be installed in a Restricted Access Area.

INSTALLATION CODES
This device must be installed according to country national electrical codes. For North America, equipment must be installed in accordance with the US National Electrical Code, Articles 110-16, 110-17, and 110-18 and the Canadian Electrical Code, Section 12.

INTERCONNECTION OF UNITS
Cables for connecting to the unit RS232 and Ethernet Interfaces must be UL certified type DP-1 or DP-2. (Note: when residing in a non-LPS circuit.)

OVERCURRENT PROTECTION
A readily accessible listed branch-circuit overcurrent protective device rated 15 A must be incorporated in the building wiring for each power input.

REPLACEABLE BATTERIES
If equipment is provided with a replaceable battery, and it is replaced by an incorrect battery type, then an explosion may occur. This is the case for some Lithium batteries, and the following is applicable: If the battery is placed in an Operator Access Area, there is a marking close to the battery or a statement in both the operating and service instructions. If the battery is placed elsewhere in the equipment, there is a marking close to the battery or a statement in the service instructions.
This marking or statement includes the following text warning:
CAUTION
RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
Caution: To Reduce the Risk of Electrical Shock and Fire
1. This equipment is designed to permit connection between the earthed conductor of the DC supply circuit and the earthing conductor equipment. See Installation Instructions.
2. All servicing must be undertaken only by qualified service personnel. There are no user serviceable parts inside the unit.
3. DO NOT plug in, turn on or attempt to operate an obviously damaged unit.
4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
5. Replace a blown fuse ONLY with the same type and rating as is marked on the safety label adjacent to the power inlet, housing the fuse.
6. Do not operate the device in a location where the maximum ambient temperature exceeds 40°C/104°F.
7. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to remove and/or check the main power fuse.

CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS: IEC 60 825-1:1993 + A1:1997 + A2:2001 AND EN 60825-1:1994 + A1:1996 + A2:2001

AC units for Denmark, Finland, Norway, Sweden (marked on product):
Denmark - Unit is class I - unit to be used with an AC cord set suitable with Denmark deviations. The cord includes an earthing conductor. The Unit is to be plugged into a wall socket outlet which is connected to a protective earth. Socket outlets which are not connected to earth are not to be used!
Finland - (Marking label and in manual) - "Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan" (The device must be connected to a socket outlet equipped with protective earth contacts).
Norway - (Marking label and in manual) - "Apparatet må tilkoples jordet stikkontakt" (The apparatus must be connected to an earthed socket outlet). Unit is intended for connection to IT power systems for Norway only.
Sweden - (Marking label and in manual) - "Apparaten skall anslutas till jordat uttag" (The apparatus shall be connected to an earthed outlet).

To connect the power connection:
1. Connect the power cable to the main socket, located on the rear panel of the device.
2. Connect the power cable to the grounded AC outlet.

CAUTION
Risk of electric shock and energy hazard. Disconnecting one power supply disconnects only one power supply module. To isolate the unit completely, disconnect all power supplies.
Safety Instructions (French version)
CAUTION
A readily accessible disconnect device shall be incorporated in the building wiring.
Due to the risks of electric shock and the energy, mechanical and fire hazards, any procedure involving opening panels or replacing components shall be carried out by qualified personnel.
To reduce the risks of fire and electric shock, disconnect the device from the power supply before removing the cover or panels.
The following figure shows the warning label affixed to Radware platforms equipped with more than one electrical power source.

SAFETY WARNING FOR SYSTEMS WITH TWO ELECTRICAL POWER SOURCES (IN CHINESE)
The following figure represents the warning label for Radware platforms with two electrical power sources.

Figure 4: Safety warning for systems with two electrical power sources (in Chinese)

Translation of the Safety warning for systems with two electrical power sources (in Chinese): This unit has more than one electrical power source. Disconnect all electrical power sources before servicing the device, to avoid any electric shock.

SERVICING
Do not perform any servicing other than that listed in the instruction manual unless you are qualified to do so. No part inside the unit can be replaced or repaired.

HIGH VOLTAGE
Any adjustment, servicing operation or repair of the open instrument under voltage must be avoided. If this proves indispensable, entrust the operation to a qualified person who is aware of the dangers involved. The capacitors within the unit may be charged even if the unit has been disconnected from the electrical power source.

GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this unit must be connected to the building's earthing system.

LASER
This equipment is a Class 1 laser product, compliant with the IEC60825 - 1: 1993 + A1: 1997 + A2: 2001 standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used as replacements. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. When it is practically certain that the protection offered by the fuses has been impaired, the instrument must be deactivated and secured against any unintentional operation.

LINE VOLTAGE
Before connecting this instrument to the power line, check that the voltage of the power source matches the requirements of the instrument. Consult the specifications for the correct rated power supply of the device. Platforms powered by 48 V DC have an input tolerance between 36 and 72 V DC.

SPECIFICATION CHANGES
Specifications are subject to change without prior notice.

Note: This equipment has been tested and declared compliant with the limits defined for a Class A digital device, pursuant to paragraph 15B of the FCC regulations and EN55022 Class A, EN 55024, EN 61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8, and IEC 61000-4-11, for the CE compliance mark. These limits are set to provide reasonable protection against harmful interference when the equipment is used in a commercial environment. This equipment generates, uses and can emit radio frequencies and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will have to correct the problem at their own expense.

SPECIAL NOTICE FOR NORTH AMERICAN USERS
For an electrical connection in North America, select a UL listed and CSA certified 3-conductor power cord, [18 AWG], fitted with a molded plug at its end, rated 125 V, [10 A], with a minimum length of 1.5 m [six feet] and a maximum of 4.5 m... For the European connection, choose an internationally harmonized power cord marked <HAR>, 3-conductor, 0,75 mm2 minimum cable, rated 300 V, with an insulated PVC jacket. The plug at the end of the cord shall bear a molded marking indicating: 250 V, 3 A.

RESTRICTED ACCESS AREA
DC-powered equipment may only be installed in a restricted access area.

INSTALLATION CODES
This device must be installed in compliance with national electrical codes. In North America, the equipment shall be installed in compliance with the US National Electrical Code, articles 110-16, 110-17 and 110-18, and the Canadian Electrical Code, Section 12.

INTERCONNECTION OF UNITS
The cables connecting to the unit's RS232 and Ethernet interfaces shall be UL certified, type DP-1 or DP-2. (Note: if they do not reside in an LPS circuit.)

OVERCURRENT PROTECTION
A readily accessible branch circuit on the 15 A current protection device must be integrated into the building wiring for each power input.

REPLACEABLE BATTERIES
If the equipment is supplied with a battery and it is replaced by an incorrect battery type, it is liable to explode. This is the case for certain lithium batteries, so the following applies: If the battery is placed in an operator access area, a marking is indicated on the battery or a note is inserted in both the operating and servicing instructions. If the battery is placed elsewhere in the equipment, a marking is indicated on the battery or a note is inserted in the servicing instructions.
15
RISQUE DEXPLOSION SI LA BATTERIE EST REMPLACE PAR UN MODLE INCORRECT. METTRE AU REBUT LES BATTERIES CONFORMMENT AUX INSTRUCTIONS. Attention - Pour rduire les risques de chocs lectriques et dincendie 1. 2. 3. 4. 5. 6. 7. Cet quipement est conu pour permettre la connexion entre le conducteur de mise la terre du circuit lectrique CC et lquipement de mise la terre. Voir les instructions dinstallation. Tout entretien sera entrepris par du personnel qualifi. Aucune pice lintrieur de lunit ne peut tre remplace ou rpare. NE branchez pas, nallumez pas ou nessayez pas dutiliser une unit manifestement endommage. Vrifiez que lorifice de ventilation du chssis dans lunit nest PAS OBSTRUE. Remplacez le fusible endommag par un modle similaire de mme puissance, tel quindiqu sur ltiquette de scurit adjacente larrive lectrique hbergeant le fusible. Ne faites pas fonctionner lappareil dans un endroit, o la temprature ambiante dpasse la valeur maximale autorise. 40C/104F. Dbranchez le cordon lectrique de la prise murale AVANT dessayer de retirer et/ou de vrifier le fusible dalimentation principal.
PRODUIT LASER DE CLASSE 1 ET RFRENCE AUX NORMES LASER LES PLUS RCENTES: IEC 60 825-1: 1993 + A1: 1997 + A2: 2001 ET EN 60825-1: 1994+A1: 1996+ A2: 2001 Units CA pour le Danemark, la Finlande, la Norvge, la Sude (indiqu sur le produit): Danemark - Unit de classe 1 - qui doit tre utilise avec un cordon CA compatible avec les dviations du Danemark. Le cordon inclut un conducteur de mise la terre. Lunit sera branche une prise murale, mise la terre. Les prises non-mises la terre ne seront pas utilises! Finlande (tiquette et inscription dans le manuel) - Laite on liitettv suojamaadoituskoskettimilla varustettuun pistorasiaan Norvge (tiquette et inscription dans le manuel) - Apparatet m tilkoples jordet stikkontakt Lunit peut tre connecte un systme lectrique IT (en Norvge uniquement). Sude (tiquette et inscription dans le manuel) - Apparaten skall anslutas till jordat uttag.
Pour brancher lalimentation lectrique: 1. 2. Branchez le cble dalimentation la prise principale, situe sur le panneau arrire de lunit. Connectez le cble dalimentation la prise CA mise la terre.
AVERTISSEMENT Risque de choc lectrique et danger nergtique. La dconnexion dune source dalimentation lectrique ne dbranche quun seul module lectrique. Pour isoler compltement lunit, dbranchez toutes les sources dalimentation lectrique. ATTENTION Risque de choc et de danger lectriques. Le dbranchement dune seule alimentation stabilise ne dbranche quun module Alimentation Stabilise. Pour Isoler compltement le module en cause, il faut dbrancher toutes les alimentations stabilises. Attention: Pour Rduire Les Risques dlectrocution et dIncendie 1. 2. 3. 4. Toutes les oprations dentretien seront effectues UNIQUEMENT par du personnel dentretien qualifi. Aucun composant ne peut tre entretenu ou remplace par lutilisateur. NE PAS connecter, mettre sous tension ou essayer dutiliser une unit visiblement dfectueuse. Assurez-vous que les ouvertures de ventilation du chssis NE SONT PAS OBSTRUES. Remplacez un fusible qui a saut SEULEMENT par un fusible du mme type et de mme capacit, comme indiqu sur ltiquette de scurit proche de lentre de lalimentation qui contient le fusible.
16
5. NE PAS UTILISER lquipement dans des locaux dont la temprature maximale dpasse 40 degrs Centigrades. 6. Assurez vous que le cordon dalimentation a t dconnect AVANT dessayer de lenlever et/ou vrifier le fusible de lalimentation gnrale.
Safety Instructions
CAUTION The building's electrical installation must include a readily accessible disconnect device. Because of the risk of electric shock and the energy, mechanical, and fire hazards, any procedure that involves removing covers or replacing components must be performed only by qualified service personnel. To reduce the risk of fire and electric shock, the device must be disconnected from the power supply before a cover or panel is removed. The following figure shows the CAUTION label affixed to Radware platforms with dual power supplies.
SAFETY NOTICE IN CHINESE FOR DUAL-POWER-SUPPLY SYSTEMS The following figure is the warning for Radware platforms with dual power supplies.
Translation of the Safety Notice in Chinese for Dual-Power-Supply Systems: The unit has more than one power source. To prevent electric shock, disconnect all power supply lines before performing maintenance work.
SERVICING Do not perform any servicing that is not described in the operating instructions unless you are qualified to do so. There are no serviceable parts inside the device.
HIGH VOLTAGE Any adjustment, maintenance, and repair work on the opened device under voltage must be avoided as far as possible. If it is unavoidable, it may be carried out only by qualified persons who are aware of the hazard. Capacitors inside the device may still hold a charge even after the device has been disconnected from the power supply.
GROUNDING Before the device is connected to the power supply, the screws of the device's grounding conductor must be connected to the ground of the building wiring.
LASER This device is a Class 1 laser product in accordance with the IEC60825 - 1: 1993 + A1:1997 + A2:2001 standard.
FUSES Make sure that only fuses with the required rated current and of the specified type are used. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. In cases where it is likely that the protection provided by the fuses has been impaired, the device must be switched off and secured against unintended operation.
LINE VOLTAGE Before connecting this device to the power supply, ensure that the voltage of the power source meets the requirements of the device. Refer to the technical specifications for the correct electrical ratings of the device. Platforms with 48 V DC have an input tolerance of 36-72 V DC.
SPECIFICATION CHANGES Specifications are subject to change without notice.
Note: This device has been tested and found to comply with the limits for Class 1 digital devices pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN55024; EN 61000-3-2; EN; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4- 11 for CE mark compliance. These limits are designed to provide reasonable protection against harmful interference when the device is operated in a commercial environment. This device generates, uses, and radiates radio frequency energy. If it is not installed and used in accordance with the instructions in the manual, it may interfere with and impair radio communications. Operation of this device in residential areas is very likely to cause harmful interference. In such a case the user would be required to correct the interference at their own expense.
SPECIAL NOTICE FOR USERS IN NORTH AMERICA For the mains connection in North America, select a power cord that is UL Listed and CSA Certified, 3-conductor, [18 AWG], terminated in a molded plug, rated 125 V, [10 A], with a minimum length of 1.5 m [six feet] but no longer than 4.5 m. For European connections, use an internationally harmonized power cord marked <HAR>, with 3 conductors of at least 0.75 mm2, rated 300 V, with a PVC jacket. The cord must terminate in a molded plug rated 250 V, 3 A.
RESTRICTED ACCESS AREA The DC-powered device may only be installed in a restricted access area.
INSTALLATION CODES This device must be installed in accordance with the country-specific electrical codes. In North America, devices must be installed in accordance with the US National Electrical Code, Articles 110 - 16, 110 - 17 and 110 - 18, and the Canadian Electrical Code, Section 12.
INTERCONNECTION OF UNITS Cables for connecting the device to the RS232 and Ethernet interfaces must be UL certified and of type DP-1 or DP-2. (Note: when residing in a non-LPS circuit)
OVERCURRENT PROTECTION A readily accessible listed branch-circuit overcurrent protective device rated 15 A must be incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES If a device is supplied with a replaceable battery and this battery is replaced by an incorrect battery type, an explosion could result. This applies to some types of lithium batteries, and the following must be observed: If the battery is installed in an operator access area, there is a marking near the battery or a statement in both the operating manual and the service instructions. If the battery is installed elsewhere in the device, there is a marking near the battery or a statement in the service instructions.
This marking or statement contains the following warning text: CAUTION RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
Denmark - Unit is Class I - use with an AC power cord set up for the Danish deviations. The cord is provided with a grounding wire. The cord is plugged into a grounded wall outlet. Do not use outlets without a grounding conductor!
Finland - (marking label and in the manual) - Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan (The appliance must be connected to a socket outlet with protective earthing contacts)
Norway - (marking label and in the manual) - Apparatet må tilkoples jordet stikkontakt (The apparatus must be connected to an earthed socket outlet). Intended exclusively for connection to IT power systems in Norway.
Sweden - (marking label and in the manual) - Apparaten skall anslutas till jordat uttag (The apparatus must be connected to an earthed socket outlet).
Connecting the power cable:
1. Connect the power cable to the main connector on the rear of the device.
2. Connect the power cable to the grounded AC outlet.
CAUTION Electric shock and energy hazard. Disconnecting one power source disconnects only one power supply module from the power supply. To isolate the device completely, it must be disconnected from the entire power supply.
Caution - To reduce the risk of electric shock and fire
1. This device is designed to permit the connection between the grounded conductor of the DC circuit and the grounding conductor of the device. See the installation instructions.
2. Servicing of any kind may be performed only by qualified service personnel. There are no user-serviceable parts inside the device.
3. Do not attempt to connect an obviously damaged device to the power circuit, switch it on, or operate it.
4. Make sure that the ventilation openings in the device's housing are NOT BLOCKED.
5. Replace a blown fuse only with one of the same type and rating as specified on the safety label next to the power cord connector, on the fuse housing.
6. Do not operate the device in a location where the maximum ambient temperature exceeds 40C.
7. Make sure to unplug the power cable from the wall socket BEFORE you remove and/or check the main fuse.
19
Electromagnetic-Interference Statements
The following statements are presented in English, French, and German.
Electromagnetic-Interference Statements
SPECIFICATION CHANGES Specifications are subject to change without notice.
Note: This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN 61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11 for CE MARK compliance. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user is required to correct the interference at his own expense.
VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS
Translation of Statement for Class A VCCI-certified Equipment: This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may occur, in which case, the user may be required to take corrective action.
Translation of Statement for Class B VCCI-certified Equipment: This is a Class B product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this is used near a radio or television receiver in a domestic environment, it may cause radio interference. Install and use the equipment according to the instruction manual.
KCC KOREA
Translation of Statement for Class A KCC-certified Equipment in Korean: This equipment is industrial (Class A) electromagnetic wave suitability equipment; the seller or user should take note of this, and the equipment is to be used in places other than the home.
BSMI
Translation of Statement for Class A BSMI-certified Equipment: This is a Class A product. When used in a residential environment, it may cause radio interference, in which case the user will be required to take adequate measures.
Translation of the Statement for Class A VCCI-certified Equipment: This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may occur. If so, the user will be required to take corrective measures.
Translation of the Statement for Class B VCCI-certified Equipment: This is a Class B product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If it is used near a radio or television set in a domestic environment, it may cause radio interference. Install and use the equipment according to the instruction manual.
KCC Korea
Figure 14: KCC (Korea Communications Commission) certificate for broadcasting and communication equipment.
Figure 15: Statement for Class A KCC-certified Equipment in Korean
Translation of the Statement for Class A KCC-certified Equipment in Korean: This equipment is electromagnetic-wave-compliant (Class A) equipment, and the seller or user must take this into account. This equipment is therefore intended for use in places other than the home.
BSMI
Translation of the Statement for Class A BSMI-certified Equipment: This is a Class A product; used in a residential environment, it may cause interference, in which case the user must take adequate measures.
Translation of the Statement for Class A VCCI-certified Equipment: This is a Class A product according to the standards of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this device is used in a residential area, electromagnetic interference may occur. In such a case the user would be required to take corrective action.
Translation of the Statement for Class B VCCI-certified Equipment: This is a Class B product according to the standards of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this device is used in a residential area, electromagnetic interference may occur. Install and use the device according to the instructions in the user manual.
KCC KOREA
Translation of the Statement for Class A KCC-certified Equipment: Sellers or users should take note that this Class A device belongs to the category of equipment suitable for industrial electromagnetic waves and that such devices are not intended for home use.
BSMI
Translation of the Statement for Class A BSMI-certified Equipment: This is a Class A product; when used in a residential environment it may cause radio interference, in which case the user is required to take appropriate measures.
Altitude and Climate Warning (statement in Chinese, referring to 2000m)
Document Conventions
The following describes the conventions and symbols that this guide uses (the guide gives each description in English, French, and German):
Item | Description
Example | An example scenario
Caution: | Possible damage to equipment, software, or data
Note: | Additional information
To | A statement and instructions
Tip: | A suggestion or workaround
Warning: | Possible physical harm to the operator
Table of Contents
Important Notices ..... 3
Copyright Notices ..... 4
Standard Warranty ..... 8
Limitations on Warranty and Liability ..... 9
Safety Instructions ..... 10
Electromagnetic-Interference Statements ..... 20
Altitude and Climate Warning ..... 24
Document Conventions ..... 25
Chapter 1 Introduction ..... 35
  Introducing DefensePro ..... 35
  DefensePro System Components ..... 35
  Radware Security Update Service on the Web ..... 36
  Typical Deployment ..... 37
  Network Connectivity ..... 38
  Management Interfaces: APSolute Vision and Others ..... 38
  DefensePro Features ..... 39
    Security Protections ..... 39
    Real-time Security Reporting for DefensePro ..... 40
    Historical Security Reporting: APSolute Vision Reporter ..... 40
  Logging into APSolute Vision ..... 45
  Changing Password for Local Users ..... 45
  APSolute Vision Sites and DefensePro Devices ..... 52
  Configuring Inspection Ports ..... 52
    Configuring Port Pairs ..... 52
    Managing the Status of Physical Ports ..... 53
  Updating the Attack Description File ..... 54
  Managing DefensePro Security Groups ..... 55
    Configuring the SNMP Group Table
    Configuring SNMP Access Settings
    Configuring SNMP Notify Settings
    Configuring SNMP View Settings
    Configuring the SNMP Target Parameters Table
    Configuring SNMP Target Addresses
  Configuring Device Users ..... 114
  Configuring Access Permissions on Physical Ports ..... 116
  Configuring Port Pinging ..... 116
    Configuring BDoS Profiles for Network Protection
    Configuring Anti-Scanning Protection for Network Protection
    Configuring Connection Limit Profiles for Network Protection
    Configuring SYN Profiles for Network Protection
    Configuring DNS Protection Profiles for Network Protection
    Configuring Out of State Protection Profiles for Network Protection
  Configuring Application Classes ..... 240
  Configuring Physical Port Classes ..... 242
  Configuring VLAN Tag Classes ..... 242
  Configuring MAC Address Classes ..... 243
  Viewing Active Class Configurations ..... 244
    Viewing the Active Network Class Configuration ..... 244
    Viewing the Active Service Class Configurations ..... 244
    Viewing the Active Application Class Configuration ..... 245
    Viewing the Active Physical Port Class Configuration ..... 246
    Viewing the Active VLAN Tag Class Configuration ..... 246
    Viewing the Active MAC Address Class Configuration ..... 246
  Upgrading Device Software ..... 250
  Downloading a Device's Log File to the APSolute Vision Client ..... 252
  Updating a Radware Signature File or RSA Signature File ..... 252
  Downloading a Technical Support File to the APSolute Vision Client ..... 253
  Managing DefensePro Device Configurations ..... 254
    Configuration File Content ..... 254
    Downloading a Device's Configuration File ..... 255
    Restoring a Device's Configuration ..... 255
  Updating Policy Configurations on a DefensePro Device ..... 256
  Checking Device Memory Availability ..... 256
  Resetting the Baseline for DefensePro ..... 257
  Enabling and Disabling Interfaces ..... 257
  Scheduling APSolute Vision and Device Tasks ..... 258
    Overview of Scheduling ..... 258
    Configuring Tasks in the Scheduler ..... 259
    Task Parameters ..... 260
  Monitoring Attack Sources: Geographical Map ..... 311
  Protection Monitoring ..... 313
    Displaying Attack Status Information ..... 313
    Monitoring Network Rule Traffic ..... 314
    Monitoring DNS Flood Attack Traffic ..... 316
Appendix C Predefined Basic Filters ..... 337
Appendix D DefensePro Attack-Protection IDs ..... 347
Appendix E Protocols and OSs Protected by DefensePro Signatures ..... 357
Appendix G Glossary ..... 369
Radware Ltd. End User License Agreement ..... 375
Chapter 1 Introduction
This guide describes DefensePro 7.20.00 and how to use it. Unless specifically stated otherwise, the procedures described in this guide are performed using APSolute Vision version 2.15. This chapter introduces Radware's DefensePro and provides a general explanation of its main features and modules. This chapter contains the following sections:
- Introducing DefensePro, page 35
- DefensePro System Components, page 35
- Radware Security Update Service on the Web, page 36
- Typical Deployment, page 37
- Network Connectivity, page 38
- Management Interfaces: APSolute Vision and Others, page 38
- DefensePro Features, page 39
- Related Documentation, page 40
Introducing DefensePro
Radware's award-winning DefensePro is a real-time Intrusion Prevention System (IPS) and DoS-protection device. It maintains business continuity by protecting the application infrastructure against existing and emerging network-based threats that traditional IPSs cannot detect, such as network- and application-resource misuse, malware spreading, authentication defeat, and information theft. DefensePro provides full protection from traditional vulnerability-based attacks through proactive signature updates, preventing already known attacks, including worms, trojans, bots, SSL-based attacks, and VoIP attacks. Unlike market alternatives that rely on static signatures, DefensePro provides unique behavioral-based, automatically generated, real-time signatures, preventing attacks that are not vulnerability-based as well as zero-minute attacks such as network and application floods, HTTP page floods, malware propagation, Web application hacking, brute-force attacks aiming to defeat authentication schemes, and more, all without blocking legitimate users' traffic and with no need for human intervention. With multiple-segment protection in a single unit, a pay-as-you-grow license-upgrade approach, and ease of management through hands-off security features such as no-configuration and self-tuning, DefensePro is the industry's leading IPS for best functionality, maximum affordability, and ease of management.
DefensePro User Guide Introduction
DefensePro System Components
The DefensePro system contains the following components:
- DefensePro device: The term "device" refers to the physical platform and the DefensePro product.
- Management interface: APSolute Vision and others.
- Radware Security Update Service on the Web.
Radware Security Update Service on the Web
For up-to-date security information, refer to the Radware Security Zone, available from the Radware Web site: http://www.radware.com/content/support/securityzone/serviceinfo/default.asp.
Typical Deployment
The following illustration shows an in-line installation of DefensePro IPS in an enterprise. In this deployment, DefensePro is located at the gateway, protecting hosts, servers and network resources against incoming network attacks. DefensePro also protects DMZ servers against attacks targeting Web, e-mail, VoIP and other services. This Radware deployment is at the enterprise gateway, in front of the DMZ servers, where DefensePro provides perimeter protection for the enterprise servers, users, routers and firewalls.
Network Connectivity
The following figure shows the typical network topology of DefensePro.
You can perform most tasks using any of the management systems. However, for the most part, this guide describes management tasks by means of APSolute Vision. APSolute Vision is a graphical application that enables you to configure, modify, monitor, and generate reports centrally for single or multiple DefensePro deployments. You can connect a DefensePro device to management interfaces through network physical interfaces or through serial ports. DefensePro supports the following port types: Using the network connection: SNMP, HTTP, HTTPS, Telnet, SSH Using the serial port connection: RS-232 up to 115 Kbit/s (default is 19,200 Kbit/s)
The following table lists the DefensePro physical interfaces and supporting management interfaces:
Protocol: SNMPv1, SNMPv3; HTTP; Secure Web; Telnet; SSH; RS-232
Management interface: APSolute Vision
DefensePro Features
This section provides a brief description of the main DefensePro features and includes the following topics:
- Security Protections
- Real-time Security Reporting for DefensePro
- Historical Security Reporting: APSolute Vision Reporter
Security Protections
DefensePro's multi-layer security approach combines a set of features detecting and mitigating a wide range of network attacks. DefensePro supports the following types of security protections:
Network-wide protections comprise the following:
- Behavioral DoS: Protects against zero-day flood attacks, including SYN floods, TCP floods, UDP floods, ICMP and IGMP floods.
- Scanning and worm protection: Zero-day protection against self-propagating worms, horizontal and vertical TCP and UDP scanning, and ping sweeps.
- SYN protection: Protects against any type of SYN flood attack using advanced SYN cookies. A SYN flood attack is usually aimed at specific servers with the intention of consuming the server's resources. However, you configure SYN Protection as a Network Protection to allow easier protection of multiple network elements.
- Connection limit: Protects against session-based attacks, such as half-open SYN attacks, request attacks and connection attacks.
- Server-cracking protection: Zero-day protection against application-vulnerability scanning, brute-force and dictionary attacks.
- HTTP Mitigator: Mitigates zero-day HTTP page flood attacks.
- Signature-based protections: Protects against known application vulnerabilities and common malware, such as worms, trojans, spyware, and DoS.
- Out-of-State inspection: Ensures that transmission and application stateful rules are enforced based on the TCP RFCs.
- Access Control List: Provides stateful access control.
Related Documentation
See the following documents for information related to DefensePro:
- DefensePro Release Notes and Maintenance Release Notes
- Radware Installation and Maintenance Guide
- APSolute Vision Documentation
- APSolute Vision Reporter Documentation
- Connecting and installing DefensePro, which includes:
  - Information on DefensePro physical platforms
  - Connecting the Management port cable
  - Connecting the inspection ports cables
- Installing APSolute Vision
- Initializing DefensePro using APSolute Vision, which comprises the following:
  - Connecting DefensePro using APSolute Vision
  - Adding a DefensePro device
The DefensePro Installation and Maintenance Guide includes additional useful information on the following:
- Maintenance and software upgrade
- Troubleshooting
- Hardware upgrades
- Specifications
APSolute Vision online help: See this for information about monitoring managed devices.
DefensePro User Guide: Getting Started
Although most configuration and monitoring in DefensePro x420 devices is transparent, there are some issues that you should note.
Management-Interface Issues
When working with instances, note the following management-interface issue:
- All management interfaces operate from a single location: Instance 0. This applies to all management interfaces (CLI, WBM, and APSolute Vision).
Instance-Configuration Issues
When working with instances, note the following instance-configuration issues:
- All configuration actions are executed on both instances simultaneously by an internal process called iCDE.
- The values for various tuning parameters displayed in the APSolute Vision Configuration perspective are the values per instance.
- Network policies: The configuration of Network Protection policies was enhanced with an Instance ID field in the Basic Parameters group box of the Network Protection Rule dialog box. You need to set the instance ID that handles the traffic and protection set for the policy.
- Server policies: The configuration of the Server Protection policies was enhanced with a Policy field in the Server Protection Policy dialog box. You need to specify the name of the Network Protection policy of which the Server Protection policy is a subset.
3. Click OK.
Note: You can configure which perspective is displayed by default when you start an APSolute Vision client session.
Configuration Perspective
Use the Configuration perspective to configure Radware devices. Typically, you choose the device to configure in the Configuration perspective system pane Organization tab. You can view and modify device settings in the content pane tabs, which have their own navigation panes for easier navigation through configuration tasks. You can filter the sites and devices that APSolute Vision displays. The filter does not change the contents of the tree, only how APSolute Vision displays the tree to you. The Configuration perspective also includes the Properties pane, which displays information about the currently selected device.
Properties pane
Alerts pane: Displays the Alerts tab. The Alerts tab displays APSolute Vision alerts, device alerts, and DefensePro security alerts.
The following points apply to all configuration tasks in the Configuration perspective:
- To configure a device, you must lock it. For more information, see the APSolute Vision documentation.
- When you change a field value, the field label is displayed in italics.
- Mandatory fields are displayed in red. You must enter data, or select an option, in these fields. After setting a mandatory field, the field label changes to black.
- By default, tables display up to 20 rows per table page. You can change the number of rows per table up to a maximum of 100 rows.
- You can perform one or more of the following operations on table entries:
  - Add a new entry to the table, and define its parameters.
  - Edit one or more parameters of an existing table entry.
  - Delete a table entry.
Device configuration information is saved only on the DefensePro device, not in the APSolute Vision database. To commit information to the device, you must do the following:
- Click OK when you modify settings in a configuration dialog box.
- Click (Submit) when you modify settings in a configuration page.
- Some configuration changes require an immediate device reboot. When you submit the configuration change, the device reboots immediately.
- Some configuration changes require a device reboot to take effect, but you can save the change without an immediate reboot. When you submit a change without a reboot, the Properties pane displays a Reboot Required notification until you reboot the device.
- Click Update Policies to implement policy-configuration changes if necessary. Policy-configuration changes for a device are saved on the DefensePro device, but the device does not apply the changes until you perform a device configuration update.
Monitoring Perspective
In the Monitoring perspective, you can monitor physical devices and interfaces, and logical objects, such as farms and servers. The Monitoring perspective navigation pane contains two navigation tabs. The System tab contains the physical devices and interfaces. The Properties pane displays information about the currently selected device. The content pane for each type of entity contains tabs in which you can view different types of information. Some tabs contain a navigation pane. You can filter the sites and devices that APSolute Vision displays. The filter does not change the contents of the tree, only how APSolute Vision displays the tree to you.
Properties pane
Alerts pane: Displays the Alerts tab. The Alerts tab displays APSolute Vision alerts, device alerts, and security alerts.
Alerts pane: Displays the Alerts tab. The Alerts tab displays APSolute Vision alerts, device alerts, and DefensePro security alerts.
Parameter: Description
Source Port
Destination Port
Operation
In Port: Specifies which port in the pair is designated as the inbound port (the source or destination port). This setting is used in real-time reports for inbound and outbound traffic.
Advanced Parameters
Enable Interface Grouping: Specifies whether the device groups the statuses of the port-pair interfaces. When the option is enabled, if one port of a port pair is disconnected, DefensePro sets the status of the paired port to disconnected also; so, a remote device connected to the DefensePro device perceives the same disconnected status. Typically, the option is enabled when DefensePro is configured between switches that use link redundancy. Interface grouping is the only way both switches always perceive the same DefensePro interface status. Default: Disabled
1 enable 2 disable
2.
3. Click Send and OK.
4. The Alerts pane displays a success or failure notification and whether the operation was performed using a proxy server.
Note: For more information on black-list rules, see Configuring Black Lists, page 218. DefensePro devices running version 6.05 and later can be senders and/or receivers. DefensePro devices running versions prior to 6.05 can be senders only. A receiver in a DefensePro Security Group cannot be a secondary device in a cluster. Security Groups reduce false negatives in various environments and enhance DefensePro's proactive approach to security. Especially in asymmetrical network environments, there are cases where a DefensePro device inspects only one direction of the traffic while other DefensePro devices inspect the rest of the traffic. In such cases, without a Security Group to share information, when a DefensePro device identifies a source as a threat and suspends it (blocks it), other DefensePro devices can continue to forward traffic from the same source. In an extreme example of an asymmetric (stateful) environment, a DefensePro device may identify a malicious source based on server responses, though the DefensePro device cannot block the source because the source's originated traffic passes through another DefensePro device. In such cases, with a Security Group to share the information, all the receiver DefensePro devices can block the malicious traffic.
Caution: The Security Groups feature does not support redundant APSolute Vision servers. Unexpected results may occur if more than one APSolute Vision server manages the DefensePro devices that are members of a Security Group.
Note: APSolute Vision does not limit the number of Security Groups, the number of senders, or the number of receivers. Radware has tested the feature with five Security Groups, each with five senders and five receivers.
Security Group behavior:
1. The Anti-Scanning or Server Cracking module of a sender detects an attack. The configuration of the Security Group includes the modules (Anti-Scanning and/or Server Cracking) that participate in the group.
2. The sender notifies APSolute Vision using the regular security-event traps.
3. APSolute Vision configures each receiver with a Dynamic Black List rule. The rule name is in the following format:
hhmm is the time (hour and minutes) that the Security Group configured the rule. This is the time set in the APSolute Vision server (and not on the DefensePro receiver or sender). $$$$ is a four-character hexadecimal hash of the event ID in the security-event trap.
The configuration of the black-list rule (in the receiver) exposes the Detector Module and the Detector IP Address (in the Detector Security Module and Detector text boxes), which identify the protection module (for example, Anti-Scanning) and the sender that detected the attack. APSolute Vision does not configure a sender with a black-list rule based on its own security events. That is, if a DefensePro device is both a sender and a receiver in a Security Group, when the device sends a security-event trap to the Security Group, APSolute Vision does not configure that same device with the corresponding black-list rule. The configuration of the Security Group determines the blocking period and whether the rule blocks all the traffic from the source or only a combination of the following:
- Attacked address
- Attacked port
- Protocol
Parameter: Description
Enabled: Specifies whether the Security Group is enabled. This enables you to keep a Security Group configuration even when it is not in use. Default: Disabled
Group Name: The name of the Security Group.
Parameter: Description
Blocking Period: The time, in minutes, that the receivers block traffic. This is the value of the Expiration Timer in the black-list rule with which APSolute Vision configures the receivers. The Expiration Timer fields display the time remaining. Values: 1 to 120. Note: For information on black lists, see Configuring Black Lists, page 218.
Destination IP Address: Specifies that the receivers block the IP address of the attacked machine.
Security Modules:
- Anti-Scanning: Specifies that the receivers block malicious traffic detected by the Anti-Scanning module of the senders. Default: Enabled
- Server Cracking: Specifies that the receivers block malicious traffic detected by the Server Cracking module of the senders. Default: Enabled
Senders: The Available Devices list and the Selected Devices list. The Available Devices list displays the available DefensePro devices. The Selected Devices list displays the senders of the Security Group.
Receivers: The Available Devices list and the Selected Devices list. The Available Devices list displays the available DefensePro devices. The Selected Devices list displays the receivers of the Security Group.
Note: Only one APSolute Vision server should manage any one Radware device. For more information, see the APSolute Vision Administrator Guide.
While the device is locked:
- The device icon in the main navigation pane System tab includes a small lock symbol for DefensePro.
- Configuration panes are displayed in read-only mode to other users with configuration permissions for the device.
- If applicable, the (Commit) button is displayed.
- If applicable, the (Add) button is displayed.
To lock a device
In the Configuration perspective main navigation pane System tab, right-click the device name, and select Lock Device.
To unlock a device
In the Configuration perspective main navigation pane System tab, right-click the device name, and select Unlock Device.
Parameter: Description
Device Description
Device Name
Location: Enter the device location, if required.
Contact Information: Enter contact information, if required.
System Up Time: (Read-only) The length of time that the device has been up since the last device reboot.
Base MAC Address: (Read-only) The MAC address of the device hardware.
Device Serial Number: (Read-only) The serial number of the device hardware.
Version Information:
- Software Version: (Read-only) The version of the product software on the device.
- Hardware Version: (Read-only) The version of the device hardware.
Note: When NTP is disabled, the time and date must be set manually for the device.
Parameter: Description
Enable NTP: Enables or disables the NTP feature. Default: Disabled. Note: The NTP Server Address must be configured to enable the NTP feature.
NTP Server Address: The IP address of the NTP server.
The NTP server port. Default: 123
Parameter: Description
Polling Interval: The interval, in seconds, between time query messages sent to the NTP server. Default: 64
Time Zone: The time-zone offset from GMT (-12:00 to +12:00 hours). Default: 00:00
Note: When the system clock is manually configured, the system time is changed only when daylight saving time starts or ends. When daylight saving time is enabled during the daylight saving time period, the device does not change the system time.
2.
Parameter: Description
Enabled: Enables or disables daylight saving time. Default: Disabled
Begins at: The start date and time for daylight saving time.
Ends at: The end date and time for daylight saving time.
Current Mode: Specifies whether the device is on standard time or daylight saving time.
Parameter: Description
Enable Web Access
L4 Port
Web Help URL
Telnet:
- Enable Telnet: Specifies whether to enable Telnet access to the device. Default: Disabled
- L4 Port: The TCP port used by Telnet. Default: 23
- Session Timeout: The period of time, in minutes, the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates. Values: 1 to 120. Default: 5. Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.
Parameter: Description
- Authentication Timeout: The timeout, in seconds, required to complete the authentication process. Values: 10 to 60. Default: 30
SSH:
- Enable SSH: Specifies whether to enable SSH access to the device. Default: Disabled
- L4 Port: The source port for the SSH server connection. Default: 22
- Session Timeout: The period of time, in minutes, the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates. Values: 1 to 120. Default: 5. Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.
- Authentication Timeout: The timeout, in seconds, required to complete the authentication process. Values: 10 to 60. Default: 10
Web Services:
- Enable Web Services: Specifies whether to enable access to Web services. Default: Enabled
Parameter: Description
Supported SNMP Versions: The currently supported SNMP versions.
Supported SNMP Versions after Reset: The SNMP versions supported by the SNMP agent after resetting the device. Select the SNMP versions to support. Clear the versions that are not supported.
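The Telnet, SSH, Web Services and SNMP settings described above are the management-plane options that most often need a second look before a device goes into service. The following Python function is an added example, not part of this guide or of APSolute Vision: it audits a dictionary of those settings and returns findings. The dictionary layout, the finding codes, the 15-minute idle-session threshold, and the reading of "Enable Web Access" as the non-TLS WBM listener are all assumptions made for the check; the parameter names and value ranges follow the tables above.

```python
# Added example: hardening audit of DefensePro management-access settings.
# Setting names mirror the parameter tables above; the dictionary layout,
# the finding codes and MAX_IDLE_MINUTES are assumptions for this check.

MAX_IDLE_MINUTES = 15   # assumed review threshold; the device accepts 1 to 120


def audit_management_access(settings):
    """Return a list of (severity, code, message) tuples for risky settings."""
    findings = []

    telnet = settings.get("telnet", {})
    ssh = settings.get("ssh", {})
    if telnet.get("enabled"):
        findings.append(("high", "TELNET_ENABLED",
                         "Telnet carries credentials in clear text; prefer SSH on "
                         "L4 port %d" % ssh.get("l4_port", 22)))

    # Assumption: "Enable Web Access" is the plain-HTTP WBM listener, as opposed
    # to secure WBM (HTTPS), which the guide describes separately.
    if settings.get("web_access", {}).get("enabled"):
        findings.append(("medium", "HTTP_WBM_ENABLED",
                         "plain-HTTP Web Based Management is enabled; use secure WBM"))

    # Session Timeout is in minutes (values 1 to 120, default 5 per the tables).
    for name, svc in (("telnet", telnet), ("ssh", ssh)):
        if svc.get("enabled") and svc.get("session_timeout", 0) > MAX_IDLE_MINUTES:
            findings.append(("low", "LONG_IDLE_TIMEOUT",
                             "%s idle timeout %d min exceeds %d min"
                             % (name, svc["session_timeout"], MAX_IDLE_MINUTES)))

    snmp = settings.get("snmp", {})
    current = set(snmp.get("supported_versions", []))
    after_reset = set(snmp.get("supported_versions_after_reset", current))
    if "v1" in current:
        findings.append(("high", "SNMPV1_ENABLED",
                         "SNMPv1 authenticates with a community string and is "
                         "not encrypted; keep only SNMPv3"))
    # The device keeps a separate 'after reset' version set; a mismatch means
    # the running posture will silently change at the next reboot.
    if current != after_reset:
        findings.append(("medium", "SNMP_VERSIONS_DRIFT",
                         "running SNMP versions %s differ from after-reset set %s"
                         % (sorted(current), sorted(after_reset))))
    return findings


def finding_codes(settings):
    """Sorted finding codes, handy for assertions and for diffing two devices."""
    return sorted(code for _, code, _ in audit_management_access(settings))


# Constructed sample configurations (not captured from a real device).
WEAK_SETTINGS = {
    "telnet": {"enabled": True, "l4_port": 23, "session_timeout": 30},
    "ssh": {"enabled": True, "l4_port": 22, "session_timeout": 5},
    "web_access": {"enabled": True},
    "snmp": {"supported_versions": ["v1", "v3"],
             "supported_versions_after_reset": ["v3"]},
}
HARDENED_SETTINGS = {
    "telnet": {"enabled": False, "l4_port": 23, "session_timeout": 5},
    "ssh": {"enabled": True, "l4_port": 22, "session_timeout": 5},
    "web_access": {"enabled": False},
    "snmp": {"supported_versions": ["v3"],
             "supported_versions_after_reset": ["v3"]},
}

if __name__ == "__main__":
    for sev, code, msg in audit_management_access(WEAK_SETTINGS):
        print(f"[{sev}] {code}: {msg}")
```

Run the same function against the "after reset" view of several devices before a maintenance window; the SNMP_VERSIONS_DRIFT finding is the one that is easy to miss because the running configuration looks correct until the reboot.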
Parameter: Description
Base MAC Address
License Upgrade:
- License ID: Reports the device software license ID and must be provided to Radware when requesting a new license.
- New License Key: The device software license allows you to activate advanced software functionality.
- Throughput License ID: Manages the device throughput license ID and must be provided to Radware when requesting a new throughput license.
- Throughput License Key: Manages the device throughput level license.
DefensePro User Guide: Basic Device Configuration
You can configure the device to send information messages via e-mail to device users. This feature can be used for sending trap information via e-mail. When you configure device users, you can specify whether an individual user should receive notifications via e-mail and the minimal event severity reported via SNMP traps and e-mail. The user will receive traps of the configured severity and higher. The e-mail configuration applies both for SNMP traps and for SMTP e-mail notifications. SMTP notifications are enabled globally for the device.
Note: The device optimizes the mailing process by gathering security and system events, which it sends in a single notification message when the buffer is full, or when a timeout of 60 seconds expires.
Note: To configure users to receive e-mails about errors, in the User Table, set the e-mail address and notification severity level for each user. For information about configuring users, see Configuring Device Users, page 219.
Parameter: Description
Enable Email Client
Enable Sending Email upon Errors: Specifies whether the device sends notifications via e-mail. Default: Disabled
Note: The DefensePro devices must have access to the RADIUS server and must allow device access.
Parameter: Description
Main:
- Server IP Address: The IP address of the primary RADIUS server.
- L4 Port: The access port number of the primary RADIUS server. Values: 1645, 1812. Default: 1645
- Secret, Verify Secret: The authentication password for the primary RADIUS server. When defining the password, re-enter it for verification.
Backup:
- Server IP Address: The IP address of the backup RADIUS server.
- L4 Port: The access port number of the backup RADIUS server. Values: 1645, 1812. Default: 1645
- Secret, Verify Secret: The authentication password for the backup RADIUS server. When defining the password, re-enter it for verification.
Basic Parameters:
- Timeout: The time, in seconds, that the device waits for a reply from the RADIUS server before a retry, or, if the Retries value is exceeded, before the device acknowledges that the server is offline. Default: 1
Parameter: Description
- Retries: The number of connection retries to the RADIUS server, after the RADIUS server does not respond to the first connection attempt. After the specified number of Retries, if all connection attempts have failed (Timeout), the backup RADIUS server is used. Default: 2
- Client Lifetime: The duration, in seconds, of the client's authentication. After the RADIUS Client Lifetime expires, the device re-authenticates the user. The value is not absolute (fixed), but rather, is based on the idle timeout of the last activity. Default: 30
Note: Instead of configuring each individual device, Radware recommends configuring the APSolute Vision server to convey the syslog messages from all devices.
Default: Enabled
Do one of the following:
- To add an entry, click the (Add) button.
- To modify an entry, double-click the entry in the table.
4. Click (Submit) to submit the changes.
Parameter: Description
Enable Syslog Server: Specifies whether the syslog server is enabled. Default: Enabled. Note: The device sends syslog messages using UDP. That is, the device sends syslog messages with no verification of message delivery. The Status is N/R in the DefensePro Syslog Monitor (Monitoring perspective > Resource Utilization tab > Syslog Monitor).
The IP address or hostname of the device running the syslog service (syslogd).
The syslog source port. Default: 514. Note: Port 0 specifies a random port.
The syslog destination port. Default: 514
The type of device of the sender. This is sent with syslog messages. You can use this parameter to distinguish between different devices and define rules that split messages. Values: Authorization Messages, Clock Daemon, Clock Daemon2, FTP Daemon, Kernel Messages, Line Printer Subsystem, Local 0, Local 1, Local 2, Local 3, Local 4, Local 5, Local 6, Local 7, Log Alert, Log Audit, Mail System, Network News Subsystem, NTP Daemon, Syslogd Messages, System Daemons, User Level Messages, UUCP
Managing Certificates
This section describes certificates for AppDirector and DefensePro, and how to manage the certificates using APSolute Vision.
Certificates
Certificates are digitally signed indicators which identify the server or user. They are usually provided in the form of an electronic key or value. The digital certificate represents the certification of an individual business or organizational public key but can also be used to show the privileges and roles for which the holder has been certified. It can also include information from a third-party verifying identity. Authentication is needed to ensure that users in a communication or transaction are who they claim to be.
A basic certificate includes the following:
- The certificate holder's identity
- The certificate's serial number
- The certificate expiry date
- A copy of the certificate holder's public key
- The identity of the Certificate Authority (CA) and its digital signature to affirm the digital certificate was issued by a valid agency
Keys
A key is a variable set of numbers that the sender applies to encrypt data to be sent via the Internet. Usually a pair of public and private keys is used. A private key is kept secret and used only by its owner to encrypt and decrypt data. A public key has a wide distribution and is not secret. It is used for encrypting data and for verifying signatures. One key is used by the sender to encrypt or interpret the data. The recipient also uses the key to authenticate that the data comes from the sender. The use of keys ensures that unauthorized personnel cannot decipher the data. Only with the appropriate key can the information be easily deciphered or understood. Stolen or copied data would be incomprehensible without the appropriate key to decipher it and prevent forgery. DefensePro supports the following key size lengths: 512, 1024, or 2048 bytes.
Self-Signed Certificates
Self-signed certificates do not include third-party verification. When you use secure WBM, that is, an HTTPS session, the DefensePro device uses a certificate for identification. By default, the device has self-signed Radware SSL certificates. You can also specify your own self-signed SSL certificates.
Configuring Certificates
You can create or modify a self-signed certificate for secured access to Web Based Management (WBM). You can also create certificate signing requests and keys for new certificates.
Parameter: Description
Name: The name of the Key or Certificate.
Type: The type of certification. Values: Certificate; Certificate of Client CA (1); Certificate Signing Request; Intermediate CA Certificate (1); Key (when you select Key, only the Key Size and Passphrase fields are available). Default: Key
Key Size: The key size, in bytes. Larger key sizes offer an increased level of security. Radware recommends that certificates have a key size of 1024 or more. Using a certificate of this size makes it extremely difficult to forge a digital signature or decode an encrypted message. Values: 512 Bytes, 1024 Bytes, 2048 Bytes. Default: 1024 Bytes
Common Name: The domain name of the organization (for example, www.radware.com) or IP address.
Organization: The name of the organization.
Email Address: Any e-mail address that you want to include within the certificate.
Key Passphrase: The Key Passphrase encrypts the key in storage and is required to export the key. Since private keys are the most sensitive parts of PKI data, they must be protected by a passphrase. The passphrase should be at least four characters, and Radware recommends using stronger passphrases than that, based on letters, numbers and signs. After you define the key passphrase, re-enter it for verification.
Locality: The name of the city.
Parameter: Description
State / Province: The state or province.
Organization Unit: The department or unit within the organization.
Country Name: The organization country.
Certificate Expiration: The duration (in days) that the certificate remains valid. Values: 1 to 4,294,967,295 (4 GB). Default: 365
(1) If you select this option when it is not allowed (according to the type of certificate you are using), the device alerts you with an error message.
2.
Parameter: Description
Common Name: The domain name of the organization. For example, www.radware.com.
Locality: The name of the city.
State / Province: The state or province.
Organization: The name of the organization.
Organization Unit: The department or unit within the organization.
Country Name: The organization country.
Email Address: Any e-mail address to include in the certificate.
Importing Certificates
You can import keys and certificates from another machine, and import a certificate to an existing Signing Request to complete its process. Keys and certificates are imported in PEM format. If you have separate PEM files for Key and for certificate, you must import them consecutively with the same entry name.
Parameter: Description
Entry Name: A new entry name to create by import, or an existing entry name to overwrite or complete a Key or CSR.
Entry Type: Values: Key (imports a key from backup or exported from another system; to complete the configuration, you will need to import a certificate into this key); Certificate (imports a certificate from backup or exported from another machine; the certificate must be imported onto a matching key or signing request); Certificate of Client CA (imports a Client CA certificate). Default: Key. Note: In Web Based Management, DefensePro supports the following three additional options: Intermediate CA Certificate, Certificate and Key, SSH Public Key.
Passphrase: (This parameter is available only when the Entry Type is Key.) Since private keys are the most sensitive parts of PKI data, they must be protected by a passphrase. The passphrase should be at least four characters, and Radware recommends using stronger passwords than that, based on letters, numbers, and signs.
Verify Passphrase: (This parameter is available only when the Entry Type is Key.) Re-enter the passphrase; the same requirements as for Passphrase apply.
File Name: The certificate file to import.
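The import and export procedures above work on PEM files, and the two mistakes that cost the most time are importing a private key that was exported without a passphrase and feeding a combined key-plus-certificate file to a dialog that expects one entry type. The following Python code is an added example, not part of this guide or of the device software: it parses a PEM file into its blocks, classifies each block as key, certificate or signing request, reports whether a key is passphrase-protected (legacy `Proc-Type: 4,ENCRYPTED` header or a PKCS#8 `ENCRYPTED PRIVATE KEY` label), and checks that each body decodes to a DER SEQUENCE. The sample PEM bodies are constructed from a five-byte DER stub and are not real keys or certificates; the issue strings are assumptions.

```python
import base64
import re

# One PEM block: label, optional legacy headers, base64 body. re.S lets '.'
# span lines; the backreference makes BEGIN and END labels match.
PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY",
              "ENCRYPTED PRIVATE KEY"}
CERT_LABELS = {"CERTIFICATE"}
CSR_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}


def parse_pem(text):
    """Return one dict per PEM block: label, kind, headers, DER bytes, flags."""
    blocks = []
    for m in PEM_BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        headers, data, in_headers = {}, [], True
        for ln in body.splitlines():
            ln = ln.strip()
            # Legacy (pre-PKCS#8) encrypted keys carry "Key: value" header
            # lines followed by a blank line; base64 never contains ':'.
            if in_headers and ":" in ln:
                k, v = ln.split(":", 1)
                headers[k.strip()] = v.strip()
                continue
            in_headers = False
            if ln:
                data.append(ln)
        der = base64.b64decode("".join(data), validate=True)
        if label in KEY_LABELS:
            kind = "key"
        elif label in CERT_LABELS:
            kind = "certificate"
        elif label in CSR_LABELS:
            kind = "csr"
        else:
            kind = "other"
        encrypted = None
        if kind == "key":
            encrypted = (label == "ENCRYPTED PRIVATE KEY"
                         or headers.get("Proc-Type", "").endswith("ENCRYPTED"))
        blocks.append({
            "label": label, "kind": kind, "headers": headers, "der": der,
            "encrypted": encrypted,
            # Every X.509 certificate, CSR and private key starts with an
            # ASN.1 SEQUENCE tag (0x30).
            "looks_like_der": len(der) > 0 and der[0] == 0x30,
        })
    return blocks


def check_import_bundle(text):
    """Summarise what a PEM file contains and flag import problems."""
    blocks = parse_pem(text)
    kinds = [b["kind"] for b in blocks]
    issues = []
    if not blocks:
        issues.append("no PEM blocks found")
    for b in blocks:
        if not b["looks_like_der"]:
            issues.append(f"{b['label']} body is not a DER SEQUENCE")
        if b["kind"] == "key" and not b["encrypted"]:
            issues.append("private key is not passphrase-protected")
    if "key" in kinds and "certificate" in kinds:
        issues.append("key and certificate in one file: import them as "
                      "separate entries with the same entry name")
    return {"kinds": kinds, "issues": issues}


def _pem(label, der, headers=()):
    """Build a PEM block around constructed DER bytes (test data only)."""
    body = base64.b64encode(der).decode()
    hdr = "".join(f"{k}: {v}\n" for k, v in headers) + ("\n" if headers else "")
    return f"-----BEGIN {label}-----\n{hdr}{body}\n-----END {label}-----\n"


# Constructed DER: SEQUENCE { INTEGER 5 }. Not a real key or certificate.
TOY_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_PLAIN_KEY = _pem("RSA PRIVATE KEY", TOY_DER)
SAMPLE_ENC_KEY = _pem("RSA PRIVATE KEY", TOY_DER, headers=(
    ("Proc-Type", "4,ENCRYPTED"),
    ("DEK-Info", "AES-256-CBC,00112233445566778899AABBCCDDEEFF")))
SAMPLE_PKCS8_ENC_KEY = _pem("ENCRYPTED PRIVATE KEY", TOY_DER)
SAMPLE_CERT = _pem("CERTIFICATE", TOY_DER)

if __name__ == "__main__":
    print(check_import_bundle(SAMPLE_PLAIN_KEY))
    print(check_import_bundle(SAMPLE_ENC_KEY + SAMPLE_CERT))
```

The check is deliberately format-level only: it confirms what you are about to import, not that the key matches the certificate, which the device itself enforces when the certificate is imported onto the key or signing request.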
Exporting Certificates
Key, certificate and signing request export is used for backup purposes, moving existing configurations to another system or for completion of Signing Request processes. You can export certificates from a device by copying and pasting a key or by downloading a file. Keys and certificates are exported to PEM format.
Note: The Radware key is created without a Radware password at system startup, thus it can be exported without a Radware password.
Parameter: Description
Entry Name: Select the name of the entry to export. By default, the name of the selected certificate in the Certificates table is displayed.
Entry Type: According to the selected entry name, you can export Certificate, Certificate Chain, Client CA Certificate, Key, or Certificate Signing Request.
Passphrase: Required when exporting Keys. Use the passphrase entered when the key was created or imported. You must enter the key passphrase to validate that you are authorized to export the key.
High-Availability in DefensePro: Overview
To support high availability (HA), you can configure two compatible DefensePro devices to operate in a two-node cluster. One member of the cluster is the primary; the other member of the cluster is the secondary.
Both cluster members must meet the following requirements:
- Must use the same:
  - Platform
  - Software version
  - Software license
  - Throughput license
  - Radware signature file
- Must be on the same network.
- Must use the same management port (that is, MNG-1 on both devices, MNG-2 on both devices, or both MNG-1 and MNG-2 on both devices).
A receiver in a DefensePro Security Group cannot be a secondary device in a cluster. When you configure a cluster and submit the configuration, the newly designated primary device configures the required parameters on the designated secondary device. You can configure a DefensePro high-availability cluster in the following ways:
- To configure the primary device of the cluster, the failover parameters, and the advanced parameters, you can use the High Availability pane (Configuration perspective, Setup > High Availability). When you specify the primary device, you specify the peer device, which becomes the secondary member of the cluster.
- To configure only the basic parameters of a cluster (Cluster Name, Primary Device, and Associated Management Ports), you can use the Configuration perspective system pane.
The members of a cluster work in an active-passive architecture. When a cluster is created:
- The primary device becomes the active member.
- The secondary device becomes the passive member.
- The primary device transfers the relevant configuration objects to the secondary device.
A secondary device maintains its own configuration for the device users, IP interfaces, routing, and the port-pair Failure Mode. A primary device immediately transfers each relevant change to its secondary device. For example, after you make a change to a Network Protection policy, the primary device immediately transfers the change to the secondary device. However, if you change the list of device users on the primary device, the primary device transfers nothing (because the secondary device maintains its own list of device users). The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections. The following situations trigger the active device and the passive device to switch states (active to passive and passive to active):
- The passive device does not detect the active device according to the specified Heartbeat Timeout.
- All links are identified as down on the active device according to the specified Link Down Timeout.
- Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the specified Idle Line Timeout.
- You issue the Switch Over command. (To switch the device states, in the Monitoring perspective system pane, right-click the cluster node, and then select Switch Over.)
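The switchover triggers listed above (Heartbeat Timeout, Link Down Timeout, the optional Idle Line Threshold/Timeout pair, and the manual Switch Over command) combine into one decision, and two of the notes that follow matter when you model it: roles (primary/secondary) never change inside a cluster, only states (active/passive) do, and any grace time resets to 0 when a passive device becomes active. The following Python code is an added example, not part of this guide or of the DefensePro software: it evaluates the triggers against a constructed observation of the cluster and applies the state swap. The timer units (seconds), the observation fields and the reason strings are assumptions for the model.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class ClusterMember:
    name: str
    role: str            # "primary" or "secondary"; fixed for the cluster's life
    state: str           # "active" or "passive"; this is what switchover changes
    grace_time: float = 0.0   # e.g. remaining Graceful Startup Mode Startup Timer


@dataclass
class Observation:
    """What the cluster sees at time `now`. All timers are seconds (assumption)."""
    now: float
    last_heartbeat_from_active: float         # last heartbeat the passive device saw
    heartbeat_timeout: float
    all_links_down_since: Optional[float] = None   # on the active device, or None
    link_down_timeout: float = 0.0
    idle_line_enabled: bool = False            # the Idle Line trigger is optional
    traffic_below_threshold_since: Optional[float] = None
    idle_line_timeout: float = 0.0
    switch_over_command: bool = False          # operator issued Switch Over


def switchover_reason(obs):
    """Return the trigger that fires, or None when the cluster stays as it is."""
    if obs.switch_over_command:
        return "Switch Over command"
    if obs.now - obs.last_heartbeat_from_active > obs.heartbeat_timeout:
        return "Heartbeat Timeout"
    if (obs.all_links_down_since is not None
            and obs.now - obs.all_links_down_since >= obs.link_down_timeout):
        return "Link Down Timeout"
    if (obs.idle_line_enabled
            and obs.traffic_below_threshold_since is not None
            and obs.now - obs.traffic_below_threshold_since >= obs.idle_line_timeout):
        return "Idle Line Timeout"
    return None


def apply_switchover(active, passive, obs):
    """Swap states if a trigger fires. Returns (new_active, new_passive, reason)."""
    reason = switchover_reason(obs)
    if reason is None:
        return active, passive, None
    # Only the states swap; primary/secondary roles are untouched. There is no
    # failback: the former active device stays passive until the next trigger
    # or a manual Switch Over.
    active.state, passive.state = "passive", "active"
    passive.grace_time = 0.0     # grace time resets when a passive device becomes active
    return passive, active, reason


def run_scenario():
    """Constructed scenario: heartbeat loss fails over, quiet period does not fail back."""
    primary = ClusterMember("dp-1", "primary", "active")
    secondary = ClusterMember("dp-2", "secondary", "passive", grace_time=30.0)
    lost_heartbeat = Observation(now=100.0, last_heartbeat_from_active=90.0,
                                 heartbeat_timeout=5.0)
    active, passive, reason = apply_switchover(primary, secondary, lost_heartbeat)
    quiet = Observation(now=200.0, last_heartbeat_from_active=199.0,
                        heartbeat_timeout=5.0)
    active, passive, later = apply_switchover(active, passive, quiet)
    return {"reason": reason, "later": later,
            "active": active.name, "active_role": active.role,
            "active_grace": active.grace_time, "passive": passive.name}


if __name__ == "__main__":
    print(run_scenario())
```

The idle-line branch is the one to think about before enabling it: a legitimately quiet link on the active device looks identical to a failed one, which is why the guide makes that trigger optional.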
DefensePro User Guide Basic Device Configuration

You cannot perform many actions on a secondary device. You can perform only the following actions on a secondary device:
- Switch the device state (that is, switch over active to passive and passive to active)
- Break the cluster if the primary device is unavailable
- Configure management IP addresses and routing
- Configure the port-pair Failure Mode
- Manage device users
- Download a device configuration
- Upload a signature file
- Download the device log file
- Download the support log file
- Reboot
- Shut down
- Change the device name
- Change the device time
- Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management
Notes
- Before you can configure a cluster, the devices must be locked.
- By design, an active device does not fail over during a user-initiated reboot. Before you reboot an active device, you can manually switch to the other device in the cluster.
- You can initiate a baseline synchronization if a cluster member is passive, using CLI or Web Based Management.
- When you upgrade the device software, you need to break the cluster (that is, ungroup the two devices). Then, you can upgrade the software and reconfigure the cluster as you require.
- In an existing cluster, you cannot change the role of a device (primary to secondary or vice versa). To change the role of a device, you need to break the cluster (that is, ungroup the two devices), and then reconfigure the cluster as you require.
- If the devices of a cluster belong to different sites, APSolute Vision creates the cluster node under the site where the primary device resides, and APSolute Vision removes the secondary device from the site where it was configured.
- APSolute Vision issues an alert if the state of the device clusters is ambiguous, for example, if there has been no trigger for switchover and both cluster members detect traffic. This state is normal during the initial synchronization process.
- There is no failback mechanism. There is only the automatic switchover action and the manual Switch Over command.
- When a passive device becomes active, any grace time resets to 0 (for example, the time of the Graceful Startup Mode Startup Timer).
- You can monitor high-availability operation in the High Availability pane of the Monitoring perspective. The Properties pane displays the high-availability information of the selected device.
Note: You can monitor high-availability operation in the High Availability pane of the Monitoring perspective.

The following table describes the icons that APSolute Vision displays in the system pane for DefensePro high-availability clusters.
- Cluster
- Primary device
- Secondary device
The following table describes the icon elements that APSolute Vision displays in the system pane for DefensePro high-availability clusters.
- The cluster is operating nominally.
- The cluster is synchronizing its members.
- The cluster is unavailable.
- The primary device is active, unlocked, and operating nominally.
- The primary device is passive, unlocked, and operating nominally.
- The secondary device is passive, unlocked, and operating nominally.
- The secondary device is active, unlocked, and operating nominally.
- The secondary device is unlocked and unavailable.
Note: To rename the cluster, in the Configuration perspective system pane, right-click the cluster node, and select Rename <Cluster Name>. Rename the cluster (up to 32 characters); and then, click outside the cluster node.
Cluster Member
- Peer Device: The name of the other device in the cluster. The drop-down list contains the names of all the DefensePro devices that are not part of a cluster. When the device is a member of an existing high-availability cluster, the drop-down list is unavailable.
- Associated Management Ports: Specifies the management (MNG) port or ports through which the primary and secondary devices communicate. Values: MNG1, MNG2, MNG1+2. Note: You cannot change the value if the currently specified management port is being used by the cluster. For example, if the cluster is configured with MNG1+2, and MNG1 is in use, you cannot change the value to MNG2.
Failover
- Heartbeat Timeout: The time, in seconds, that the passive device detects no heartbeat from the active device before the passive device becomes active. Values: 10–30. Default: 10.
- Link Down Timeout: The time, in seconds, after all links to the active device are identified as being down before the devices switch states. Values: 1–65,535. Default: 1. Note: If a dead link or idle line is detected on both cluster members, there is no switchover.
- Use Idle Line Detection: Specifies whether the devices switch states due to an idle line detected on the active device. Default: Disabled. Note: If an idle line is detected on both cluster members, there is no switchover.
- Idle Line Threshold: The minimum bandwidth, in Kbit/s, that triggers a switchover when the Use Idle Line Detection option is enabled. Values: 512–4,294,967,296. Default: 512. Note: If the Use Idle Line Detection checkbox is cleared, this parameter is ignored.
- Idle Line Timeout: The time, in seconds, with line bandwidth below the Idle Line Threshold that triggers a switchover when the Use Idle Line Detection option is enabled. Values: 3–65,535. Default: 10. Note: If the Use Idle Line Detection checkbox is cleared, this parameter is ignored.
Advanced Configuration
- Baseline Sync. Interval: The interval, in seconds, at which the active device synchronizes the BDoS and HTTP Mitigator baselines. Values: 3600–86,400. Default: 3600. Note: The active device also synchronizes the baselines when the cluster is created.
- Switchover Sustain Timeout: The time, in seconds, after a manual switchover during which the cluster members do not change states. Values: 30–3600. Default: 180.
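The switchover triggers described earlier in this section, together with the Failover and Advanced Configuration parameters above, modelled as one decision function. This is an added example and not Radware code; the order in which the triggers are evaluated, the class and field names, and the sample member states are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class FailoverConfig:
    """Failover and Advanced Configuration parameters, with the defaults from the tables above."""
    heartbeat_timeout: int = 10            # seconds, 10-30
    link_down_timeout: int = 1             # seconds, 1-65,535
    use_idle_line_detection: bool = False  # default: Disabled
    idle_line_threshold_kbps: int = 512    # Kbit/s, 512-4,294,967,296
    idle_line_timeout: int = 10            # seconds, 3-65,535
    switchover_sustain_timeout: int = 180  # seconds, 30-3600

    def validate(self) -> None:
        """Reject values outside the documented ranges before they are pushed to a device."""
        checks = [
            ("Heartbeat Timeout", self.heartbeat_timeout, 10, 30),
            ("Link Down Timeout", self.link_down_timeout, 1, 65_535),
            ("Idle Line Threshold", self.idle_line_threshold_kbps, 512, 4_294_967_296),
            ("Idle Line Timeout", self.idle_line_timeout, 3, 65_535),
            ("Switchover Sustain Timeout", self.switchover_sustain_timeout, 30, 3600),
        ]
        for name, value, low, high in checks:
            if not low <= value <= high:
                raise ValueError(f"{name} must be between {low} and {high}, got {value}")


def config_is_valid(cfg: FailoverConfig) -> bool:
    """True when every parameter is inside its documented range."""
    try:
        cfg.validate()
    except ValueError:
        return False
    return True


@dataclass
class MemberState:
    """Condition of one cluster member at evaluation time (constructed input, not device telemetry)."""
    seconds_since_heartbeat: float  # as observed by the peer member
    links_down_for: float           # seconds all links have been down (0 = links up)
    line_kbps: float                # current traffic rate on the inspected links
    idle_for: float                 # seconds the rate has stayed below the Idle Line Threshold


def _is_idle(cfg: FailoverConfig, member: MemberState) -> bool:
    return (member.line_kbps < cfg.idle_line_threshold_kbps
            and member.idle_for >= cfg.idle_line_timeout)


def switchover_reason(cfg: FailoverConfig, active: MemberState, passive: MemberState,
                      since_manual_switchover: Optional[float] = None) -> Optional[str]:
    """Name the trigger that makes the passive member become active, or None if states hold."""
    # Switchover Sustain Timeout: after a manual Switch Over the members keep their states.
    if since_manual_switchover is not None and since_manual_switchover < cfg.switchover_sustain_timeout:
        return None
    # Trigger 1: the passive member has not seen the active member's heartbeat for Heartbeat Timeout.
    if active.seconds_since_heartbeat >= cfg.heartbeat_timeout:
        return "heartbeat"
    # Trigger 2: all links on the active member are down for Link Down Timeout.
    # A dead link detected on both members does not switch states.
    if active.links_down_for >= cfg.link_down_timeout:
        return None if passive.links_down_for >= cfg.link_down_timeout else "link_down"
    # Trigger 3 (optional): traffic on the active member stays below the Idle Line Threshold
    # for Idle Line Timeout. An idle line on both members does not switch states either.
    if cfg.use_idle_line_detection and _is_idle(cfg, active) and not _is_idle(cfg, passive):
        return "idle_line"
    return None
```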
- Cluster Name: The name for the cluster (up to 32 characters).
- Primary Device: Specifies which of the cluster members is the primary device.
- Associated Management Ports: Specifies the management (MNG) port or ports through which the primary and secondary devices communicate. Values: MNG1, MNG2, MNG1+2. Note: You cannot change the value if the currently specified management port is being used by the cluster. For example, if the cluster is configured with MNG1+2, and MNG1 is in use, you cannot change the value to MNG2.
To change the associated management ports of a DefensePro high-availability cluster from the system pane:
1. In the Configuration perspective system pane, select the cluster node and click Edit Cluster.
2. Configure the parameters; and then click OK.
Note: You cannot change the value if the currently specified management port is being used by the cluster. For example, if the cluster is configured with MNG1+2, and MNG1 is in use, you cannot change the value to MNG2.
Configuring BOOTP
BOOTP is a protocol that is used to obtain the client IP address from the BOOTP server.
- Server Address: The IP address of the BootP server. The device forwards BootP requests to the BootP server and acts as a BootP relay.
- Relay Threshold: The time, in seconds, that the device waits before relaying requests to the BootP server. This delay allows local BootP servers to answer first.
To add or modify static DNS entries, do one of the following: To add an entry, click the (Add) button.
DNS Client
- The IP address of the primary DNS server to which DefensePro sends queries.
- The IP address of the alternative DNS server to which DefensePro sends queries.
For example, if a DefensePro device working as customer premises equipment (CPE) is configured to detect low-volume attacks, then when a DoS attack starts, the signals alert the NOC or SOC that an attack has started. Using this information, the NOC or SOC can divert traffic through additional mitigation devices in the cloud and thus prevent pipe saturation.
Note: Typically, in the context of DefensePro signaling, NOCs are carriers, and SOCs are managed-security-service providers (MSSPs).

When signaling is enabled:
- DefensePro exposes situational data through its SOAP interface. The data includes device-health information, traffic statistics, and management information. Under normal circumstances (that is, when there is no attack), the SOAP queries and responses get through. However, during attacks, the pipe may be saturated, and the SOAP queries and responses get lost.
- When DefensePro detects an attack, DefensePro sends signals to a specified syslog server. The signals include the attack events and, optionally, additional attack data.
For information on the SOAP API and syslog signals, see the DefensePro Signaling API Integration Guide. You configure signaling policies to send signals to a syslog server configured in the DefensePro device. The configuration of each signaling policy specifies the Network Protection Rules, Servers Protection Rules, and protection types.
- Enabled: Specifies whether the signaling policy is enabled. Default: Enabled.
- Policy ID: A numerical identifier for the signaling policy. Values: 1–100.
- Policy Name: The name of the signaling policy. Maximum characters: 80.
- Syslog Server: The syslog server to which DefensePro sends the attack alert signals.
- Customer Name: The name of the customer, which is included in the alert messages. Maximum characters: 32.
- Customer Description: The description of the customer, which is included in the alert messages. This description can include, for example, details of the specific device or environment. Maximum characters: 100.
- Pipe Size: The total size, in Mbps, of the ISP link of the customer. DefensePro uses this value to calculate the pipe-utilization percentage, which is included in attack alerts.
- Signaling Mode: Values: Events and Data (attack signals contain the basic attack alerts and the additional metadata for the alert events); Events Only (attack signals contain the basic attack alerts only).
- All Network Rules: Specifies whether the signaling policy sends signals for all enabled Network Protection policies/rules or only for specific rule groups. Default: Enabled.
- Network-Policies Group ID (This parameter is available only when the All Network Rules checkbox is cleared.): The ID of the Network-Policies Group, which defines specific Network Protection policies/rules.
- All Servers: Specifies whether the signaling policy sends signals for all enabled Server Protection policies/rules or only for specific rule groups. Default: Enabled.
- Server-Protection Group ID (This parameter is available only when the All Servers checkbox is cleared.): The ID of the Server-Protection Group, which defines specific Server Protection policies/rules.
Advanced Parameters
This section describes the advanced parameters that are relevant for the basic configuration of a DefensePro device. This section contains the following topics:
- Configuring Advanced Settings, page 85
- Configuring Configuration Auditing, page 86
- Configuring Dynamic Protocols, page 86
- Configuring Tuning Parameters, page 88
- Configuring Security Reporting, page 97
- Configuring Out-of-Path Settings for DefensePro, page 100
- Configuring Session Table Settings, page 101
- Configuring Suspend Settings, page 104
- Configuring the Device Event Scheduler, page 105
- Configuring Tunneling Inspection, page 105
The Overload Mechanism (that is, the overload-protection mechanism) identifies and reports overload conditions, and acts to reduce operations with high resource consumption. The DefensePro device uses the overload-protection mechanism to handle the following:
- SME Overload: When the overload occurs in the string-matching engine (SME), the accelerator reduces the number of new sessions sent to the SME. The existing sessions continue to pass through the SME and are inspected. Features that require the SME, including some of the attack signatures, are not applied to some of the sessions.
- Master Overload: When the overload occurs in the Master CPU, only a percentage of the traffic is processed by the CPU. Behavioral DoS footprint analysis is done on sampled data, ensuring the continuation of the feature, but SYN Protection does not work.
- Accelerator Overload: When the overload occurs in the Accelerator CPU, only a percentage of the traffic is inspected, while the rest passes through using bypass modes. Inspected traffic is passed to the Master and SME if they are not overloaded.
- System Wide Overload: If all offload operations have failed to prevent overloaded conditions, then a full bypass is implemented. Every device application is bypassed, including Statistics, Security, and so on.
- Accept Weak SSL Ciphers: Specifies whether the device allows management connections over secure protocols with ciphers shorter than 128 bits. Default: Enabled.
- Enable Overload Mechanism: Specifies whether the device uses the overload mechanism, which identifies and reports overload conditions. Radware recommends that the overload-protection mechanism always be enabled.
- SRP Management Host IP Address: The IP address to which the device sends Statistics Reporting Protocol (SRP) data. SRP is a private Radware protocol for efficient transmission of statistical data from the device to the APSolute Vision server. Enter the APSolute Vision server IP address. This parameter must be configured to view real-time reports and attack details in APSolute Vision.
Note: To prevent overloading the managed device and prevent degraded performance, the feature is disabled by default.
FTP
- Enable FTP: Enables/disables the FTP Dynamic Protocol. Default: Enabled.
- Control Session Aging Time: The Control Session Aging Time, in seconds. Default: 0.
- Data Session Aging Time: The Data Session Aging Time, in seconds. Default: 0.

TFTP
- Enable TFTP: Enables/disables the TFTP Dynamic Protocol. Default: Enabled.
- Data Session Aging Time: The Data Session Aging Time, in seconds. Default: 0.

Rshell
- Enable Rshell: Enables/disables the Rshell Dynamic Protocol. Default: Enabled.
- Control Session Aging Time: The Control Session Aging Time, in seconds. Default: 0.
- Data Session Aging Time: The Data Session Aging Time, in seconds.

Rexec
- Enable Rexec: Enables/disables the Rexec Dynamic Protocol. Default: Enabled.
- Control Session Aging Time: The Control Session Aging Time, in seconds. Default: 0.
- Data Session Aging Time: The Data Session Aging Time, in seconds.

H.225
- Enable H.225: Enables/disables the H.225 Dynamic Protocol. Default: Enabled.
- Control Session Aging Time: The Control Session Aging Time, in seconds. Default: 0.
- H.245 Data Session Aging Time: The Data Session Aging Time, in seconds. Default: 0.
SIP
- Enable SIP: Enables/disables the SIP Dynamic Protocol. Session Initiation Protocol (SIP) is an IETF standard for initiating an interactive user session involving multimedia elements such as video, voice, chat, gaming, and so on. SIP can establish, modify, or terminate multimedia sessions or Internet telephony calls. When a policy for SIP is configured to block traffic from one direction, it is not possible to open a SIP connection from the other direction (SIP uses the same port number for both source and destination). Default: Disabled.
- Signaling Session Aging Time: The Signaling Session Aging Time, in seconds. When the clients communicate directly with each other, or work with non-standard SIP ports, increase the aging time of the Signaling Session Aging Time parameter. Default: 20.
- RTCP Session Aging Time: The RTCP Session Aging Time, in seconds. Default: 0.
- SIP TCP Segments Aging Time: The SIP TCP Segments Aging Time, in seconds. Default: 5.
Caution: Radware strongly recommends that you perform any device tuning only after consulting with Radware Technical Support.

This section contains the following:
- Configuring Device Tuning, page 89
- Configuring Security Tuning, page 90
- Configuring SYN Protection Tuning, page 93
- Configuring Authentication Table Tuning, page 94
- Configuring Classifier Tuning, page 95
- Configuring SDM Tuning, page 97
Note: Radware recommends performing a memory check before rebooting the device.
- IP Fragmentation Table: The maximum number of IP fragments that the device stores. Values: 1–256,000. Default: 10,240.
- Session Table: The maximum number of sessions that the device can track. Values: 20–4,000,000. Default: 2,700,000.
- The maximum number of sessions that the device tracks to send RESET when Send Reset To Server is enabled in the Session table. Values: 1–10,000. Default: 1000.
- Routing Table: The maximum number of entries in the Routing table. Values: 20–32,767. Default: 64.
- Pending Table: The maximum number of new simultaneous dynamic sessions the device can open. Values: 16–16,000. Default: 1024.
- The maximum number of SIP calls the device can track. Values: 16–256,000. Default: 1024.
- The maximum number of TCP Segments. This parameter is used when SIP Protocol is enabled and SIP is running over TCP. Values: 1–32,768. Default: 256.
Note: Layer 4 tables are larger than Layer 3 tables. TCP clients, using HTTP, may open several TCP sessions to one destination address. Each security table is responsible for clearing tables of old entries that are no longer required, and ensuring that traffic is properly classified and inspected.
- Max. Number of HTTP Mitigator Suspect Sources: The maximum number of suspect sources in HTTP Mitigation policies. Values: 1000–500,000. Default: 100,000.
- The maximum number of entries in the Server Protection policy. Values: 100–10,000. Default: 350.
- The maximum number of configurable Behavioral DoS policies. Values: 1–50. Default: 10.
- The maximum number of configurable DNS Flood Protection policies. Values: 1–50. Default: 10.
- Max. Number of Anti-Scanning IP Pairs: The maximum number of source IP addresses that the device stores for anti-scanning purposes. Values: 10,000–1,000,000. Default: 50,000.
- Max. Number of Entries in Counter Target Table: The maximum number of sessions in which a destination address is tracked. Some attack signatures use thresholds per destination for activation. The Counter Target Table counts the number of times traffic to a specific destination matches a signature. When the number of packets sent to a particular destination exceeds the predefined limit, it is identified as an attack. Values: 100–65,536. Default: 65,536.
- Max. Number of Entries in Counter Source Table: The maximum number of sessions in which a source address is tracked. Some attack signatures use thresholds per source for activation. The Counter Source Table counts the number of times traffic from a specific source matches a signature. When the number of packets sent from a particular source exceeds the predefined limit, it is identified as an attack. Values: 100–65,536. Default: 65,536.
- Max. Number of Entries in Counter Source and Target Table: The maximum number of sessions in which source and destination addresses are tracked. Some signatures use thresholds per source and destination for activation. The Counter Source & Target Table counts the number of times traffic from a specific source to a specific destination matches a signature. When the number of packets sent from a particular source to a particular destination exceeds the predefined limit, it is identified as an attack. Values: 100–65,536. Default: 65,536.
- Max. Number of Concurrent Active DoS Shield Protections: The maximum number of filters tracked. DoS Shield filters use thresholds for activation. The table (the New Count Per Filter (NCPF) table) counts the number of times traffic matches a DoS Shield signature per policy. When the number of packets exceeds the predefined limit, it is identified as an attack. Values: 100–16,000. Default: 10,000.
- Max. Number of Entries in Counters Report Tracking Signatures: The maximum number of entries for reports on active concurrent attacks. Values: 100–64,000. Default: 20,000.
- Max. Number of Entries in Counters Server Cracking Protection: The maximum number of entries for concurrent active Server Cracking protections. When the Server Cracking protection feature is enabled, DefensePro uses one entry in this table whenever DefensePro receives a response from the server that can indicate a potential Server Cracking attack. The entry includes the IP address of the potential attacker, the protected server, and the protocol. The entry remains in use as long as DefensePro receives such server responses. Values: 100–65,536. Default: 100.
- Max. Number of Entries in DHCP Table: The number of MAC addresses to check for IP requests. The DHCP Discover table detects attacks by counting the IP requests for each MAC address. The requests are made using Dynamic Host Configuration Protocol. When the number of IP requests for a particular MAC address exceeds the predefined limit, it is identified as an attack. Values: 100–64,000. Default: 100.
- Max. Number of Signatures Configured by User: The maximum number of user-configurable IPS signatures and RSA signatures. DefensePro can store up to 500 concurrent RSA signatures. Values: 10–10,000. Default with fraud protection not enabled: 100. Default with fraud protection enabled: 3,000. Note: RSA signatures on the device accumulate until the device ages them. The device ages RSA signatures according to the specified aging times: Phishing Signatures Aging, Drop Points Aging, and Malicious Download Aging. If the Max. Number of Signatures Configured by User is greater than 500, and the number of RSA signatures reaches 500, you cannot add any new RSA signature. If you must add new RSA signatures immediately, you can reduce the aging time, add the RSA signature, and then increase the aging time as appropriate.
- Max. Number of Source IPs in Suspend Table: The maximum number of hosts that the Suspend table is able to block simultaneously. This value affects the abilities of other defenses, such as Anti-Scanning, Server Cracking, and SYN Protection. Values: 1000–100,000. Default: 10,000.
- Max. Number of Concurrent Connection PPS Attacks (1): The maximum number of concurrent Connection Packet Rate Limit attacks that the device can handle. Values: 5–1000. Default: 50.
- Max. Number of IPs in the Quarantine Table (1): The maximum number of IP addresses in the Quarantine table. Values: 1,000–10,000. Default: 1000.

(1) This parameter is not relevant for DefensePro 7.20.
- SYN Protection Table: The number of entries in the table that stores data regarding the delayed binding process. An entry exists in the table from the time a client starts the three-way handshake until the handshake is complete. Values: 10–500,000. Default: 200,000.
- Request Table: The number of entries in the table that stores the ACK, or data packet, that the client sends, until the handshake with the server is complete and the packet is sent to the server. The Request table and the SYN Protection table are approximately the same size, whereas the Triggers table is much smaller. Values: 10–500,000. Default: 200,000.
- SYN Protection Signature Detection Entries: The number of entries in the table that stores active triggers, that is, the destination IP addresses and ports for which the device identifies an ongoing attack. Values: 1000–20,000. Default: 1000.
  Note: There are several reasons that might cause the table to become full:
  - Too many services in the protected networks: This might happen in extremely large networks.
  - Too many protected services: If there are too many services running in the protected network, or if all TCP ports are protected by SYN Protection, this may cause problems in networks that use multiple TCP ports for providing a service, such as gaming applications, which use numerous high TCP ports.
  - Vertical TCP-SYN flood: The attackers are using an attack technique that repeatedly performs high-rate scans on the entire protected range.
  To keep the table from filling, consider the following:
  - Limit the size of the network protected by SYN Protection: Because the SYN Protection Signature Detection Entries table is forced to include records for every destination, it should be applied only on servers and not on network classes that include PCs.
  - Remove some of the protected protocols: If you are unnecessarily protecting all TCP ports by SYN Protection, remove SYN Protection and apply the policy only on relevant services.
  - Increase the table size: Note that increasing the table size consumes memory allocation and therefore requires a system reboot.
- The number of entries in the SYN Flood Statistics table. Values: 1000–20,000. Default: 1000.
- HTTP Authentication Table Size
Note: Radware recommends performing a memory check before rebooting the device.
- Max. Number of Networks: The maximum number of entries in the table for ranges. Values: 32–10,000. Default: 256.
- The maximum number of entries in the table for IP addresses that are allocated to a network. Values: 16–1024. Default: 64.
- The maximum number of entries in the table for network subnets. Values: 16–256. Default: 64.
- The maximum number of entries in the table for MAC groups. Values: 16–2048. Default: 128.
- The maximum number of entries in the table for basic filters. Values: 512–2048. Default: 512.
- The maximum number of entries in the advanced filters table for AND groups. Values: 256–2048. Default: 256.
- The maximum number of entries in the advanced filters table for OR groups. Values: 256–2048. Default: 256.
- The maximum number of entries in the table for application port groups. Values: 32–2000. Default: 512.
- Max. Number of Content Entries: The maximum number of content entries in the table. Values: 16–4096. Default: 256.
- SDM Table Size: The size of the SDM table. Values: Small, Medium, Large. Default: Medium.
Caution: DefensePro does not provide sampled captured packets from suspicious sources that DefensePro challenged. (DefensePro supports an option to challenge sources in HTTP Flood Protection, SYN Flood Protection, DNS Flood Protection, and SSL Protection.) You can also configure DefensePro devices to send captured attack packets along with the attack event for further offline analysis. Packet reporting and SRP use the same default port, 2088.
- Report Interval
- The maximum number of attack events that can appear in each report (sent within the reporting interval). Values: 1–2000. Default: 1000.
- Aggregation Threshold: The number of events for a specific attack during a reporting interval before the events are aggregated to a report. When the number of the generated events exceeds the Aggregation Threshold value, the IP address value for the event is displayed as 0.0.0.0, which specifies any IP address. Values: 1–65,535. Default: 5.
- The port used for packet reporting and SRP. Values: 1–65,535. Default: 2088.
- Enable Sending Traps: When selected, the device uses the traps reporting channel. Default: Enabled.
- Minimal Risk Level for Sending Traps: The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported. Default: Low.
- Enable Sending Syslog: When selected, the device uses the syslog reporting channel. Default: Enabled.
- Minimal Risk Level for Sending Syslog: The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported. Default: Low.
- Enable Sending Terminal Echo: When selected, the device uses the Terminal Echo reporting channel. Default: Disabled.
- Minimal Risk Level for Sending Terminal Echo: The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported. Default: Low.
- Enable Security Logging: When selected, the device uses the security logging reporting channel.
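How the maximum events per report, the Aggregation Threshold and a channel's Minimal Risk Level shape what one reporting interval delivers, as an added example that is not Radware code: events for one attack that exceed the threshold collapse into a single entry whose source is shown as 0.0.0.0. The event fields, the risk-level ordering (the guide names only Low) and the sample events are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_EVENTS_PER_REPORT = 1000   # Values: 1-2000, Default: 1000
AGGREGATION_THRESHOLD = 5      # Values: 1-65,535, Default: 5
ANY_IP = "0.0.0.0"             # shown as the source once an attack's events exceed the threshold

# Assumed ordering of risk levels; the guide names only "Low", the default minimal level.
RISK_RANK = {"Info": 0, "Low": 1, "Medium": 2, "High": 3}


@dataclass(frozen=True)
class AttackEvent:
    """One attack event raised during the reporting interval (constructed fields)."""
    attack: str          # name of the protection or signature that fired
    source_ip: str
    destination_ip: str
    risk: str


def build_report(events: List[AttackEvent], minimal_risk: str = "Low",
                 max_events: int = MAX_EVENTS_PER_REPORT,
                 aggregation_threshold: int = AGGREGATION_THRESHOLD) -> List[dict]:
    """Turn one interval's raw events into the entries a reporting channel would carry."""
    # 1. Minimal Risk Level: only attacks with that risk or higher are reported.
    reportable = [e for e in events if RISK_RANK[e.risk] >= RISK_RANK[minimal_risk]]

    # 2. Group the events per attack and destination, keeping first-seen order.
    groups: Dict[Tuple[str, str], List[AttackEvent]] = {}
    for e in reportable:
        groups.setdefault((e.attack, e.destination_ip), []).append(e)

    # 3. Aggregation Threshold: more events than the threshold collapse into one entry
    #    whose source address is 0.0.0.0 (any IP address).
    entries: List[dict] = []
    for (attack, dst), group in groups.items():
        if len(group) > aggregation_threshold:
            entries.append({"attack": attack, "source_ip": ANY_IP, "destination_ip": dst,
                            "count": len(group), "aggregated": True})
        else:
            entries.extend({"attack": attack, "source_ip": e.source_ip, "destination_ip": dst,
                            "count": 1, "aggregated": False} for e in group)

    # 4. The maximum number of events per report caps what a single report carries.
    return entries[:max_events]


# Constructed sample interval: a SYN flood from seven sources against one server,
# two Anti-Scanning events, and one informational event below the default risk level.
SAMPLE_EVENTS = (
    [AttackEvent("SYN Flood", f"198.51.100.{i}", "10.0.0.5", "High") for i in range(1, 8)]
    + [AttackEvent("Anti-Scanning", "203.0.113.9", "10.0.0.7", "Medium"),
       AttackEvent("Anti-Scanning", "203.0.113.10", "10.0.0.7", "Medium"),
       AttackEvent("Signature Match", "203.0.113.11", "10.0.0.8", "Info")]
)
```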
- Maximum Packets per Report: The maximum number of packets that the device can send within the Report Interval. Values: 1–65,535. Default: 100.
- Destination IP Address: The destination IP address for the packet reports. Default: 0.0.0.0. Note: Only one destination IP address can be configured for packet reporting, even when more than one APSolute Vision server manages the device.
- Enable Packet Trace on Physical Port: Specifies whether the Packet Trace feature is disabled or, if it is enabled, the physical port to which the DefensePro device sends identified attack traffic (when the Packet Trace feature is enabled in the policy rule or profile). Values: none (the Packet Trace feature is disabled); one of the physical inspection ports (that is, excluding the management ports). Default: none. Caution: A change to this parameter takes effect only after you update policies.
- Maximum Rate: The maximum number of packets per second that the Packet Trace feature sends. Values: 1–200,000. Default: 50,000. Caution: A change to this parameter takes effect only after you update policies.
- Maximum Length of Dropped Packets: The maximum length, in bytes, of dropped packets that the Packet Trace feature sends. DefensePro can limit the size of the packets that Packet Trace sends only for dropped packets. That is, when a rule is configured with Report Only (as opposed to Block), the Packet Trace feature sends the whole packets. Values: 64–1550. Default: 1550. Tip: If you are interested only in the packet headers of the dropped packets, set this parameter to the minimal value, 64, to conserve resources. Caution: A change to this parameter takes effect only after you update policies.
netForensics Reporting
- Enable netForensics Reporting: When selected, enables reporting using the netForensics reporting agent. Default: Disabled.
- Agent IP Address: The IP address of the netForensics agent.
- L4 Port: The port used for netForensics reporting. Values: 1–65,535. Default: 555.
Note: The feature works on Cisco routers that have the capability to mirror an interface and accept ACL commands to reroute traffic. This feature was tested on Cisco 6509 IOS 12.2.
- Enable Out of Path Mode: You must enable this option and reboot the device before you can configure out-of-path settings. When Out of Path is enabled, the only available protection is BDoS.
- Router IP Address: The IP address of the organization router that manages all the incoming traffic.
- Routers Enable Password: The administrator's password for the router.
- Verify Password: Verification of the password for the router.
- SSH User Name: The name of the SSH user.
- SSH Password: The password of the SSH user.
- Verify SSH Password: Verification of the password for the SSH user.
- Router Interface for Receiving Traffic: The router interface that is monitored and from which traffic is redirected.
- Enable Session Table
- Idle ICMP-Session Aging Time: The time, in seconds, that the Session table keeps idle ICMP sessions. Values: 1–7200. Default: 100.
- The time, in seconds, that the Session table keeps idle GRE sessions. Values: 1–7200. Default: 100.
- The time, in seconds, that the Session table keeps idle sessions of protocols other than TCP, UDP, SCTP, ICMP, or GRE. Values: 1–7200. Default: 100.
- TCP Handshake Timeout: How long, in seconds, the device waits for the three-way handshake to be completed for a new TCP session. When the timeout elapses, the device deletes the session and, if the Send Reset To Server checkbox is selected, sends a reset packet to the server. Values: 0 (the device uses the specified Session Aging Time); 1–10 (the TCP Handshake Timeout, in seconds). Default: 10.

Advanced Parameters
- Remove Session Entry at Session End: Specifies whether the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session within the Remove Session Entry at Session End Timeout period. Default: Enabled.
- Remove Session Entry at Session End Timeout (This option is available only if Remove Session Entry at Session End is enabled.): When Remove Session Entry at Session End is enabled, the time, in seconds, after which the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session. Values: 0–60. Default: 5.
- Send Reset to Destination of Aged TCP Connection: Specifies whether the DefensePro device sends a RST packet to the destination of aged TCP sessions. Values: Enabled (DefensePro sends a RST packet to the destination and cleans the entry in the DefensePro Session table); Disabled (DefensePro ages the session normally, using the short SYN timeout, but the destination might hold the session for quite some time). Default: Disabled.
Parameter: Session-Table-Full Action
Description: The action that the device takes when the Session Table is at full capacity. Values: Allow new traffic (the device bypasses new sessions until the Session table has room for new entries; these sessions are forwarded without an entry in the table, so this setting fails open), Block new traffic (the device blocks new sessions until the Session table has room for new entries). Default: Allow new traffic.

Parameter: Alert-Start Threshold
Description: The percentage of full capacity of the Session Table at which the device starts issuing alerts. Default: 95.

Parameter: Alert-Stop Threshold
Description: The percentage of full capacity of the Session Table at which the device stops issuing alerts. Default: 90.

Parameter: Lookup Mode
Description: The layer of address information that is used to categorize packets in the Session table. Values: Full L4 (an entry exists in the Session table for each source IP, source port, destination IP, and destination port combination of packets passing through the device), L4 Destination Port (traffic is recorded based only on the TCP/UDP destination port; this mode uses minimal Session table resources, only one entry for each port that is secured). Default: Full L4.
Caution: Radware recommends that you always use the Full L4 option. When the Session Table Lookup Mode is L4 Destination Port, the following protections do not work: ACL, Anti Scanning, Connection Packet Rate Limit, Connection Rate Limit, HTTP Mitigator, HTTP Replies Signatures, Out-of-State protection, Server Cracking, SYN Protection.

Parameter: Disable Session Aging
Description: When enabled, the device enables aging of sessions in the Session table. (This option is available only for L4 Destination Port Lookup Mode.) Default: Disabled.
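The following Python model is an added example written for this edit; it is not Radware code and does not describe the device's internal implementation. It shows how the Session table settings above interact: per-protocol idle aging, the TCP handshake timeout with Send Reset To Server, the Session-Table-Full Action (Allow fails open, Block fails closed), and the Alert-Start/Alert-Stop hysteresis. The class and method names, the 100-second TCP aging value, and the simulated clock are assumptions of the example.

```python
from dataclasses import dataclass

# Idle aging defaults from the tables above, in seconds.
IDLE_AGING = {"icmp": 100, "gre": 100, "other": 100}
TCP_AGING = 100              # assumption: the generic Session Aging Time used for TCP
TCP_HANDSHAKE_TIMEOUT = 10   # default TCP handshake timeout from the table above


@dataclass
class Session:
    proto: str
    last_seen: float
    established: bool  # TCP only: True once the three-way handshake completed


class SessionTable:
    """Hypothetical model of a Session table with the parameters above (example code)."""

    def __init__(self, capacity, full_action="allow", alert_start=95, alert_stop=90,
                 handshake_timeout=TCP_HANDSHAKE_TIMEOUT, send_reset_to_server=False):
        self.capacity = capacity
        self.full_action = full_action      # "allow" (fail open) or "block" new sessions when full
        self.alert_start = alert_start
        self.alert_stop = alert_stop
        self.handshake_timeout = handshake_timeout  # 0 means: use TCP_AGING instead
        self.send_reset_to_server = send_reset_to_server
        self.sessions = {}
        self.alerting = False

    def fill_percent(self):
        return 100.0 * len(self.sessions) / self.capacity

    def _update_alert(self):
        # Hysteresis: alerts start at Alert-Start and stop only once back at Alert-Stop.
        pct = self.fill_percent()
        if not self.alerting and pct >= self.alert_start:
            self.alerting = True
        elif self.alerting and pct <= self.alert_stop:
            self.alerting = False

    def new_packet(self, key, proto, now):
        """Handle a packet of flow `key`. Returns 'tracked', 'bypassed' (forwarded
        without a table entry, the Allow new traffic case) or 'blocked'."""
        if key in self.sessions:
            self.sessions[key].last_seen = now
            return "tracked"
        if len(self.sessions) >= self.capacity:
            return "blocked" if self.full_action == "block" else "bypassed"
        self.sessions[key] = Session(proto, now, established=(proto != "tcp"))
        self._update_alert()
        return "tracked"

    def handshake_done(self, key, now):
        """Mark a TCP session as established (third packet of the handshake seen)."""
        s = self.sessions[key]
        s.established = True
        s.last_seen = now

    def _timeout(self, s):
        if s.proto == "tcp":
            if not s.established and self.handshake_timeout > 0:
                return self.handshake_timeout
            return TCP_AGING
        return IDLE_AGING.get(s.proto, IDLE_AGING["other"])

    def age(self, now):
        """Expire idle sessions. Returns [(key, reason, reset_sent_to_server)]."""
        expired = []
        for key, s in list(self.sessions.items()):
            if now - s.last_seen > self._timeout(s):
                half_open = s.proto == "tcp" and not s.established
                reason = "handshake-timeout" if half_open else "idle"
                expired.append((key, reason, half_open and self.send_reset_to_server))
                del self.sessions[key]
        self._update_alert()
        return expired
```

With the defaults, a table of 20 entries starts alerting at the 19th entry (95%) and stops only after falling back to 18 (90%), so a table hovering around the threshold does not flap alerts; with Allow new traffic, the 21st flow is forwarded untracked rather than dropped.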
Parameter: Minimal Aging Timeout
Description: The time, in seconds, for which DefensePro suspends first-time offending source IP addresses. Default: 10.

Parameter: Maximal Aging Timeout
Description: The maximal time, in seconds, for which DefensePro suspends a specific source. Each time DefensePro suspends the same source, the suspension length doubles until it reaches the Maximal Aging Timeout. Default: 600.

Parameter: Maximum Entries with Same Source IP
Description: The number of times DefensePro suspends the same source IP address before it suspends all traffic from that source IP address, regardless of the specified Suspend Action. For example, if the value is 4 and the Suspend Action is SrcIP-DstIP-SrcPort-DstPort, DefensePro suspends all traffic from a source IP address that has had an entry in the Suspend list more than four times, even if the destination IP address, source port, and destination port differed between the previous entries in the Suspend table. This parameter is irrelevant when the Suspend Action is SrcIP. Values: 0 (the feature is not used), 1 to 10. Default: 0.
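An added example, not Radware code, modelling the Suspend table timers described above: the suspension length starts at Minimal Aging Timeout, doubles on each repeat offence up to Maximal Aging Timeout, and once a source has more than Maximum Entries with Same Source IP entries, every packet from that source is suspended regardless of the Suspend Action. The class name, the simulated clock and the sample addresses are assumptions of the example.

```python
MINIMAL_AGING_TIMEOUT = 10   # seconds, default from the table above
MAXIMAL_AGING_TIMEOUT = 600  # seconds, default from the table above


class SuspendList:
    """Hypothetical model of the Suspend table (example code, not Radware's)."""

    def __init__(self, suspend_action="SrcIP-DstIP-SrcPort-DstPort", max_same_src=0,
                 minimal=MINIMAL_AGING_TIMEOUT, maximal=MAXIMAL_AGING_TIMEOUT):
        self.action = suspend_action
        self.max_same_src = max_same_src   # 0 disables the escalation
        self.minimal, self.maximal = minimal, maximal
        self.offences = {}   # source IP -> how many times it has been suspended
        self.entries = {}    # suspend key -> expiry time

    def _key(self, src, dst, sport, dport):
        if self.action == "SrcIP":
            return (src,)
        if self.action == "SrcIP-DstIP":
            return (src, dst)
        return (src, dst, sport, dport)

    def suspend(self, src, dst, sport, dport, now):
        """Record an offence. Returns (key, duration) of the entry written."""
        n = self.offences[src] = self.offences.get(src, 0) + 1
        # Doubling back-off capped at the Maximal Aging Timeout: 10, 20, 40, ... 600.
        duration = min(self.minimal * 2 ** (n - 1), self.maximal)
        key = self._key(src, dst, sport, dport)
        # Escalation: after more than max_same_src entries, everything from src is suspended.
        if self.max_same_src and self.action != "SrcIP" and n > self.max_same_src:
            key = (src,)
        self.entries[key] = now + duration
        return key, duration

    def is_suspended(self, src, dst, sport, dport, now):
        """True if any entry covering this 4-tuple is still within its aging time."""
        self.entries = {k: exp for k, exp in self.entries.items() if exp > now}
        candidates = ((src,), (src, dst), (src, dst, sport, dport))
        return any(k in self.entries for k in candidates)
```

The model makes the escalation visible: with Maximum Entries with Same Source IP set to 4, the fifth offence from one source is written as a source-only entry, so connections to destinations that were never involved are suspended from then on.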
Parameter: Task Name
Description: The name of the schedule.

Parameter: Frequency
Description: How often the event occurs. Values: daily, once, weekly. Default: once.

Parameter: Time
Description: The time on the designated day, in the format hhmm. When multiple days are selected, the value is the same for all the configured days.

If the event frequency is once, configure the date on which the event occurs in DD/MM/YYYY format. If the event frequency is weekly, select the day or days on which the event occurs.
DefensePro User Guide Basic Device Configuration You can install DefensePro in different environments, which might include encapsulated traffic using different tunneling protocols. In general, wireline operators deploy MPLS and L2TP for their tunneling, and mobile operators deploy GRE and GTP. DefensePro can inspect traffic that may use various encapsulation protocols. In some cases, the external header (tunnel data) is the data that DefensePro needs to inspect. In other cases, DefensePro needs to inspect the internal data (IP header and even the payload). You can configure DefensePro to meet your specific inspection requirements.
Caution: Changing the configuration of this feature takes effect only after a device reset.
Configuring SNMP
Simple Network Management Protocol (SNMP) is an application-layer protocol that facilitates the exchange of management information between APSolute Vision and network devices. Radware devices work with all versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3. The default Radware user is configured for SNMPv1. Note that SNMPv1 and SNMPv2c identify the requester only by a community string sent in cleartext; SNMPv3 with authentication and privacy is the only option that authenticates and encrypts management traffic.
Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at the APSolute Vision are discarded.
Note: When you add a Radware device to APSolute Vision using SNMPv3, the user name and authentication details must match one of the users configured on the device.

The following topics describe the procedures to configure SNMP on a selected device:
Configuring SNMP Users, page 107
Configuring SNMP Community Settings, page 108
Configuring the SNMP Group Table, page 109
Configuring SNMP Access Settings, page 109
Configuring SNMP Notify Settings, page 110
Configuring SNMP View Settings, page 111
Configuring the SNMP Target Parameters Table, page 112
Configuring SNMP Target Addresses, page 113
Note: In the SNMP configuration, a user name is also known as a security name.
To configure SNMP users for a device connected using SNMPv3 with authentication and privacy
1. In the Configuration perspective Device Security tab navigation pane, select SNMP > SNMP User Table.
2. Do one of the following:
   To add a user, click the (Add) button.
Parameter: User Name
Description: The user name, also known as a security name. The name can be up to 18 characters.

Parameter: Authentication Protocol
Description: The protocol used during the authentication process. Values: None, MD5, SHA. Default: None.

Parameter: Authentication Password
Description: If an authentication protocol is specified, enter an authentication password.

Parameter: Privacy Protocol
Description: The algorithm used for encryption. Values: None (the data is not encrypted), DES (the device uses the Data Encryption Standard).

Parameter: Privacy Password
Description: The password used with the privacy protocol.

Select both an authentication protocol and a privacy protocol for every SNMPv3 user that manages the device; with None, requests are accepted unauthenticated or carried in cleartext.
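To see what the device derives from the Authentication Password and Privacy Password above, the following added example (not Radware code) implements the RFC 3414 password-to-key and key-localization steps for the MD5 and SHA authentication protocols listed in the table, using the test vectors from RFC 3414 appendix A. The function names and the DES key/pre-IV split are the example's own. Because the key is bound to the snmpEngineID, the same password yields a different key on every device, which is why a key recovered from one engine cannot be replayed against another.

```python
import hashlib

ONE_MEGABYTE = 1_048_576  # RFC 3414 A.2: the password is expanded to this many bytes

# The two authentication protocols offered in the SNMP User Table above.
HASHES = {"MD5": hashlib.md5, "SHA": hashlib.sha1}


def password_to_ku(password: bytes, auth_protocol: str) -> bytes:
    """Step 1 of RFC 3414 A.2: hash the password repeated to exactly 1,048,576 bytes."""
    h = HASHES[auth_protocol]()
    reps = password * (ONE_MEGABYTE // len(password) + 1)
    h.update(reps[:ONE_MEGABYTE])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, auth_protocol: str) -> bytes:
    """Step 2: Kul = H(Ku || snmpEngineID || Ku), binding the key to one engine."""
    return HASHES[auth_protocol](ku + engine_id + ku).digest()


def usm_keys(auth_password: bytes, priv_password: bytes, engine_id: bytes,
             auth_protocol: str = "SHA") -> dict:
    """Derive the localized authentication and privacy keys of one user on one engine.
    The privacy password is localized with the authentication hash; for DES the first
    8 bytes of the result are the DES key and the next 8 the pre-IV (RFC 3414 8.1.1.1)."""
    auth_kul = localize_key(password_to_ku(auth_password, auth_protocol), engine_id, auth_protocol)
    priv_kul = localize_key(password_to_ku(priv_password, auth_protocol), engine_id, auth_protocol)
    return {"auth_key": auth_kul, "des_key": priv_kul[:8], "des_pre_iv": priv_kul[8:16]}
```

MD5 and DES are the legacy choices in this table; SHA is the stronger of the two authentication options offered, and the SNMP agent should additionally be reachable only from the management addresses you allow through the Transport Tag and port access settings.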
Note: You cannot change the community string associated with the user name that you are currently using.
Parameter: Index
Description: A descriptive name for this entry. This name cannot be modified after creation. Default: public.

Parameter: Community String
Description: The community string. Default: public.

Parameter: Security Name
Description: The security name identifies the SNMP community used when the notification is generated. Default: public.

Parameter: Transport Tag
Description: Specifies a set of target addresses from which the SNMP agent accepts SNMP requests and to which traps can be sent. The target addresses identified by this tag are defined in the SNMP Target Addresses table. At least one entry in the SNMP Target Addresses table must include the specified transport tag. If no tag is specified, addresses are not checked when an SNMP request is received or when a trap is sent.

Note: The default community string public is widely known. Use a unique string, and set a Transport Tag so that only the listed target addresses can use it; without a tag, any address that knows the string is accepted.
Parameter: Group Name
Description: The name of the SNMP group.

Parameter: Security Model
Description: The SNMP version that represents the required security model. Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. By selecting the SNMP version for this parameter, you determine the permissions set to be used. Values: SNMPv1, SNMPv2c, User Based (SNMPv3). Default: SNMPv1.

Parameter: Security Name
Description: If the User Based security model is used, the security name identifies the user that is used when the notification is generated. For other security models, the security name identifies the SNMP community used when the notification is generated.
Parameter: Group Name
Description: The name of the group.

Parameter: Security Model
Description: Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. Select the SNMP version that represents the required security model to determine the permissions set to be used. Values: SNMPv1, SNMPv2c, User Based (that is, SNMPv3). Default: SNMPv1.

Parameter: Security Level
Description: The security level required for access. Values: No Authentication (no authentication or privacy is required), Authentication & No Privacy (authentication is required, but privacy is not), Authentication & Privacy (both authentication and privacy are required). Default: No Authentication.

Parameter: Read View Name
Description: The name of the View that specifies which objects in the MIB tree are readable by this group.

Parameter: Write View Name
Description: The name of the View that specifies which objects in the MIB tree are writable by this group.

Parameter: Notify View Name
Description: The name of the View that specifies which objects in the MIB tree can be accessed in notifications (traps) by this group.

Grant a Write View only to groups using the User Based security model at Authentication & Privacy; a writable view reachable with a community string lets anyone who learns the string change the device configuration.
Parameter: Name
Description: A descriptive name for this entry, for example, the type of notification.

Parameter: Tag
Description: A string that defines the target addresses to which this notification is sent. All target addresses that have this tag in their tag list are sent this notification.
Parameter: View Name
Description: The name of this entry.

Parameter: Sub-Tree
Description: The Object ID of a subtree of the MIB.

Parameter: Type
Description: Specifies whether the object defined in the entry is included in or excluded from the MIB view. Values: Included, Excluded. Default: Included.
Parameter: Name
Description: The name of the target parameters entry. Maximum characters: 32.

Parameter: Message Processing Model
Description: The SNMP version to use when generating SNMP notifications. Values: SNMPv1, SNMPv2c, SNMPv3. Default: SNMPv1. Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at APSolute Vision are discarded.

Parameter: Security Model
Description: The SNMP version that represents the required security model. Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. By selecting the SNMP version for this parameter, you determine the permissions set to be used. Values: SNMPv1, SNMPv2c, User Based (that is, SNMPv3). Default: SNMPv1.
Parameter: Security Name
Description: If the User Based security model is used, the security name identifies the user that is used when the notification is generated. For other security models, the security name identifies the SNMP community used when the notification is generated.

Parameter: Security Level
Description: Specifies whether the trap is authenticated and encrypted before it is sent. Values: No Authentication (no authentication or privacy is required), Authentication and No Privacy (authentication is required, but privacy is not), Authentication and Privacy (both authentication and privacy are required). Default: No Authentication.
Parameter: Name
Description: The name of the target address entry.

Parameter: IP Address and L4 Port [IP-port number]
Description: The IP address of the management station (APSolute Vision server) and the port to be used as the target of SNMP traps. The format of the value is <IP address>-<port>, where <port> must be 162. For example, if the value is 1.2.3.4-162, 1.2.3.4 is the IP address of the APSolute Vision server and 162 is the port number for SNMP traps. Note: APSolute Vision listens for traps only on port 162 (SNMP traps are carried over UDP).

Parameter: Mask
Description: A subnet mask of the management station.
Parameter: Tag List
Description: Specifies sets of target addresses. Tags are separated by spaces. The tags in the list may be either tags from the Notify table or Transport tags from the Community table. Each tag can appear in more than one tag list. When a significant event occurs on the network device, the tag list identifies the targets to which a notification is sent. Default: v3Traps.

Parameter: Target Parameters
Description: The set of target parameters to be used when sending SNMP traps. Target parameters are defined in the Target Parameters table.
Parameter: User Name
Description: The name of the user.

Parameter: Password
Description: The password of the user. Then, repeat it to verify.

Parameter: Email Address
Description: The e-mail address of the user to which notifications will be sent.

Parameter: Minimal Severity for Sending Traps
Description: The minimum severity level of traps sent to this user. Values: None (the user receives no traps), Info (the user receives traps with severity Info or higher), Warning (the user receives Warning, Error, and Fatal traps), Error (the user receives Error and Fatal traps), Fatal (the user receives Fatal traps only). Default: None.
Parameter: Enable Configuration Tracing
Description: When selected, the specified user receives notifications of configuration changes made on the device. Every time the value of a configurable variable changes, information about all the variables in the same MIB entry is reported to the specified users. The device gathers reports and sends them in a single notification message when the buffer is full or when the timeout of 60 seconds expires. The notification message contains the following details: the name of the MIB variable that was changed; the new value of the variable; the time of the configuration change; the configuration tool that was used (APSolute Vision, Telnet, SSH, WBM); and the user name, when applicable.

Parameter: Access Level
Description: The user's level of access to the WBM and CLI. Default: Read-Write. Because the default grants write access, set Read-Only explicitly for accounts that only need to monitor the device.
Parameter: Authentication Mode
Description: The method of authenticating a user's access to the device. Values: Local User Table (the device uses the User Table to authenticate access), Radius (the device uses the RADIUS servers to authenticate access), Radius and Local User Table (the device uses the RADIUS servers to authenticate access; if the request to the RADIUS server times out, the device uses the User Table to authenticate access).
Note that with Radius and Local User Table, the accounts in the local User Table become usable whenever the RADIUS servers do not answer, so they must be kept to the same password standard as the RADIUS accounts.
Parameter: Port
Description: (Read-only) The name of the physical port.

Parameter: SNMP Access
Description: When selected, allows access to the port using SNMP.

Parameter: Telnet Access
Description: When selected, allows access to the port using Telnet. Note: In AppDirector 2.31.03 and later, you can open up to five (5) simultaneous Telnet sessions.

Parameter: SSH Access
Description: When selected, allows access to the port using SSH.

Parameter: WBM Access
Description: When selected, allows access to the port using WBM.

Parameter: SSL Access
Description: When selected, allows access to the port using SSL.

Telnet and WBM over plain HTTP carry credentials in cleartext. On ports reachable from untrusted networks, enable only SSH and SSL access and leave Telnet Access and WBM Access cleared.
To configure IP interfaces
1. In the Configuration perspective Networking tab navigation pane, select IP Management.
2. Do one of the following:
   To add an IP interface, click the (Add) button.
Parameter: IP Address
Description: IP address of the interface.

Parameter: Mask
Description: The associated subnet mask.

Parameter: Port
Description: The interface identifier, for example, G-1.

Parameter: Forward Broadcast
Description: Specifies whether the device forwards incoming broadcasts to this interface. Default: Enabled.

Parameter: Broadcast Address
Description: Specifies whether to fill the host ID in the broadcast address with ones or zeros. Values: Fill 1 (fill the host ID in the broadcast address with ones), Fill 0 (fill the host ID in the broadcast address with zeros). Default: Fill 1.
Parameter: VLAN Tag
Description: The VLAN tag to be associated with this IP interface. When multiple VLANs are associated with the same switch port, the switch must identify to which VLAN to direct incoming traffic from that specific port. VLAN tagging provides an indication in the Layer 2 header that enables the switch to make the correct decision.

Parameter: Peer Address
Description: The IP address of the interface on the peer device, which is required in a redundant configuration, that is, a cluster for high availability. Default: 0.0.0.0.
Managing IP Routing
DefensePro devices forward IP packets to their destination using an IP routing table. This table stores information about the destinations and how they can be reached. By default, all networks directly attached to the device are registered in the IP routing table. Other entries can either be statically configured or dynamically created through the routing protocol.
Configuring IP Routing
IP routing is performed between DefensePro IP interfaces, while bridging is performed within an IP interface that contains an IP address associated with a VLAN.
To configure IP routing
1. In the Configuration perspective Networking tab navigation pane, select IP Management > IP Routing.
2. Do one of the following:
   To add a static route, click the (Add) button.
3. Configure the static route settings and click OK.
4. Configure global advanced parameters, if required.

Notes: When editing a static route, you can modify only the Via Interface and Metric fields. The Type field is displayed only in the Static Routes Table, not in the dialog box; it cannot be configured.
Parameter: Enable Proxy ARP
Description: When enabled, the device answers ARP queries for network addresses that are not configured on the receiving interface. Proxying ARP requests on behalf of another host effectively directs all LAN traffic destined for that host to the proxying host. The captured traffic is then routed to the destination host via another interface. Default: Enabled.

Parameter: Enable Sending Trap on ICMP Error
Description: The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite and is used by the operating systems of networked computers to send error messages indicating, for example, that a requested service is not available or that a host or router could not be reached. Default: Enabled. Note: When this option is enabled, a trap is sent when there is an ICMP error message.
Configuring ICMP
Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite and is used by the operating systems of networked computers to send error messages indicating, for instance, that a requested service is not available or that a host or router could not be reached.
Parameter: IP Address
Description: IP address of the interface.

Parameter: Destination Address
Description: IP destination address for multicast Router Advertisements sent from the interface. Values: 224.0.0.1 (the All Hosts multicast group, which contains all systems on the same network segment), 255.255.255.255 (the limited-broadcast address).

Parameter: Advertise Interval, Minimum
Description: The minimum time, in seconds, between unsolicited multicast Router Advertisements sent from the interface. Values: 3 to the maximum specified interval. Default: 75% of the maximum specified interval.

Parameter: Advertise Interval, Maximum
Description: The maximum time, in seconds, between multicast Router Advertisements from the interface. Values: the minimum specified interval to 1800.

Parameter: Lifetime
Description: The maximum time, in seconds, that the advertised addresses are considered valid. Values: the maximum specified interval to 9000. Default: three times (3x) the maximum interval.

Enables you to advertise the device IP address using ICMP Router Advertisements.
The preference level of the address as the default router address, relative to other router addresses on the same subnet.
Resets the ICMP interface parameters to their default values.
Configure the ARP parameters and click OK.
Modify advanced parameters, if required; and then click (Submit) to submit the changes.
Parameter: Port
Description: The interface number where the station resides.

Parameter: IP Address
Description: The station's IP address.

Parameter: MAC Address
Description: The station's MAC address.

Parameter: Type
Description: Entry type. Values: Other (not Dynamic or Static), Invalid (invalidates the ARP entry and effectively deletes it), Dynamic (the entry is learned from the ARP protocol; if the entry is not active for a predetermined time, the node is deleted from the table), Static (the entry has been configured by the network management station and is permanent).

Parameter: Inactive ARP Timeout
Description: The time, in seconds, that inactive ARP cache entries can remain in the ARP table before the device deletes them. If an ARP cache entry is not refreshed within the specified period, it is assumed that there is a problem with that address. Values: 1 to 9999999. Default: 60000.
Configuring Ports
You can change the duplex mode of each port on the DefensePro device.
To configure ports
1. In the Configuration perspective Networking tab navigation pane, select Port Configuration. 2. To change a ports configuration, double-click the row. 3. Configure the port settings and click OK.
Parameter: Port
Description: (Read-only) The index number of the port.

Parameter: Speed
Description: (Read-only) The traffic speed of the port. Values: Auto, Ethernet, Fast Ethernet, GbE, 10GbE, 40GbE.

Parameter: Duplex
Description: (Read-only) Specifies whether the port allows both inbound and outbound traffic (Full Duplex) or one way only (Half Duplex).

Parameter: Autonegotiation Status
Description: (Read-only) Specifies the autonegotiation status of the hardware.(1) Values: Auto (there is no transceiver installed in the physical port), On (autonegotiation is ON), Off (autonegotiation is OFF).

Parameter: Autonegotiation Setting
Description: Specifies the autonegotiation configuration for the physical port.(1) Values: Auto (the Autonegotiation Status value determines whether autonegotiation is ON or OFF), On (autonegotiation is enabled by the user), Off (autonegotiation is disabled by the user).
Defaults: Fiber GbE transceivers: ON. Management ports: ON.
Notes: For fiber GbE transceivers and for management ports, autonegotiation is configurable; that is, the Autonegotiation Setting determines the Autonegotiation Status. 10GbE and 40GbE transceivers do not support autonegotiation. Copper GbE transceivers (not management ports) support only autonegotiation.
Caution: You can configure the Autonegotiation Setting even when there is no transceiver currently installed in the physical port. If you specify ON and later insert a transceiver that does not support autonegotiation, DefensePro issues a trap; the Autonegotiation Setting remains ON but the behavior is undetermined. If you specify OFF and later insert a transceiver that supports only ON, DefensePro issues a trap; the Autonegotiation Setting remains OFF but the behavior is undetermined.
(1) Autonegotiation refers to the port automatically detecting and configuring the speed and duplex mode for the interface.
Notes: Port mirroring requires that the input port be configured to Static-Forwarding Process mode. When the input port is configured to Static-Forwarding Forward mode, traffic is not mirrored. In Static Forwarding mode, traffic with the same destination MAC address as the device is not mirrored (rare).

To help counter high-bandwidth DoS and DDoS attacks, you can mirror the traffic that arrives at the DefensePro device to a dedicated sniffer port. This allows collecting packet data during an attack and sending the data to Radware's Security Operation Center (SOC) to develop an attack signature.

DefensePro also supports traffic-rate port mirroring, which the device can perform when it is under attack. Traffic-rate port mirroring is based on a specified traffic threshold. When the threshold value is reached, the DefensePro device starts copying traffic from the interface to its mirroring output port. The process continues for the specified time, and then the copying stops. For example, if you have a single network segment connected between interfaces 1 and 2, whenever traffic reaches the configured threshold, the DefensePro device copies the traffic arriving on interface #1 to interface #3.

3. Configure the port mirroring settings; and then click OK.
4. To configure advanced parameters for port mirroring, in the navigation pane, select Port Mirroring > Advanced Parameters.
5. Configure the advanced parameters; and then click (Submit) to submit the changes.
Parameter: Input Interface
Description: The traffic port.

Parameter: Output Port
Description: The port for the mirrored traffic.

Parameter: Traffic to Mirror
Description: The direction of the traffic that the device mirrors. Values: Transmit and Receive, Receive Only, Transmit Only.

Parameter: Enable Promiscuous Mode
Description: Values: Enabled (the device copies all traffic to the specified output port), Disabled (the device copies only the traffic destined to the input port). Default: Enabled.

Parameter: Backup Port
Description: The backup port for the mirrored traffic.

Parameter: Mode
Description: The mode of port mirroring. Values: Enabled, Traffic Rate.

Parameter: Threshold
Description: The number of threshold units (PPS/Kbps) that can pass through the specified input port (Input Interface) before the mirroring process starts.
Note: The Threshold Units parameter and the Threshold Interval parameter are defined globally for each device and not for each pair of ports.

Parameter: Threshold Units
Description: Values: PPS (packets per second), Kbps (kilobits per second).

Parameter: Threshold Interval
Description: How long, in seconds, mirroring continues after the traffic rate falls below the specified threshold. Default: 30.

Click to set the device to record the traffic that exceeds the predefined limit within a new Threshold Interval.
Caution: Changing the configuration of this feature takes effect only after a device reset.

DefensePro supports processing of IPv6 packets and ICMPv6 packets, including the following:
Setting networks with IPv6 addresses
Applying security policies
Blocking attacks
Security reporting
IP Fragmentation
When an IP packet is too long to be transmitted, the originator of the packet, or one of the routers forwarding it, must fragment the packet into multiple shorter packets. Using IP fragmentation handling, the DefensePro device can classify the Layer 4 information of IP fragments. The device identifies all the fragments that belong to the same datagram, then classifies and forwards them accordingly. The device does not reassemble the original IP packet, but forwards the fragmented datagrams to their destination, even if the fragments arrive at the device out of order.
Traffic Exclusion
Traffic Exclusion is when DefensePro passes through all traffic that matches no network policy configured on the device. In DefensePro 7.20, the device always passes through all traffic that matches no network policy configured on the device.
Parameter: IP Version Mode
Note: If the IPv4 option is selected and IPv6 network classes are configured, all IPv6 policies (rules) are automatically disabled. Policies applied to both IPv4 and IPv6 traffic continue to process IPv4 traffic only. The IPv6 information remains visible.

Jumbo Frames

Parameter: Bypass Jumbo Frames
Description: Specifies whether jumbo frames bypass the device. Values: Enabled (frames of 1550 to 9216 bytes bypass the device without any inspection or monitoring), Disabled (the device discards frames that are larger than 1550 bytes). Default: Disabled.
Notes: Changing the configuration of this option takes effect only after a device reset. When the option is enabled, there is no sampling for Black List rules. When the option is enabled, TCP SYN Protection may not behave as expected, because the third packet in the TCP three-way handshake can include data and be in itself a jumbo frame. When the option is enabled, some protections that rely on the DefensePro Session table might produce false negatives and drop traffic when all the session traffic bypasses the device in both directions for a period longer than the Session Aging Time.

IP Fragmentation

Parameter: Enable IP Fragmentation
Description: Specifies whether IP fragmentation handling is enabled. Default: Disabled.

Parameter: Queuing Limit
Description: The percentage of IP packets the device allocates for out-of-sequence fragmented IP datagrams. Values: 0 to 100. Default: 25.

Parameter: Aging Time
Description: The time, in seconds, that the device keeps the fragmented datagrams in the queue. Values: 1 to 255. Default: 1.
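The following added example (not Radware code) shows the classification mechanism described under IP Fragmentation above: fragments are grouped by (source, destination, identification, protocol), only the first fragment carries the TCP/UDP ports, and non-first fragments that arrive before the first one wait in a bounded queue until the first fragment arrives or the aging time expires, with no reassembly. The packet construction helpers, the sample addresses and the use of a slot count in place of the Queuing Limit percentage are assumptions of the example.

```python
import socket
import struct

# version/IHL, TOS, total length, ID, flags+offset, TTL, protocol, checksum, src, dst
IPV4_HDR = "!BBHHHBBH4s4s"
PROTO_TCP, PROTO_UDP = 6, 17


def build_ipv4(src, dst, ident, proto, offset, more_fragments, payload):
    """Constructed sample packet (no options, zero checksum) for this example only."""
    flags_offset = (0x2000 if more_fragments else 0) | (offset // 8)
    hdr = struct.pack(IPV4_HDR, 0x45, 0, 20 + len(payload), ident, flags_offset, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def parse_ipv4(raw):
    ver_ihl, _, total_len, ident, flags_offset, _, proto, _, src, dst = struct.unpack(IPV4_HDR, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "id": ident, "proto": proto,
            "mf": bool(flags_offset & 0x2000), "offset": (flags_offset & 0x1FFF) * 8,
            "payload": raw[ihl:total_len]}


def l4_ports(pkt):
    """Source/destination ports are present only in the first fragment's payload."""
    if pkt["proto"] in (PROTO_TCP, PROTO_UDP) and len(pkt["payload"]) >= 4:
        return struct.unpack("!HH", pkt["payload"][:4])
    return (None, None)


def classify_fragments(packets, queue_slots=4, aging_time=1.0):
    """packets: list of (arrival_time, raw_ipv4), in arrival order.
    Returns {index: (sport, dport) | 'queued-dropped' | 'unclassified'}.
    queue_slots bounds the out-of-sequence queue (a count here, a percentage on the device);
    aging_time is how long a datagram's L4 information or its queued fragments are kept."""
    results, known, pending = {}, {}, {}
    for i, (now, raw) in enumerate(packets):
        # Age out datagram state and any queued fragments whose first fragment never came.
        for k in [k for k, (_, t0) in known.items() if now - t0 > aging_time]:
            del known[k]
        for k in [k for k, (_, t0) in pending.items() if now - t0 > aging_time]:
            for j in pending.pop(k)[0]:
                results[j] = "unclassified"
        pkt = parse_ipv4(raw)
        key = (pkt["src"], pkt["dst"], pkt["id"], pkt["proto"])
        if pkt["offset"] == 0:
            ports = l4_ports(pkt)
            results[i] = ports
            if pkt["mf"]:  # first fragment of a fragmented datagram: remember and release queue
                known[key] = (ports, now)
                for j in pending.pop(key, ([], 0))[0]:
                    results[j] = ports
        elif key in known:
            results[i] = known[key][0]  # later fragment: inherit the first fragment's ports
        else:
            queued = sum(len(q) for q, _ in pending.values())
            if queued >= queue_slots:
                results[i] = "queued-dropped"
            else:
                pending.setdefault(key, ([], now))[0].append(i)
    return results
```

The second assertion set in the test shows why the Queuing Limit matters: a stream of orphan non-first fragments with no first fragment consumes the queue, and once it is full further fragments are dropped rather than buffered.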
Parameter: Source Port
Parameter: Destination Port
Parameter: Operation

Parameter: In Port
Description: Specifies which port in the pair is designated as the inbound port, the source or the destination port. This setting is used in real-time reports for inbound and outbound traffic.

Advanced Parameters

Parameter: Enable Interface Grouping
Description: Specifies whether the device groups the statuses of the port-pair interfaces. When the option is enabled, if one port of a port pair is disconnected, DefensePro sets the status of the paired port to disconnected also, so a remote device connected to the DefensePro device perceives the same disconnected status. Typically, the option is enabled when DefensePro is configured between switches that use link redundancy. Interface grouping is the only way both switches always perceive the same DefensePro interface status. Default: Disabled.
Notes: All the configuration procedures in this section assume that the relevant device is selected in the Configuration perspective navigation pane. Some protections are not supported on management interfaces.

Security Protections, page 129
Selecting a Device for Security Configuration, page 130
Configuring Global Security Settings, page 130
Managing the Network Protection Policy, page 155
Managing the Server Protection Policy, page 196
Configuring White Lists, page 215
Configuring Black Lists, page 218
Managing the ACL Policy, page 223
Security Protections
DefensePro User Guide Security Configuration

DefensePro's multi-layer security approach combines features for detecting and mitigating a wide range of network and server attacks. DefensePro supports three types of security protections: network-wide protections, server protections, and access-control policies.

Network-wide protections include the following:
Behavioral DoS: protects against zero-day flood attacks, including SYN floods, TCP floods, UDP floods, and ICMP and IGMP floods.
SYN-flood protection: protects against any type of SYN flood attack using SYN cookies. A SYN flood attack is usually aimed at specific servers with the intention of consuming the server's resources; however, you configure SYN Protection as a Network Protection to allow easier protection of multiple network elements.
Signature-based protection: protects against known application vulnerabilities and common malware, such as worms, trojans, spyware, and DoS.
Fraud protection using RSA feeds.
Packet-anomaly protections.
Scanning and worm-propagation protection: provides zero-day protection against self-propagating worms, horizontal and vertical TCP and UDP scanning, and ping sweeps.
Out of State protection: ensures that TCP connections are established according to the protocol RFCs.
Connection limit: protects against session-based attacks, such as half-open SYN attacks, request attacks, and connection attacks.
Server-cracking protection: provides zero-day protection against application-vulnerability scanning, brute-force, and dictionary attacks.
HTTP-flood protection: mitigates zero-day HTTP page flood attacks.

Access control (ACL) policies block or allow traffic to or from specified networks, based on protocols, applications, and other criteria.
Note: After a protection feature is enabled on a device, the device requires a reboot. However, you need to reboot only once after enabling features within the same navigation branch.

Use APSolute Vision to configure the following protection features on a selected device:
Configuring Global Signature Protection, page 131
Configuring DoS Shield Protection, page 131
Configuring Global Behavioral DoS Protection, page 133
Configuring Global Anti-Scanning Protection Settings, page 138
Configuring Global SYN Flood Protection, page 140
Configuring Global Out of State Protection, page 141
Configuring Global HTTP Flood Protection, page 142
Configuring Global SIP Cracking Protection, page 143
Configuring Global Fraud Protection, page 144
Configuring Global Packet Anomaly Protection, page 146
Configuring Global DNS Flood Protection, page 149
Parameter: Enable Application Security Protection
Description: If the protection is disabled, enable it before setting up the protection profiles. Note: Changing the setting of this parameter requires a reboot to take effect.

Parameter: Reassemble Fragmented TCP Packets
Description: Specifies whether the device tries to reassemble fragmented TCP packets. Default: Enabled.

Parameter: Encoding
Description: The encoding (the language and character set) to use for detecting security events.

Parameter: Enable Session Drop Mechanism
Description: Enables dropping of all packets of a session once a signature has been detected in one of the session's packets.

Parameter: Security Tracking Tables Free-Up Frequency
Description: How often, in milliseconds, the device clears unnecessary entries from the table and stores information about newly detected security events. Values: 0 to 65,535. Default: 1250.
Notes DoS Shield protection is enabled by default. This feature is also supported on management interfaces.
DoS Shield profiles prevent the following:
Known TCP, UDP, and ICMP floods
Known attack tools available on the Internet
Known floods created by bots, which are automated attacks
DoS Shield protection uses signatures from the Radware Signatures database, which is updated continuously so that the protection covers the currently known flood attacks and attack tools. The DoS Shield signatures are part of the signature database, and the Radware predefined Signature profiles already include DoS Shield protection. To create your own profile that includes DoS Shield protection, configure a Signature profile with the Threat Type attribute set to Floods. Radware also supplies a predefined profile, All-DoS-Shield, which contains all DoS Shield signatures; use it when a DoS-only solution is required. Note that if the All-DoS-Shield profile is applied, you cannot apply other Signature profiles in the same security policy.

To prevent denial of service, DoS Shield samples the traffic flowing through the device and rate-limits traffic recognized as a DoS attack, using predefined actions. Most networks can tolerate sporadic attack traffic that consumes negligible bandwidth, and such traffic does not require any countermeasure. An attack becomes a threat when it starts to consume a large share of the network's bandwidth. DoS Shield detects such events with a sampling algorithm that keeps the inspection cost low, and it acts automatically.

DoS Shield keeps each protection in one of two states:
- Dormant: the protection is evaluated only against sampled traffic. A protection leaves the Dormant state only when the number of matching packets exceeds the predefined limit.
- Active: the protection's action is applied to every packet that matches the attack signature, without sampling.

DoS Shield counts the packets that match protections in both states. Samples of the traffic are compared with the list of Dormant protections; when the count for a protection reaches its threshold, the protection becomes Active. Two processes run in parallel: one statistically monitors sampled traffic to check whether any Dormant protection should become Active; the other compares every packet passing through the device with the list of currently Active protections. Packets that do not match an Active signature are forwarded without further DoS Shield inspection, apart from the sampled fraction that is compared with the Dormant list.

In DefensePro, DoS Shield protection requires Signature Protection to be enabled. For more information, see Configuring Global Signature Protection, page 131.
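The two-process design described above, written out as an added Python model. This is an illustration, not Radware code and not DefensePro's implementation: one path samples 1 in N packets against the dormant protections and compares each protection's counter with its threshold once per Sampling Time, while the other path compares every packet with the active protections. The signature predicates, the per-protection thresholds, the 1-in-100 sampling rate (chosen so that a short constructed trace triggers), the traffic trace, and the rule that a sampling window with no matches returns an active protection to dormant are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]


@dataclass
class Protection:
    """One DoS Shield signature with its dormant/active state (model, not device code)."""
    name: str
    matches: Callable[[Packet], bool]
    threshold: int          # assumed per-signature limit: sampled matches per window that activate it
    state: str = "dormant"
    window_hits: int = 0    # matches counted in the current sampling window
    dropped: int = 0


class DosShieldModel:
    def __init__(self, protections: List[Protection],
                 sampling_rate: int = 5001, sampling_time: float = 5.0) -> None:
        self.protections = protections
        self.sampling_rate = sampling_rate   # 1 out of sampling_rate packets is checked against dormant signatures
        self.sampling_time = sampling_time   # seconds between counter/threshold comparisons
        self.seen = 0
        self.window_start = 0.0

    def process(self, pkt: Packet, now: float) -> str:
        """Return "drop" or "forward" for one packet arriving at time `now` (seconds)."""
        self._compare_counters(now)
        self.seen += 1
        # Process 1: every packet is compared with the currently active protections.
        for p in self.protections:
            if p.state == "active" and p.matches(pkt):
                p.window_hits += 1
                p.dropped += 1
                return "drop"
        # Process 2: only a 1-in-N sample of the remaining packets is compared with the
        # dormant protections; everything else is forwarded without DoS Shield inspection.
        if self.seen % self.sampling_rate == 0:
            for p in self.protections:
                if p.state == "dormant" and p.matches(pkt):
                    p.window_hits += 1
        return "forward"

    def _compare_counters(self, now: float) -> None:
        """Once per sampling window, promote dormant protections whose counter reached the
        threshold and (assumption) demote active ones that saw no matches for a whole window."""
        if now - self.window_start < self.sampling_time:
            return
        for p in self.protections:
            if p.state == "dormant" and p.window_hits >= p.threshold:
                p.state = "active"
            elif p.state == "active" and p.window_hits == 0:
                p.state = "dormant"
            p.window_hits = 0
        self.window_start = now


def run_constructed_trace(sampling_rate: int = 100,
                          sampling_time: float = 5.0) -> Tuple[List[Protection], Dict[str, int]]:
    """60 s of constructed traffic at 2000 pps: a 30 s UDP flood plus sporadic ICMP tool packets."""
    udp_tool = Protection("constructed UDP flood tool",
                          lambda p: p["proto"] == "udp" and p["payload"] == b"\x00" * 8, threshold=3)
    icmp_tool = Protection("constructed ICMP flood tool",
                           lambda p: p["proto"] == "icmp" and p["payload"].startswith(b"FLOOD"), threshold=3)
    shield = DosShieldModel([udp_tool, icmp_tool], sampling_rate, sampling_time)
    pps = 2000
    decisions = {"drop": 0, "forward": 0}
    for i in range(60 * pps):
        t = i / pps
        if 10 <= t < 40 and i % 2 == 1:      # flood: every second packet for 30 s
            pkt = {"proto": "udp", "payload": b"\x00" * 8}
        elif i % 5000 == 0:                  # sporadic tool traffic: negligible rate, no counter action needed
            pkt = {"proto": "icmp", "payload": b"FLOOD!"}
        else:                                # ordinary traffic
            pkt = {"proto": "tcp", "payload": b"GET / HTTP/1.1"}
        decisions[shield.process(pkt, t)] += 1
    return shield.protections, decisions


if __name__ == "__main__":
    prots, outcome = run_constructed_trace()
    for p in prots:
        print(f"{p.name}: state={p.state} dropped={p.dropped}")
    print(outcome)
```

In the trace, the UDP protection is still dormant at the first comparison after the flood starts (its window had not yet accumulated samples), becomes active at the next one, drops every flood packet from then on, and returns to dormant one window after the flood stops; the sporadic ICMP tool packets never reach the threshold and pass untouched, which is the "negligible bandwidth, no counter action" case from the text. Shortening `sampling_time` is exactly what the Sampling Time note warns about: a short window with a burst of matches can reach the threshold on legitimate traffic.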
Parameter / Description

Enable DoS Shield
  Specifies whether the DoS Shield feature is enabled.
  Note: If the protection is disabled, enable it before configuring the protection profiles.

Sampling Time
  How often, in seconds, DoS Shield compares the predefined threshold of each dormant attack with the current value of the packet counter matching that attack.
  Default: 5
  Note: If the sampling time is very short, counters are compared with thresholds frequently, so regular traffic bursts might be treated as attacks. If the sampling time is too long, DoS Shield cannot detect real attacks quickly enough.

[parameter name not preserved]
  The packet-sampling rate. For example, if the specified value is 5001, DoS Shield inspects 1 out of every 5001 packets.
  Default: 5001
The main advantage of BDoS Protection is its ability to detect statistical traffic anomalies and generate an accurate DoS-attack footprint based on heuristic analysis of protocol information. This keeps attack filtering accurate with minimal risk of false positives. The default average time to create a new real-time signature is between 10 and 18 seconds, which is short relative to flood attacks, which typically last minutes and sometimes hours.
Parameter / Description

Enable BDoS Protection
  Specifies whether Behavioral DoS (BDoS) Protection is enabled.

Learning Response Period
  The initial period from which baselines are primarily weighted. The default and recommended learning response period is one week. If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change by more than 50% daily), set the learning response period to one month. Use a one-day period for testing purposes only.
  Values: Day, Week, Month
  Default: Week

[parameter name not preserved]
  Specifies whether the BDoS module uses traffic-statistics sampling during the creation phase of the BDoS footprint. When the BDoS module is generating a real-time signature at a high traffic rate, the device evaluates only a portion of the traffic and tunes the sampling factor automatically according to the rate: it screens all traffic at low rates (below 100K PPS) and only a portion of the traffic at higher rates (above 100K PPS).
  Default: Enabled
  Note: For best performance, Radware recommends leaving this parameter Enabled.
Parameter / Description

Footprint Strictness
  When the Behavioral DoS module detects a new attack, it generates an attack footprint to block the attack traffic. If the module cannot generate a footprint that meets the footprint-strictness condition, it issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint; however, higher strictness also increases the probability that the device cannot generate a footprint at all.
  Values:
  - High: Enforces at least three Boolean ANDs and no Boolean OR values in the footprint. This level lowers the probability of false positives but increases the probability of false negatives.
  - Medium: Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.
  - Low: Allows any footprint suggested by the Behavioral DoS module. This level achieves the best attack blocking but increases the probability of false positives.
  DefensePro always treats the checksum field and the sequence-number fields as High Footprint Strictness fields, so a footprint consisting only of a checksum or a sequence number is always considered to satisfy High Footprint Strictness. Footprint Strictness Examples, page 135 shows examples of footprint strictness requirements.
Advanced Parameters
These settings affect periodic attack behavior and are used to detect and block such attacks effectively.

Duration of Non-attack Traffic in Blocking State
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold while in the Blocking state. When the time elapses, DefensePro declares the attack terminated.
  Values: 45-300
  Default: 45

Duration of Non-attack Traffic in Anomaly or Non-Strictness State
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold while in the Anomaly state or the Non-strictness state. When the time elapses, DefensePro declares the attack terminated.
  Values: 45-300
  Default: 45
Footprint Strictness Examples

Footprint Example                      Medium   High
TTL                                    No       No
TTL AND Packet Size                    Yes      No
[third example; label not preserved]   Yes      Yes
Parameter / Description

Footprint Bypass Controller
  (Read-only) The selected attack protection for which you are configuring footprint bypass.

Bypass Field
  (Read-only) The selected bypass type to configure.

Bypass Status
  The bypass option.
  Values:
  - Bypass: The Behavioral DoS module bypasses all possible values of the selected Bypass Field when generating a footprint.
  - Accept: The Behavioral DoS module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.

Bypass Values
  If Bypass Status is Accept, the Behavioral DoS mechanism does not use the specified Bypass Values of the selected Bypass Field when generating the footprint. The valid Bypass Values vary according to the selected Bypass Field. Multiple values must be comma-delimited.
Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DefensePro generates. When DefensePro detects a new DoS attack (by default, after 10 seconds), DefensePro generates a DoS-attack footprint and then blocks or drops the relevant flood traffic.
In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, blocking must start as soon as possible, even at the cost of accuracy. Using Early Blocking of DoS Traffic, you can configure thresholds for generating DoS-attack footprints that shorten the time until the relevant traffic is blocked. DefensePro generates each footprint from the values of fields (parameters) in the packet header (for example, Sequence Number, Checksum, and IP ID); those values characterize the attack. The thresholds that you can configure for the protection to move from the Analysis state to the Blocking state are:
- Packet-header fields: the number of anomalously distributed packet-header fields that DefensePro must detect to generate a footprint and start blocking before the default 10 seconds. (The transition after 10 seconds occurs even if this condition is not met.) You can define either the number of packet-header fields or the specific fields that DefensePro must detect. For more information, see Selecting Packet Header Fields for Early Blocking of DoS Traffic, page 138.
- Packet-header-field values: the number of anomalous packet-header-field values that DefensePro must detect to generate a footprint and start early blocking.
Note: The threshold (that is, the packet-header fields or the number of packet-header fields) cannot conflict with the Footprint Strictness level. You cannot change the specified Footprint Strictness to one that is lower than the strictness necessary for the BDoS mechanism to operate properly. Likewise, you cannot configure fewer packet-header fields than the specified strictness level requires for the BDoS mechanism to operate properly.
Parameter / Description

Protection Type
  (Read-only) The protection for which you are configuring early blocking.

Any Packet Header Field
  When selected, DefensePro blocks DoS traffic early based on the specified number of packet-header fields and number of packet-header-field values. Clear the selection to use the specific packet-header fields that you select in the BDoS Packet Header table.

[parameter name not preserved: the packet-header-fields threshold]
  The number of anomalous packet-header fields that DefensePro must detect to generate a footprint and start early blocking.
  Values: 1-20
  Default (per protection): ICMP 18, IGMP 11, TCP-ACK-FIN 14, TCP-Fragment 17, TCP-RST 14, TCP-SYN 14, TCP-SYN-ACK 14, UDP 21
Packet Header Field Values
  The number of anomalous packet-header-field values that DefensePro must detect to generate a footprint and start early blocking. This value must not be less than the packet-header-fields threshold.
  Values: 1-1000
  Default: 500
Parameter / Description

Protection Type
  (Read-only) The protection for which you are configuring early blocking.

Packet Header Field
  (Read-only) The packet-header field.

Enable Early Blocking Condition
  When selected, the packet-header field is included in the set of specific fields that DefensePro must detect to generate a footprint and start early blocking.
Parameter / Description

Enable Anti-Scanning Protection
  [description not preserved in this copy]

[parameter name not preserved]
  Specifies whether Anti-Scanning Protection also blocks slow scans, which can result in very long blocking periods. When enabled, Anti-Scanning Protection adapts the blocking interval to the frequency of the scanner's activity, so that the device detects the scanner again before the blocking duration elapses. The blocking duration is the time between scanning events multiplied by the Attack Trigger value. Radware recommends using this option only in exceptional circumstances, when one scan attempt in 20 minutes is considered a security threat.
  Default: Disabled

[parameter name not preserved]
  Specifies whether Anti-Scanning Protection emphasizes inspection of scans aimed at ports greater than 1024 (that is, usually unassigned ports).
  Values:
  - Enabled: Anti-Scanning Protection emphasizes inspection of scans aimed at ports greater than 1024. Select this option when your applications use standard system ports (port values below 1024).
  - Disabled: Anti-Scanning Protection treats all scan activity equally. Select this option when your applications use nonstandard ports (port values above 1024).
  Default: Enabled
  Note: When the parameter is enabled and legitimate applications use high-range ports, the device is prone to more false positives.

Maximal Blocking Duration
  The maximum time, in seconds, that Anti-Scanning Protection blocks the source of a scan if that source continues to scan the network.
  Values: 20-3600
  Default: 80
  Note: This setting overrides the maximum time set in the suspend-table parameters.
Parameter / Description

Enable SYN Flood Protection
  Specifies whether SYN Flood Protection is enabled on the device.
  Default: Enabled
  Note: Changing this parameter requires a reboot to take effect.

Advanced Parameters

Tracking Time
  The time, in seconds, during which the number of SYN packets directed to a single protected destination must stay below the Termination Threshold for the attack state of that destination to terminate.
  Values: 1-10
  Default: 5
SSL Parameters
For more information on the SSL Mitigation feature, see Configuring SSL Mitigation Policies, page 191.

Enable SSL Mitigation
  Specifies whether the device enables the SSL Mitigation mechanism together with an Alteon device.

[parameter names not preserved]
  - The IP address of the Alteon management port.
  - The health-check port (that is, the SNMP Traps port) on the Alteon device.
  - The table that displays the pair of static-forwarding ports.
Parameter / Description

Enable Out-of-State Protection
Activate (Without Reboot)
  [descriptions not preserved in this copy]

Startup Mode
  Default: Graceful

Startup Timer
  For Graceful startup mode, the time, in seconds, after startup during which the device ignores Out-of-State Protection and registers all sessions in the Session table, including sessions whose initiation was not registered (for example, a TCP session whose SYN was not seen). After this time, the device drops new sessions whose initiation was not registered.
  Values: 0-65,535
  Default: 1800
Parameter / Description

Enable HTTP Mitigator
  Specifies whether the HTTP Mitigator is enabled on the device. HTTP flood protection must be enabled before you can set HTTP flood protection parameters.
  Default: Enabled

[parameter name not preserved]
  The time, in days, that the HTTP Mitigator takes to collect the data needed to establish the baseline that HTTP Mitigation uses.
  Values: 0-65,536
  Default: 7

Learning Mode
  The learning mode of the HTTP Mitigator.
  Values:
  - Continuous Only: The learning process about the traffic environment is continuous.
  - Automatic: The HTTP Mitigator can switch to 24x7 learning when it detects a recurring pattern per hour of the day of the week over a period of 4, 8, or 12 weeks (based on sensitivity).

Learning Sensitivity
  The period from which the HTTP Mitigator establishes baselines. Select the time unit based on the site characteristics. For example, if the site traffic fluctuates during the course of a day but fluctuates the same way each day, select Day; if there are significant fluctuations between the days of the week, select Week.
  Values: Day, Week, Month
  Default: Week

[parameter name not preserved]
  The number of automatic attempts the device makes before announcing that it cannot mitigate the attack.
  Values: 1-100
  Default: 3
DefensePro detects SIP server cracking based on the frequency and quantity of SIP reply codes. It analyzes authentication, call-initiation, and registration processes and their reply codes per source IP address and per SIP URI (the SIP From header). A SIP server can send replies and error responses to a client either on the same connection or by opening a new connection for that purpose; the same applies over UDP, where either the same flow or a new one is used. To support such environments, SIP Server Cracking protection can monitor all outgoing messages from the protected server to the SIP Application Port Group or from the SIP Application Port Group. When DefensePro detects an attack, it does the following:
- Adds the source IP address of the attacker to the Suspend table. The suspend entry contains both the SIP port and the server IP address.
- Blocks all traffic from the attacker to the protected server and to the SIP Application Port Group. The device also drops existing sessions or flows from the attacker to the protected server and to the Application Port Group.
Before you configure global SIP Cracking Protection, you must configure a profile that includes SIP protection. For more information, see Configuring Server Cracking Profiles for Server Protection, page 205.
Parameter / Description

Tracking Type
  The data that the SIP Cracking feature monitors.
  Values: SIP-URI, Source IP, Both

Application Code for Reset
  The SIP error code that is sent back to the source IP address.
  Values:
  - Ambiguous: code 485. The Request-URI is ambiguous or not assigned.
  - Busy Everywhere: code 600. All possible destinations are busy.
  - Busy Here: code 486. User busy.
  - Decline: code 603. Call rejected.
  - Not Acceptable Error: code 406 (client failure response). The resource identified by the request can only generate response entities whose content characteristics are not acceptable according to the Accept header field sent in the request.
  - Not Acceptable Fail: code 606 (global failure response). The user agent was contacted successfully, but some aspects of the session description, such as the requested media, bandwidth, or addressing style, were not acceptable.
  - Not Acceptable Here: code 488. Some aspect of the session description for the Request-URI is not acceptable.
  - Not Found: code 404. The user does not exist at the specified domain.
  - Request Terminated: code 487. The request was terminated by a BYE or CANCEL.
  - Temporarily Unavailable: code 480. The user is currently unavailable.
  Default: Not Acceptable Error

Detect Error Codes in Server Originated Sessions
  Enables detection of error codes on sessions that the server originates toward the client.
  Default: Disabled
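A model of the detection and response described above, added here as a Python example; it is not Radware code, and the page does not give the real thresholds, the set of reply codes counted, or the suspend-table layout, so those are assumptions. It parses constructed server-originated SIP responses, counts failure reply codes per tracking key (Source IP, SIP-URI, or Both) in a sliding window, suspends the source when a key crosses the threshold, and answers with the configured Application Code for Reset. The protected server address and port are constructed.

```python
import re
from collections import defaultdict, deque
from typing import Deque, Dict, List, Optional, Tuple

# Codes selectable as "Application Code for Reset" (from the table above).
RESET_CODES = {
    "Ambiguous": 485, "Busy Everywhere": 600, "Busy Here": 486, "Decline": 603,
    "Not Acceptable Error": 406, "Not Acceptable Fail": 606, "Not Acceptable Here": 488,
    "Not Found": 404, "Request Terminated": 487, "Temporarily Unavailable": 480,
}
# Assumption: reply codes that count as failed authentication/registration/call attempts.
FAILURE_CODES = {401, 403, 404, 407}

STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) ")
FROM_RE = re.compile(r"^From:\s*(?:\"[^\"]*\"\s*)?<?(sip:[^>;\s]+)", re.M | re.I)


def parse_response(raw: str) -> Optional[Tuple[int, str]]:
    """Extract (status code, From URI) from a server-originated SIP response; None if it is not one."""
    status = STATUS_RE.match(raw)
    sender = FROM_RE.search(raw)
    if not status or not sender:
        return None
    return int(status.group(1)), sender.group(1).lower()


class SipCrackingDetector:
    def __init__(self, tracking: str = "Both", threshold: int = 5, window_s: float = 10.0,
                 reset_code: str = "Not Acceptable Error",
                 server_ip: str = "198.51.100.5", sip_port: int = 5060) -> None:
        assert tracking in ("SIP-URI", "Source IP", "Both")
        self.tracking, self.threshold, self.window_s = tracking, threshold, window_s
        self.reset_code = RESET_CODES[reset_code]
        self.server_ip, self.sip_port = server_ip, sip_port            # constructed protected server
        self.failures: Dict[tuple, Deque[float]] = defaultdict(deque)
        self.suspend: Dict[str, Tuple[str, int]] = {}                  # attacker IP -> (server IP, SIP port)

    def _key(self, client_ip: str, uri: str) -> tuple:
        return {"Source IP": (client_ip,), "SIP-URI": (uri,), "Both": (client_ip, uri)}[self.tracking]

    def observe(self, client_ip: str, raw_response: str, now: float) -> str:
        """Feed one response the server sent to client_ip; return the verdict for that client."""
        if client_ip in self.suspend:
            return "blocked"       # all traffic from a suspended source to the server/port group is dropped
        parsed = parse_response(raw_response)
        if parsed is None:
            return "ignored"
        code, uri = parsed
        if code not in FAILURE_CODES:
            return "forward"
        history = self.failures[self._key(client_ip, uri)]
        history.append(now)
        while history and now - history[0] > self.window_s:           # keep only the recent window
            history.popleft()
        if len(history) >= self.threshold:
            self.suspend[client_ip] = (self.server_ip, self.sip_port)  # suspend entry: SIP port + server IP
            return f"reset SIP/2.0 {self.reset_code}"
        return "forward"


def constructed_401(user: str) -> str:
    """A constructed 401 response to a REGISTER, as the protected server would send it."""
    return "\r\n".join([
        "SIP/2.0 401 Unauthorized",
        "Via: SIP/2.0/UDP 203.0.113.7:5060;branch=z9hG4bK776asdhds",
        f"From: <sip:{user}@example.com>;tag=1928301774",
        f"To: <sip:{user}@example.com>;tag=a6c85cf",
        "Call-ID: a84b4c76e66710", "CSeq: 1 REGISTER",
        'WWW-Authenticate: Digest realm="example.com"', "", ""])


def single_source_bruteforce(tracking: str = "Both") -> List[str]:
    """One client failing against one account once per second."""
    det = SipCrackingDetector(tracking)
    return [det.observe("203.0.113.7", constructed_401("alice"), t) for t in range(7)]


def distributed_against_one_uri(tracking: str) -> List[str]:
    """Seven clients, one failure each, all against the same account."""
    det = SipCrackingDetector(tracking)
    return [det.observe(f"203.0.113.{n}", constructed_401("alice"), n) for n in range(1, 8)]
```

The two scenarios show why Tracking Type matters: a single source is caught under any tracking type, but a distributed guess against one account is invisible to Source IP tracking and is only detected when the SIP URI is part of the key.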
Note: RSA updates require purchasing the relevant license. DefensePro can periodically receive the RSA signature feeds by means of a scheduled task, Update RSA Security Signature. You can also trigger an update of RSA signatures manually, using the Update Security Signature operation. DefensePro can store up to 500 concurrent RSA signatures.
When RSA finds a new malicious server or URL, RSA approaches the hosting provider or service provider to take the site down. DefensePro therefore expects the feeds it receives to become irrelevant after a certain time, and it ages the stored signatures according to the estimated time needed to bring down each type of malicious site. When Fraud Protection is enabled, you can configure Network Protection with a Signature Profile rule that uses one or more of the following threat-type attribute values:
- Fraud - Phishing
- Fraud - Drop Points
- Fraud - Malicious Download
Parameter / Description

Enable Fraud Protection
  [description not preserved in this copy]

Advanced Settings

Error Reporting Frequency
  How often, in hours, the device sends a trap notifying that an expected feed was not received.
  Values: 1-24
  Default: 1

Phishing Signatures Aging
  The time, in hours, after which the device deletes the signatures of phishing sites.
  Values: 1-168
  Default: 48

Drop Points Aging
  The time, in hours, after which the device deletes the addresses of drop points.
  Values: 1-168
  Default: 70

Malicious Download Aging
  The time, in hours, after which the device deletes the addresses of malicious-download sites.
  Values: 1-168
  Default: 48
</gr_repl_placeholder_never_emitted>
Enabling and Disabling the Packet Trace Feature for Packet Anomaly Protection
When the Packet Trace feature is enabled for Packet Anomaly Protection, the device sends anomalous packets to the specified physical port. You enable or disable the Packet Trace feature for all the packet-anomaly protections configured on the device.
Notes:
- For this feature to take effect, the global setting must also be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port).
- A change to the parameter takes effect only after you update policies.
To enable or disable the Packet Trace feature for Packet Anomaly Protection
1. In the Configuration perspective Security Settings tab navigation pane, select Packet Anomaly.
2. Select or clear the Packet Trace checkbox, and then click Submit to submit the changes.
Parameter / Description

ID
  (Read-only) The ID number of the packet-anomaly protection. The ID is a Radware ID that appears in the trap sent to the APSolute Vision Security logs.

Protection Name
  (Read-only) The name of the packet-anomaly protection.
Parameter / Description

Action
  The action that the device takes when the packet anomaly is detected. The action applies only to the specified packet-anomaly protection.
  Values:
  - Drop: The device discards the anomalous packets and issues a trap.
  - Report: The device issues a trap for anomalous packets. If the Report Action is Process, the packet continues to the rest of the device modules; if the Report Action is Bypass, the packet bypasses the rest of the device modules.
  - No Report: The device issues no trap for anomalous packets. As with Report, the Report Action (Process or Bypass) determines whether the packet continues to the rest of the device modules.
  Note: Click Drop All, Report All, or No Report All to set the action for all packet-anomaly protections to Drop, Report, or No Report, respectively.

Risk
  The risk associated with the trap for the specific anomaly.
  Values: Info, Low, Medium, High
  Default: Info

Report Action
  The action that the DefensePro device takes on the anomalous packets when the specified Action is Report or No Report. The Report Action applies only to the specified packet-anomaly protection.
  Values:
  - Bypass: The anomalous packets bypass the device.
  - Process: The DefensePro modules process the anomalous packets. If the anomalous packets are part of an attack, DefensePro can mitigate the attack.
  Note: You cannot select Process for the following packet-anomaly protections: 104 Invalid IP Header or Total Length, 107 Inconsistent IPv6 Headers, 131 Invalid L4 Header Length.
Anomaly / Description

Unrecognized L2 Format (1)
  Packets with more than two VLAN tags or MPLS labels, L2 broadcast, or L2 multicast traffic.
  ID: 100; Default Action: No Report; Default Risk: Low; Default Report Action: Process

[anomaly name not preserved]
  The IP packet header checksum does not match the packet header.
  ID: 103; Default Action: Drop; Default Risk: Low; Default Report Action: Bypass

Invalid IPv4 Header or Total Length
  The IP header-length field does not match the actual header length, or the IP total-length field does not match the actual packet length.
  ID: 104; Default Action: Drop; Default Risk: Low; Report Action: Bypass (2)

TTL Less Than or Equal to 1
  The TTL field value is less than or equal to 1.
  ID: 105; Default Action: Report; Default Risk: Low; Default Report Action: Process

Inconsistent IPv6 Headers
  Inconsistent IPv6 headers.
  ID: 107; Default Action: Drop; Default Risk: Low; Report Action: Bypass (2)

IPv6 Hop Limit Reached
  The IPv6 hop limit is not greater than 1.
  ID: 108; Default Action: Report; Default Risk: Low; Default Report Action: Process

Unsupported L4 Protocol
  Traffic other than UDP, TCP, ICMP, or IGMP.
  ID: 110; Default Action: No Report; Default Risk: Low; Default Report Action: Process
Invalid TCP Flags
  The TCP flag combination does not conform to the standard.
  ID: 113; Default Action: Drop; Default Risk: Low; Default Report Action: Bypass

[anomaly name not preserved]
  The IP packet source address or destination address is the local host address.
  ID: 119; Default Action: Drop; Default Risk: Low; Default Report Action: Bypass

[anomaly name not preserved]
  The source IP address and the destination IP address in the packet header are the same. This is referred to as a LAND, Land, or LanD attack.
  ID: 120; Default Action: Drop; Default Risk: Low; Default Report Action: Bypass

L4 Source or Dest. Port Zero
  The Layer 4 source port or destination port is zero.
  ID: 125; Default Action: Drop; Default Risk: Low; Default Report Action: Bypass

Invalid L4 Header Length
  The length of the Layer 4 (TCP/UDP/SCTP) header is invalid.
  ID: 131; Default Action: Drop; Default Risk: Low; Report Action: Bypass (2)

(1) This anomaly cannot be sampled.
(2) You cannot select Process for this packet-anomaly protection.
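The IPv4 and Layer 4 checks from the table above, implemented as an added Python example; this is not Radware code and DefensePro's own parser is not described on this page. `detect_anomalies` returns the table's ID numbers for one IPv4 packet, and `apply_policy` combines the per-anomaly Action / Risk / Report Action settings into a verdict, with `validate_policy` enforcing footnote (2). Assumptions: "local host" (ID 119) is read as 127.0.0.0/8; the invalid TCP flag combinations checked are null, SYN+FIN, SYN+RST and FIN+RST; when several anomalies match, Drop outranks Bypass, which outranks Process; the L2 and IPv6 checks (100, 107, 108) are not modelled. The sample packets are constructed in the block.

```python
import struct
from typing import Dict, List, Tuple

# Defaults from the table above: ID -> (Action, Risk, Report Action).
DEFAULT_POLICY: Dict[int, Tuple[str, str, str]] = {
    100: ("No Report", "Low", "Process"), 103: ("Drop", "Low", "Bypass"),
    104: ("Drop", "Low", "Bypass"),       105: ("Report", "Low", "Process"),
    107: ("Drop", "Low", "Bypass"),       108: ("Report", "Low", "Process"),
    110: ("No Report", "Low", "Process"), 113: ("Drop", "Low", "Bypass"),
    119: ("Drop", "Low", "Bypass"),       120: ("Drop", "Low", "Bypass"),
    125: ("Drop", "Low", "Bypass"),       131: ("Drop", "Low", "Bypass"),
}
NO_PROCESS_ALLOWED = {104, 107, 131}      # footnote (2): Report Action cannot be Process
SUPPORTED_L4 = {1, 2, 6, 17}              # ICMP, IGMP, TCP, UDP


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 for a header whose checksum field is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def detect_anomalies(frame: bytes) -> List[int]:
    """Sorted packet-anomaly IDs triggered by one IPv4 packet (no L2 header)."""
    if len(frame) < 20:
        return [104]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len != len(frame) or total_len < ihl:
        return [104]                          # lengths disagree with the packet: nothing else is trustworthy
    ids = []
    if ip_checksum(frame[:ihl]) != 0:
        ids.append(103)
    if ttl <= 1:
        ids.append(105)
    if proto not in SUPPORTED_L4:
        ids.append(110)
    if src[0] == 127 or dst[0] == 127:        # assumption: local host = 127.0.0.0/8
        ids.append(119)
    if src == dst:                            # LAND
        ids.append(120)
    l4 = frame[ihl:]
    if proto in (6, 17):
        if len(l4) < (20 if proto == 6 else 8):
            ids.append(131)
        else:
            sport, dport = struct.unpack("!HH", l4[:4])
            if sport == 0 or dport == 0:
                ids.append(125)
            if proto == 6:
                data_offset = (l4[12] >> 4) * 4
                if data_offset < 20 or data_offset > len(l4):
                    ids.append(131)
                flags = l4[13] & 0x3F
                if flags == 0 or flags & 0x03 == 0x03 or flags & 0x06 == 0x06 or flags & 0x05 == 0x05:
                    ids.append(113)           # null, SYN+FIN, SYN+RST, FIN+RST
    return sorted(ids)


def validate_policy(policy: Dict[int, Tuple[str, str, str]]) -> List[int]:
    """IDs configured with Report Action = Process although the table forbids it."""
    return sorted(i for i, (_a, _r, report) in policy.items() if i in NO_PROCESS_ALLOWED and report == "Process")


def apply_policy(ids: List[int], policy=DEFAULT_POLICY) -> Tuple[str, List[Tuple[int, str]]]:
    """Combine per-anomaly settings into one verdict ("drop", "bypass", "process") plus traps (ID, risk)."""
    verdict, traps = "process", []
    for anomaly in ids:
        action, risk, report_action = policy[anomaly]
        if action == "Drop":
            verdict, traps = "drop", traps + [(anomaly, risk)]
        else:                                 # Report / No Report: Report Action decides the packet's path
            if action == "Report":
                traps.append((anomaly, risk))
            if report_action == "Bypass" and verdict == "process":
                verdict = "bypass"
    return verdict, traps


def _ip(addr: str) -> bytes:
    return bytes(int(o) for o in addr.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64, corrupt_checksum: bool = False) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0, ttl, proto, 0, _ip(src), _ip(dst))
    csum = ip_checksum(hdr) ^ (1 if corrupt_checksum else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_tcp(sport: int, dport: int, flags: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


# Constructed sample packets: one clean SYN and one per anomaly.
CLEAN = build_ipv4("10.0.0.1", "192.0.2.10", 6, build_tcp(40000, 80, 0x02))
LAND = build_ipv4("10.0.0.1", "10.0.0.1", 6, build_tcp(40000, 80, 0x02))
SYN_FIN = build_ipv4("10.0.0.1", "192.0.2.10", 6, build_tcp(40000, 80, 0x03))
TTL_ONE = build_ipv4("10.0.0.1", "192.0.2.10", 6, build_tcp(40000, 80, 0x02), ttl=1)
PORT_ZERO = build_ipv4("10.0.0.1", "192.0.2.10", 17, struct.pack("!HHHH", 0, 53, 8, 0))
BAD_SUM = build_ipv4("10.0.0.1", "192.0.2.10", 6, build_tcp(40000, 80, 0x02), corrupt_checksum=True)
GRE = build_ipv4("10.0.0.1", "192.0.2.10", 47, b"\x00\x00\x08\x00")
```

Running the defaults over these packets reproduces the table: the LAND, SYN+FIN, port-zero and bad-checksum packets are dropped with a trap, the TTL=1 packet is only reported and still processed, and the GRE packet (unsupported L4 protocol) is processed silently. `validate_policy` is the check to run after editing the table, since the GUI rule that 104, 107 and 131 cannot be set to Process is easy to lose in a bulk "Report All".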
DNS Flood Protection types can include the following DNS query types: A, MX, PTR, AAAA, Text, SOA, NAPTR, SRV, and Other.
Caution: DefensePro does not support DNS queries of type ANY.

DNS Flood Protection detects statistical anomalies in DNS traffic and generates an accurate attack footprint based on heuristic analysis of protocol information. This keeps attack filtering accurate with minimal risk of false positives. The default average time to create a new real-time signature is between 10 and 18 seconds, which is short relative to flood attacks, which typically last minutes and sometimes hours.

Before you configure DNS Flood Protection profiles, ensure that DNS Flood Protection is enabled. You can also change the default global device settings for DNS Flood Protection. The DNS Flood Protection global settings apply to all network protection-policy rules with DNS Flood profiles on the device.
Parameter / Description

Enable DNS Flood Protection
  Specifies whether DNS Flood Protection is enabled.
  Note: Changing this parameter requires a reboot to take effect.

Learning Response Period
  The initial period from which baselines are primarily weighted. The default and recommended learning response period is one week. If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change by more than 50% daily), set the learning response period to one month. Use a one-day period for testing purposes only.
  Values: Day, Week, Month
  Default: Week
Parameter / Description

Footprint Strictness
  When the DNS Flood Protection module detects a new attack, it generates an attack footprint to block the attack traffic. If the module cannot generate a footprint that meets the footprint-strictness condition, it issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint; however, higher strictness also increases the probability that the module cannot generate a footprint at all.
  Values:
  - High: Enforces at least three Boolean ANDs and no Boolean OR values in the footprint. This level lowers the probability of false positives but increases the probability of false negatives.
  - Medium: Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.
  - Low: Allows any footprint suggested by the DNS Flood Protection module. This level achieves the best attack blocking but increases the probability of false positives.
  The DNS Flood Protection module always treats the checksum field and the sequence-number fields as High Footprint Strictness fields, so a footprint consisting only of a checksum or a sequence number is always considered to satisfy High Footprint Strictness. Table 74 - DNS Footprint Strictness Examples, page 152 shows examples of footprint strictness requirements.
Mitigation Actions
When the protection is enabled and the device detects that a DNS-flood attack has started, it applies the mitigation actions in escalating order, the order in which they appear in the group box. If the first enabled mitigation action does not mitigate the attack satisfactorily after a certain Escalation Period, the device applies the next, more severe enabled action, and so on. The most severe action, Collective Rate Limit, which limits the rate of all DNS queries to the protected server, is always available as the last step.

Enable Signature Challenge
  Specifies whether the device challenges suspect DNS queries that match the real-time signature.
  Default: Enabled
  Note: DefensePro challenges only A and AAAA query types.

Enable Signature Rate Limit
  Specifies whether the device limits the rate of DNS queries that match the real-time signature.
  Default: Enabled

Enable Collective Challenge
  Specifies whether the device challenges all unauthenticated DNS queries to the protected server.
  Default: Enabled
  Note: DefensePro challenges only A and AAAA query types.

Enable Collective Rate Limit
  (Read-only) The device limits the rate of all DNS queries to the protected server.
  Value: Enabled
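The escalation described above, as an added Python model rather than Radware code. The page names the Escalation Period and the four actions but gives no numbers, so the period length (10 s), the two rate limits, and the criterion for "mitigated satisfactorily" (no more than 20% of attack queries still reaching the server in a period) are assumptions; the constructed flood has every query matching the real-time signature and unauthenticated. The point it brings out is the "A and AAAA only" note: a flood of another query type cannot be challenged, so the device must escalate to a rate limit.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

CHALLENGEABLE_QTYPES = {"A", "AAAA"}        # the page: DefensePro challenges only A and AAAA
ESCALATION_ORDER = ["Signature Challenge", "Signature Rate Limit", "Collective Challenge", "Collective Rate Limit"]


@dataclass
class DnsFloodMitigation:
    enabled: Dict[str, bool]                  # the three configurable "Enable ..." parameters
    escalation_period: int = 10               # seconds per stage before escalating (assumed value)
    signature_rate_limit: int = 100           # queries/s allowed for signature matches (assumed)
    collective_rate_limit: int = 200          # queries/s allowed for all queries (assumed)
    max_leak: float = 0.2                     # share of attack queries a stage may still forward (assumed)
    stages: List[str] = field(init=False)
    level: int = 0

    def __post_init__(self) -> None:
        self.stages = [s for s in ESCALATION_ORDER[:3] if self.enabled.get(s, False)]
        self.stages.append("Collective Rate Limit")   # read-only: always present and always last

    def verdict(self, qtype: str, matches_signature: bool, authenticated: bool, nth_this_second: int) -> str:
        """Verdict for one query under the current stage; nth_this_second is its rank within the second."""
        stage = self.stages[self.level]
        challengeable = qtype in CHALLENGEABLE_QTYPES and not authenticated
        if stage == "Signature Challenge":
            return "challenge" if matches_signature and challengeable else "forward"
        if stage == "Signature Rate Limit":
            return "drop" if matches_signature and nth_this_second > self.signature_rate_limit else "forward"
        if stage == "Collective Challenge":
            return "challenge" if challengeable else "forward"
        return "drop" if nth_this_second > self.collective_rate_limit else "forward"


def run_flood(model: DnsFloodMitigation, qtype: str, attack_qps: int = 1000,
              seconds: int = 40) -> Tuple[List[str], Counter]:
    """Constructed flood of signature-matching, unauthenticated queries; returns stages reached and
    a Counter of (stage, verdict) pairs."""
    reached = [model.stages[model.level]]
    verdicts: Counter = Counter()
    period_total = period_forwarded = 0
    for sec in range(1, seconds + 1):
        for n in range(1, attack_qps + 1):
            v = model.verdict(qtype, True, False, n)
            verdicts[(model.stages[model.level], v)] += 1
            period_total += 1
            period_forwarded += int(v == "forward")
        if sec % model.escalation_period == 0:        # end of an Escalation Period: was it satisfactory?
            if period_forwarded / period_total > model.max_leak and model.level < len(model.stages) - 1:
                model.level += 1
                reached.append(model.stages[model.level])
            period_total = period_forwarded = 0
    return reached, verdicts


ALL_ENABLED = {"Signature Challenge": True, "Signature Rate Limit": True, "Collective Challenge": True}

if __name__ == "__main__":
    for qtype in ("A", "MX"):
        stages, counts = run_flood(DnsFloodMitigation(dict(ALL_ENABLED)), qtype)
        print(qtype, "->", " -> ".join(stages), dict(counts))
```

With everything enabled, an A-record flood is fully absorbed by Signature Challenge and never escalates, while an MX flood is forwarded untouched for one whole period before Signature Rate Limit takes over. With the three configurable actions disabled, only Collective Rate Limit remains, and it throttles legitimate and attack queries alike.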
Advanced Parameters
These settings affect periodic attack behavior and are used to detect and block such attacks effectively.

Duration of Non-attack Traffic in Blocking State
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold while in the Blocking state. When the time elapses, DefensePro declares the attack terminated.
  Values in DefensePro 7.20: 45-300
  Default in DefensePro 7.20: 45

Duration of Non-attack Traffic in Anomaly or Non-Strictness State
  The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold while in the Anomaly state or the Non-strictness state. When the time elapses, DefensePro declares the attack terminated.
  Values in DefensePro 7.20: 45-300
  Default in DefensePro 7.20: 45

Enable DNS Protocol Compliance Checks
  Specifies whether the device checks each DNS query for DNS protocol compliance and drops non-compliant queries. (This parameter is available only when the SDM table is enabled.)
  Default: Disabled
Table 74 - DNS Footprint Strictness Examples

Footprint Example                         Medium   High
DNS Query                                 No       No
DNS Query AND DNS ID                      Yes      No
DNS Query AND DNS ID AND Packet Size      Yes      Yes
Parameter / Description

Footprint Bypass Controller
  (Read-only) The selected DNS query type for which you are configuring footprint bypass.

Bypass Field
  (Read-only) The selected Bypass Field to configure.

Bypass Status
  The bypass option.
  Values:
  - Bypass: The DNS Flood Protection module bypasses all possible values of the selected Bypass Field when generating a footprint.
  - Accept: The DNS Flood Protection module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.

Bypass Values
  Used when Bypass Status is Accept. DNS Flood Protection bypasses only the specified values of the selected Bypass Field and may use all other values. The valid values vary according to the selected Bypass Field and must be comma-delimited.
Caution: Modifying the values exposed in the Early Blocking of DNS Traffic feature may impair the accuracy of the DNS-flood-attack footprint that DefensePro generates.

When DefensePro detects a new DNS-flood attack (by default, after 10 seconds), the device generates a DNS-flood-attack footprint and then blocks or drops the relevant flood traffic. In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, blocking must start as soon as possible, even at the cost of accuracy. Using Early Blocking of DNS Traffic, you can configure thresholds for generating DNS-flood-attack footprints that shorten the time until the relevant traffic is blocked. DefensePro generates each footprint from the values of fields in the packet header (for example, Sequence Number, Checksum, and IP ID); those values characterize the attack.
The thresholds that you can configure for the protection to move from the Analysis state to the Blocking state are:
- Packet-header fields: the anomalously distributed packet-header fields that the DefensePro device must detect to generate a footprint and start blocking before the default 10 seconds. (The transition after 10 seconds occurs even if this condition is not met.) You can define either the number of packet-header fields or the specific fields that the device must detect. For more information, see Selecting Packet Header Fields for Early Blocking of DNS Traffic, page 155.
- Packet-header-field values: the number of anomalous packet-header-field values that the DefensePro device must detect to generate a footprint and start early blocking.
Note: The threshold (that is, the packet-header fields or number of packet-header fields) cannot conflict with the Footprint Strictness level. You cannot change the specified Footprint Strictness to one that is lower than the strictness necessary for the DNS Flood Protection mechanism to operate properly. Likewise, you cannot configure fewer packet-header fields than the specified strictness level requires for the DNS Flood Protection mechanism to operate properly.
Parameter / Description

Protection Type
  (Read-only) The protection for which you are configuring early blocking.

Any Packet Header Field
  When selected, DefensePro blocks DNS traffic early based on the specified number of packet-header fields and number of packet-header-field values. Clear the selection to use the specific packet-header fields that you select in the DNS Packet Header table.

[parameter name not preserved: the packet-header-fields threshold]
  The number of anomalous packet-header fields that DefensePro must detect to generate a footprint and start early blocking.
  Values: 0-30
  Default: 21

Packet Header Field Values
  The number of anomalous packet-header-field values that DefensePro must detect to generate a footprint and start early blocking. This value must not be less than the packet-header-fields threshold.
  Values: 1-1000
  Default: 500
Parameter: Description
Protection Type: (Read-only) The protection for which you are configuring early blocking.
Packet Header Field: (Read-only) The packet header field.
Enable Early Blocking Condition: When selected, the packet header field is included in the set of specific packet header fields that DefensePro must detect to generate a footprint and start early blocking.
Note: The terms Network Protection Rule, DefensePro Rule, Network Protection Policy, and Network Policy may be used interchangeably in APSolute Vision and in the documentation. There are two main types of network protections: Intrusion Prevention (see Table 78 - Intrusion Prevention Protections, page 156) and Denial of Service protection (see Table 79 - Denial of Service Protections, page 156).
Protection: Description
Signatures: Prevents known application vulnerabilities and exploitation attempts, and protects against known DoS/DDoS flood attacks.
Anti-Scanning: Prevents zero-day self-propagating network worms, horizontal scans, and vertical scans.
Protection: Description
Behavioral DoS: Detects and prevents zero-day DoS/DDoS flood attacks.
Connection Limit: Protects against connection flood attacks.
SYN Protection: Prevents SYN flood attacks using SYN cookies.
DoS Shield: Protects against known flood attacks and flood attack tools that cause a denial of service effect.
DNS Protection: Detects and prevents zero-day DNS-flood attacks.
Out of State Protection: Detects out-of-state packets to provide additional protection against application-level attacks.
Note: The terms Network Protection Rule, DefensePro Rule, Network Protection Policy, and Network Policy may be used interchangeably in APSolute Vision and in the documentation.
You can configure up to 50 Network Protection policies on a DefensePro device. Before you configure a policy, ensure that you have configured the following:
- The Classes that will be required to define the protected network segment. For more information, see Managing Classes, page 231.
- The Network Protection profiles. For more information, see:
  Configuring Signature Protection for Network Protection, page 160
  Configuring BDoS Profiles for Network Protection, page 175
  Configuring Anti-Scanning Protection for Network Protection, page 178
  Configuring Connection Limit Profiles for Network Protection, page 180
  Configuring SYN Profiles for Network Protection, page 185
  Configuring Connection PPS Limit Profiles for Network Protection, page 1
  Configuring DNS Protection Profiles for Network Protection, page 192
  Configuring Out of State Protection Profiles for Network Protection, page 195
Caution: When you configure the policy, APSolute Vision stores your configuration changes, but it does not download your configuration changes to the device. To apply changes onto the device, you must activate the configuration changes.
3. Configure the network-protection rule parameters; and then, click OK.
4. To activate your configuration changes on the device, click Activate Latest Changes.
Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.
Parameter: Description
Enabled
Rule Name
Instance ID
Classification
SRC Network: The source of the packets that the rule uses. Values: a Network class displayed in the Classes tab; an IP address; any
DST Network: The destination of the packets that the rule uses. Values: a Network class displayed in the Classes tab; an IP address; any
Parameter: Description
Port Group: The Physical Port class or physical port that the rule uses. Values: a Physical Port class displayed in the Classes tab; the physical ports on the device; None
Direction: The direction of the traffic to which the rule relates. Values:
  One Way: The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.
  Two Way: The protection applies to sessions that match the network definitions of the policy regardless of their direction.
  Default: One Way
VLAN Tag Group: The VLAN Tag class that the rule uses. Values: a VLAN Tag class displayed in the Classes tab; None
  Note: If you specify a VLAN group, you cannot specify an MPLS RD group.
MPLS RD Group: The MPLS route distinguisher (RD) class that the rule uses. The device dynamically associates the MPLS tag value with configured MPLS RD values installed between P and PE routers in the provider's MPLS backbone. Values: an MPLS RD class displayed in the Classes tab; None
  Note: If you specify an MPLS RD group, you cannot specify a VLAN group.
Action
Protection Profile (Displayed in the table): The profile to be applied to the network segment defined in this rule.
BDoS Profile: The BDoS profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.
DNS Profile: The DNS Protection profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.
Anti Scanning Profile: The Anti-Scanning profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.
Parameter: Description
Signature Protection Profile: The Signature Protection profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.
Connection Limit Profile: The Connection Limit profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.
SYN Flood Profile: The SYN Flood profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.
Out of State Profile: The Out of State profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.
Action: The default action for all attacks under this policy. Values:
  Block and Report: The malicious traffic is terminated and a security event is generated and logged.
  Report Only: The malicious traffic is forwarded to its destination and a security event is generated and logged.
  Default: Block and Report
  Note: Signature-specific actions override the default action for the policy.
Parameter: Description
Packet Trace: Specifies whether the DefensePro device sends attack packets to the specified physical port. Default: Disabled. Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.
Packet Trace Configuration on Policy Takes Precedence: Specifies whether the configuration of the Packet Trace feature here, on this policy rule, takes precedence over the configuration of the Packet Trace feature in the associated profiles. Caution: A change to this parameter takes effect only after you update policies.
- Worms and viruses
- Trojans and backdoors
- Client-side vulnerabilities
- IRC bots
- Spyware
- Phishing
- Anonymizers
For implications of direction settings for rules and protections, see Table 81 - Implications of Policy Directions, page 161. Policies containing Signature Protection profiles can be configured with Direction set to either One Way or Two Way. Protections can be configured with the Direction values Inbound, Outbound, or In-Outbound. While most attacks (such as worm infections) are detected through their inbound pattern, some attacks, such as trojans, require inspecting outbound patterns initiated by infected hosts. Policies configured with Source = Any and Destination = Any inspect only In-Outbound attacks. Radware provides you with a set of predefined signature profiles for field installation, such as Corporate Gateway, DMZ and LAN protections, Carrier links protections, and so on. Radware profiles are continuously updated along with the weekly signature database maintained by the Radware SOC. You cannot edit Radware signature profiles.
Table 81 - Implications of Policy Directions: rows by Signature Direction (Inbound, Outbound, Inbound or Outbound); columns by policy direction (Ex to in, In to ex, N/A); each cell states whether the traffic is inspected (Inspect) or ignored (Ignore).
Note: Rules in the profile are implicit. That is, when you define a value, the rule includes all signatures that match the selected attribute value plus all the signatures that have no attribute at all. This logic ensures that signatures that may be relevant to the protected network are included even if they are not associated explicitly (by SOC) with the application in the network. To configure Signature Protection profiles, IPS protection must be enabled and global DoS Shield parameters must be configured. For more information, see Configuring Global Signature Protection, page 131 and Configuring DoS Shield Protection, page 131.
To edit a profile, double-click the entry in the table. To display the list of signatures associated with the configured protections for the profile, double-click the entry in the table; and then, click Show Matching Signatures.
To add a rule:
  a. In the rules table, right-click and select Add New Signature Profile.
  b. Enter a profile name, and select an attribute and its value.
  c. Click OK. The new rule is displayed in the rule table.
You can now add more attributes to the rule, and add more values to existing rule attributes.
4. In the rules table, right-click the rule, and select Add Attribute Type.
5. Select an attribute and its value.
6. Click OK. The new attribute is displayed in the rule.
To add a value to an existing rule attribute: in the rules table, right-click the rule attribute, and select Add Attribute Value. Select a value for the attribute. Click OK. The new attribute value is displayed in the rule.
Parameter: Description
Profile Name: The name of the signature profile. For a new profile, enter a profile name.
Show Matching Signatures: This button appears only when editing a profile. Click to display the list of signatures associated with the configured protections for the profile.
Attribute
Value
Note: You can edit and remove only user-defined signatures. For Radware-defined signatures, you can edit the general parameters only.
3. To view user-defined signatures, click Filter by Attribute, select User Signatures in the Display list, and then click Go.
4. To filter the signatures for display:
  - To filter by ID, click Filter by ID, enter the required ID number, and click Go.
  - To filter by attribute, click Filter by Attribute, configure the following parameters, and click Go.
Parameter: Description
Display: Specifies which sets of signatures to display. Values:
  User Signatures: User-defined signatures. You can edit and remove these signatures.
  Static Signatures: Radware-defined signatures. You can edit only the general parameters of these signatures.
  All Signatures: User-defined and Radware-defined signatures.
Attribute Type: Select from the list of predefined attribute types, which are based on the various aspects taken into consideration when defining a new attack.
Attribute Value: Select the value for the defined attribute type.
To edit a signature, display the required signature, then double-click the signature.
Parameter: Description
Signature Name: The name of the signature, up to 29 characters.
Signature ID: (Read-only) The ID assigned to the signature by the system.
Enabled: Specifies whether the signature can be used in protection profiles.
Tracking Time: The time, in milliseconds, over which the Activation Threshold is measured. When the number of packets passing through the device within the configured Tracking Time period exceeds the threshold, the device recognizes an attack. Default: 1000
Parameter: Description
Tracking Type: Specifies how the device determines which traffic to block or drop when under attack. Values:
  Destination Count: Select this option when the defined attack is destination-based, that is, the hacker is attacking a specific destination, such as a Web server (for example, Ping Floods or DDoS attacks).
  Drop All: Select this option when each packet of the defined attack is harmful (for example, Code Red and Nimda attacks). Caution: On devices without the SME, this option may have a negative impact on performance.
  Sampling: Select this option when the defined attack is based on sampling, that is, a DoS Shield attack.
  Source and Destination Count: Select this option when the attack type is a source- and destination-based attack, that is, the hacker is attacking from a specific source IP address to a specific destination IP address (for example, Port Scan attacks).
  Source Count: Select this option when the defined attack is source-based, that is, the attack can be recognized by its source address (for example, a Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available in the network).
  Drop All: On devices without the SME.
  Sampling: On devices without the SME.
Action: The action taken when an attack is detected. Values:
  Drop: The packet is discarded.
  Report Only: The packet is forwarded to the defined destination.
  MM7: If the packet contains a threat, the device drops the message and sends an application-level error message to the server to remove the message from the queue and prevent a re-transmission. The error message contains the Transaction ID, Content Length, and Message ID.
  Reset Source: Sends a TCP-Reset packet to the packet source IP address.
  Reset Destination: Sends a TCP-Reset packet to the destination address.
  Reset Bidirectional: Sends a TCP-Reset packet to both the packet source IP and the packet destination IP address.
  Default: Drop
Parameter: Description
Suspend Action: Specifies which session traffic the device suspends for the duration of the attack. Values:
  None: The suspend action is disabled for this attack.
  Source IP: All traffic from the IP address identified as the source of this attack is suspended.
  Source IP and Destination IP: Traffic from the IP address identified as the source of this attack to the destination IP address under attack is suspended.
  Source IP and Destination Port: Traffic from the IP address identified as the source of this attack to the application (destination port) under attack is suspended.
  Source IP, Destination IP and Port: Traffic from the IP address identified as the source of this attack to the destination IP address and port under attack is suspended.
  Source IP and Port, Destination IP and Port: Traffic from the IP address and port identified as the source of this attack to the destination IP address and port under attack is suspended. With this action, if Session Drop Mechanism is enabled, there is no entry for the session in the Suspend Table.
Direction: The protection inspection path. The protection can inspect the incoming traffic only, the outgoing traffic only, or both. Values: Inbound, Outbound, Inbound & Outbound. Default: Inbound & Outbound
Activation Threshold: The maximum number of attack packets allowed in each Tracking Time unit. Up to this number of matching packets within the Tracking Time period is treated as legitimate traffic. When the value for Tracking Type is Drop All, the DefensePro device ignores this parameter. Default: 50
Drop Threshold: After an attack has been detected, the device starts dropping excessive traffic only when this threshold is reached. This parameter is measured in PPS. When the value for Tracking Type is Drop All, the profile ignores this parameter. Default: 50
Termination Threshold: When the attack PPS rate drops below this threshold, the profile changes the attack from active mode to inactive mode. When the value for Tracking Type is Drop All, the DefensePro device ignores this parameter. Default: 50
Packet Report: Enables the sending of sampled attack packets to APSolute Vision for offline analysis. Default: Disabled
Exclude Source IP Address: The source IP address or network whose packets the profile does not inspect. Default: None
Parameter: Description
Exclude Destination IP Address: The destination IP address or network whose packets the profile does not inspect. Default: None
Packet Trace: Specifies whether the DefensePro device sends attack packets to the specified physical port. Default: Disabled. Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.
(This parameter is for future use.)
Description: (Read-only) A description of the static signature. You cannot configure a description for a user-defined signature.
Filters: Filters are components of a protection, each containing one specific attack signature, that scan and classify predefined traffic. Filters match scanned packets with attack signatures in the Signatures database. For each custom protection, you define custom filters. You cannot use filters from other protections when customizing protection definitions. To add a filter, right-click and select Add New Filter. To edit a filter, right-click and select Edit Filter. Note: For more information, see Table 84 - Signature Filter Parameters, page 167.
Attributes Table: The attributes that you select for the signature determine the attack characteristics used in the rule creation process. To add an attribute value, right-click in the table; and then, select Add New Attribute Value.
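The following is an added example, not code from the guide or from Radware, that models how a signature's Tracking Time, Activation Threshold, Drop Threshold and Termination Threshold (described in the table above) interact over a stream of matching packets. The window-based counting, the verdict names and the sample traffic timeline are my assumptions; the only behaviour taken literally from the guide is that Tracking Type Drop All ignores the thresholds and drops every matching packet.

```python
# Added example (not Radware code): a small model of how a signature's Tracking
# Time, Activation Threshold, Drop Threshold and Termination Threshold interact.
# Assumptions (mine, not from the guide): matching packets are counted per
# consecutive Tracking Time window; exceeding Activation Threshold within a
# window detects the attack; while detected, packets are dropped only once the
# window count reaches Drop Threshold; a completed window whose count is below
# Termination Threshold returns the signature to inactive. Tracking Type
# "Drop All" drops every matching packet and ignores the thresholds.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class SignatureTracker:
    tracking_time_ms: int = 1000   # Tracking Time, default 1000 ms
    activation: int = 50           # Activation Threshold, default 50
    drop: int = 50                 # Drop Threshold (PPS), default 50
    termination: int = 50          # Termination Threshold (PPS), default 50
    tracking_type: str = "Source Count"
    active: bool = field(default=False, init=False)
    _window_start: Optional[int] = field(default=None, init=False)
    _count: int = field(default=0, init=False)

    def _roll_windows(self, ts_ms: int) -> None:
        """Close every Tracking Time window that ended before ts_ms."""
        if self._window_start is None:
            self._window_start = ts_ms
            return
        while ts_ms - self._window_start >= self.tracking_time_ms:
            if self.active and self._count < self.termination:
                self.active = False        # rate fell below Termination Threshold
            self._window_start += self.tracking_time_ms
            self._count = 0

    def packet(self, ts_ms: int) -> str:
        """Verdict for one packet that matches the signature: 'forward' or 'drop'."""
        if self.tracking_type == "Drop All":
            return "drop"                  # every packet is harmful; thresholds ignored
        self._roll_windows(ts_ms)
        self._count += 1
        if not self.active and self._count > self.activation:
            self.active = True             # attack detected in this window
        if self.active and self._count >= self.drop:
            return "drop"                  # excessive traffic at or above Drop Threshold
        return "forward"


def simulate(tracker: SignatureTracker, timestamps_ms: List[int]) -> List[str]:
    """Feed packets in time order and collect the per-packet verdicts."""
    return [tracker.packet(t) for t in timestamps_ms]


def sample_timeline() -> List[int]:
    """Constructed traffic: 100 packets in second 0, 30 in second 1, 5 in second 2, 1 at 3.5 s."""
    return ([i * 10 for i in range(100)]
            + [1000 + i * 30 for i in range(30)]
            + [2000 + i * 200 for i in range(5)]
            + [3500])


def run_sample():
    """Activation 50, Drop 60, Termination 20: the burst is detected at packet 51,
    dropping starts at packet 60, and the quiet third second ends the attack."""
    tracker = SignatureTracker(activation=50, drop=60, termination=20)
    verdicts = simulate(tracker, sample_timeline())
    return verdicts, tracker


if __name__ == "__main__":
    v, t = run_sample()
    print(f"dropped {v.count('drop')} of {len(v)} packets; still active: {t.active}")
```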
Each filter has a specified name and specified protocol-properties parameters.
Parameter: Description
Filter Name: The name of the signature filter.
Protocol: The protocol used. Values: ICMP, ICMPv6, IP, Non IP, TCP, UDP. Default: IP
Parameter: Description
Source Application Port: For UDP and TCP traffic only. Select from the list of predefined Application Port Groups.
Destination Application Port: For UDP and TCP traffic only. Select from the list of predefined Application Port Groups.
Packet Parameters
Packet parameters are used to match the packet length as measured at different layers.
Packet Size Type: Specifies whether the length is measured for Layer 2, Layer 3, Layer 4, or Layer 7 content. Values:
  L2: The complete packet length is measured, including Layer 2 headers.
  L3: The Layer 2 data part of the packet is measured (excluding the Layer 2 headers).
  L4: The Layer 3 data part of the packet is measured (excluding the Layer 2/Layer 3 headers).
  L7: The Layer 4 data part of the packet is measured (excluding the Layer 2/Layer 3/Layer 4 headers).
  None
  Default: None
Packet Size Length: The range of values for packet length. Notes: The size is measured per packet only; it is not applied to reassembled packets. Fragmentation of Layer 4–Layer 7 packets may result in tail fragments that do not contain the Layer 4–Layer 7 headers; for such fragments the check is bypassed, as no match with Type = L4–L7 is detected.
OMPC Parameters
Offset Mask Pattern Condition (OMPC) parameters are a set of attack parameters that define rules for pattern lookups. The OMPC rules look for a fixed-size pattern of up to four bytes at a fixed offset, with masking. This is useful for attack recognition when the attack signature is a TCP/IP header field or a pattern in the data/payload at a fixed offset.
OMPC Condition: The OMPC condition. Values: Equal, Greater Than, Less Than, Not Equal, Not Applicable
Parameter: Description
OMPC Length: The length of the OMPC (Offset Mask Pattern Condition) data. Values: Not Applicable, 1 Byte, 2 Bytes, 3 Bytes, 4 Bytes. Default: 1 Byte
OMPC Offset: The location in the packet from where data checking starts looking for specific bits in the IP/TCP header. Values: 0–1513. Default: 0
OMPC Offset Relative to: Specifies the point in the packet to which the OMPC offset is relative. Values: None, IP Header, IP Data, L4 Data, L4 Header, Ethernet. Default: None
OMPC Pattern: The fixed-size pattern within the packet that OMPC rules attempt to find. Values: a combination of hexadecimal digits (0–9, a–f). The significant length is defined by the OMPC Length parameter. The OMPC Pattern definition contains eight symbols; when the OMPC Length is less than four bytes, complete it with zeros. For example, when the OMPC Length is two bytes, the OMPC Pattern can be abcd0000. Default: 00000000
OMPC Mask: The mask for the OMPC data. Values: a combination of hexadecimal digits (0–9, a–f). The significant length is defined by the OMPC Length parameter. The OMPC Mask definition contains eight symbols; when the OMPC Length value is less than four bytes, complete it with zeros. For example, when the OMPC Length is two bytes, the OMPC Mask can be abcd0000. Default: 00000000
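The following added example (mine, not Radware's code) evaluates an OMPC rule expressed with the parameters above against a raw Ethernet frame. The mapping of the "OMPC Offset Relative to" values to byte positions, the IPv4/TCP-only framing, and the sample SYN frame are my assumptions; the guide does not specify them.

```python
# Added example (not Radware code): evaluate one OMPC rule against a raw frame.
# Assumptions (mine, not from the guide): the frame is Ethernet II carrying IPv4;
# "Ethernet" and "None" mean byte 0 of the frame, "IP Header" the first byte of
# the IPv4 header, "IP Data" and "L4 Header" the first byte after the IPv4 header,
# and "L4 Data" the first byte after the TCP or UDP header.
import struct

ETH_HDR_LEN = 14
IP_PROTO_TCP, IP_PROTO_UDP = 6, 17


def base_offset(frame: bytes, relative_to: str) -> int:
    """Translate the 'OMPC Offset Relative to' value into an absolute byte index."""
    if relative_to in ("None", "Ethernet"):
        return 0
    ip_start = ETH_HDR_LEN
    if relative_to == "IP Header":
        return ip_start
    l4_start = ip_start + (frame[ip_start] & 0x0F) * 4      # IHL is in 32-bit words
    if relative_to in ("IP Data", "L4 Header"):
        return l4_start
    if relative_to == "L4 Data":
        proto = frame[ip_start + 9]
        if proto == IP_PROTO_TCP:                            # data offset, upper nibble
            return l4_start + (frame[l4_start + 12] >> 4) * 4
        if proto == IP_PROTO_UDP:                            # fixed 8-byte header
            return l4_start + 8
        raise ValueError("L4 Data base is only modelled for TCP and UDP")
    raise ValueError(f"unknown OMPC base {relative_to!r}")


def ompc_match(frame: bytes, *, offset: int, length: int, pattern: str,
               mask: str, condition: str, relative_to: str = "None") -> bool:
    """Apply Offset/Mask/Pattern/Condition; a packet too short to hold the field never matches."""
    if not 1 <= length <= 4:
        raise ValueError("OMPC Length must be 1 to 4 bytes")
    if not 0 <= offset <= 1513:
        raise ValueError("OMPC Offset must be 0 to 1513")
    # Pattern and mask are written as eight hex symbols padded with zeros;
    # only the first `length` bytes are significant.
    pat = int(pattern[:2 * length], 16)
    msk = int(mask[:2 * length], 16)
    start = base_offset(frame, relative_to) + offset
    fld = frame[start:start + length]
    if len(fld) < length:
        return False
    value = int.from_bytes(fld, "big") & msk
    conditions = {
        "Equal": value == pat,
        "Not Equal": value != pat,
        "Greater Than": value > pat,
        "Less Than": value < pat,
    }
    return conditions[condition]


def build_sample_syn_frame() -> bytes:
    """Constructed test input: Ethernet II + IPv4 (TTL 64) + TCP SYN from port 40000 to 80."""
    eth = bytes(6) + bytes(6) + b"\x08\x00"                   # dst MAC, src MAC, IPv4 EtherType
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, IP_PROTO_TCP, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    return eth + ip + tcp


def syn_flag_set(frame: bytes) -> bool:
    """In the guide's terms: Offset 13 relative to L4 Header, Length 1 Byte,
    Pattern 02000000, Mask 02000000, Condition Equal (the TCP SYN bit is set)."""
    return ompc_match(frame, offset=13, length=1, pattern="02000000",
                      mask="02000000", condition="Equal", relative_to="L4 Header")


def ttl_above_63(frame: bytes) -> bool:
    """Offset 8 relative to IP Header, Length 1 Byte, Pattern 3f000000, Mask ff000000, Greater Than."""
    return ompc_match(frame, offset=8, length=1, pattern="3f000000",
                      mask="ff000000", condition="Greater Than", relative_to="IP Header")


if __name__ == "__main__":
    f = build_sample_syn_frame()
    print("SYN set:", syn_flag_set(f), "TTL > 63:", ttl_above_63(f))
```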
Parameter: Description
The Content parameters define the rule for a text/content string lookup for attack recognition, when the attack signature is a text/content string within the packet payload. The Content parameters are available only for the TCP, UDP, and ICMP protocols.
Content Type: Enables you to search for a specific content type, which you select from a long list. For the list of valid values, see Table 85 - Content Types, page 171. Default: N/A (the device does not filter the content based on type).
Content Encoding: Application Security can search for content in languages other than English, for case-sensitive or case-insensitive text, and for hexadecimal strings. Values: Not Applicable, Case Insensitive, Case Sensitive, Hex, International. Default: Not Applicable. Note: The value of this field corresponds to the Content Type parameter.
Content: The value of the content search, except for HTTP headers, cookies, and FTP commands. Values: printable ASCII characters: <space> ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~
Content Offset: The location in the packet from which the content is checked. The offset location is measured from the beginning of the UDP or TCP header. Values: 0–65,535. Default: 0
Content Max Length: The maximum length to be searched within the selected Content Type. Values: 0–65,535. Default: 0. Note: The Content Max Length value must be equal to or greater than the Offset value.
Content Data Encoding: Application Security can search for data in languages other than English, for case-sensitive or case-insensitive data, and for hexadecimal strings. Values: Not Applicable, Case Insensitive, Case Sensitive, HEX, International. Default: Not Applicable. Note: The value of this field corresponds to the Content Type parameter.
Parameter: Description
Content Data: The content type for the content search. Values:
  HTTP Header: The value of the HTTP header. The header is defined by the Content field.
  Cookie: The cookie value. The cookie is defined by the Content field.
  FTP Command: The FTP command arguments. The FTP command is defined by the Content field.
Distance Range: A range that defines the allowable distance between two content characters. When the distance exceeds the specified range, it is recognized as an attack.
Specifies whether the Content Data field value is formatted as a regular expression (and not as free text to search). You can set a regex search for all content types.
Specifies whether the Content Data value is formatted as a regular expression (and not as free text to search).
The following table describes the Content types that you can configure the device to examine as part of the attack signature.
Content Type: Description
Cookie: The HTTP cookie field. The Content field includes the cookie name, and the Content Data field includes the cookie value.
DCE-RPC: Distributed Computing Environment/Remote Procedure Calls.
File Type: The requested file type in the HTTP GET command (JPG, EXE, and so on).
FTP Command: Parses FTP commands into commands and arguments, while normalizing FTP packets and stripping Telnet opcodes.
FTP Content: Scans data transmitted using FTP, normalizes FTP packets, and strips Telnet opcodes.
Header Field: The HTTP Header field. The Content field includes the header field name, and the Content Data field includes the field value.
Host Name: In the HTTP header.
HTTP Reply Data: The data of the HTTP reply. This is available only in devices with an SME.
HTTP Reply Header: The header of the HTTP reply. This is available only in devices with an SME.
Mail Domain: In the SMTP header.
Mail From: In the SMTP header.
Mail Subject: In the SMTP header.
Mail To: In the SMTP header.
MM7 File Attachment: The file associated with the MM7 request.
MM7 Request: The request for an MM7 Error message.
Content Type: Description
Normalized URL: To avoid evasion techniques when classifying HTTP requests, the URL content is transformed into its canonical representation, interpreting the URL the same way the server would. The normalization procedure supports the following:
  - Directory referencing, by reducing /./ into / or A/B/../ to A/.
  - Changing backslash (\) to slash (/).
  - Changing HEX encoding to ASCII characters. For example, the hex value %20 is changed to a space.
  - Unicode support, UTF-8 and IIS encoding.
The User field in the POP3 header.
Reassembles RPC requests over several packets. The RPC RFC 1831 standard provides a feature called Record Marking Standard (RM). This feature is used to delimit several RPC requests sent on top of the transport protocol. For a stream-oriented protocol (like TCP), RPC uses a kind of fragmentation to delimit between records. In spite of its original purpose, fragmentation may also divide records in the middle, not only at their boundaries. This functionality is used to evade IPS systems.
Anywhere in the packet.
The length, in bytes, of the URI packet.
The HTTP Request URI. No normalization procedures are applied.
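The following is an added example, not code from the guide or from Radware, that applies the four Normalized URL steps listed above to a request URL before a content match. It assumes (my choices, not the guide's) that %XX sequences are decoded once as UTF-8, that the IIS-style %uXXXX form is decoded as a Unicode code point, and that the query string is left untouched.

```python
# Added example (not Radware code): the URL normalization steps the guide lists,
# applied before matching a signature against an HTTP request URL.
# Assumptions (mine): %XX is decoded once as UTF-8, IIS %uXXXX is decoded as a
# Unicode code point, and the query string (after "?") is left as-is.
import re
from urllib.parse import unquote

_IIS_UNICODE = re.compile(r"%u([0-9A-Fa-f]{4})")


def remove_dot_segments(path: str) -> str:
    """Collapse /./ to / and A/B/../ to A/, the way a server resolving the path would."""
    absolute = path.startswith("/")
    segments = path[1:].split("/") if absolute else path.split("/")
    out = []
    for segment in segments:
        if segment == ".":
            continue                       # "/./" contributes nothing
        if segment == "..":
            if out:
                out.pop()                  # step back one directory; never above the root
            continue
        out.append(segment)
    result = "/".join(out)
    return "/" + result if absolute else result


def normalize_url(url: str) -> str:
    """Canonical form: backslashes unified, encodings decoded, dot segments removed."""
    path, sep, query = url.partition("?")
    path = path.replace("\\", "/")                                     # backslash to slash
    path = _IIS_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), path)  # IIS %uXXXX
    path = unquote(path, encoding="utf-8", errors="replace")           # %XX hex, UTF-8 aware
    path = remove_dot_segments(path)
    return path + sep + query


def sample_normalizations() -> dict:
    """Constructed inputs covering each step; returned so the results can be checked."""
    inputs = [
        "/static\\img/../cgi%2Dbin/./admin%20panel?id=%2e%2e",  # all four steps at once
        "/%u002e%u002e/config",                                  # IIS-encoded dot segments
        "/docs/a/b/../",                                         # A/B/../ becomes A/
        "/caf%C3%A9",                                            # UTF-8 multibyte sequence
    ]
    return {u: normalize_url(u) for u in inputs}


if __name__ == "__main__":
    for raw, canon in sample_normalizations().items():
        print(f"{raw!r:55} -> {canon!r}")
```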
Note: You can view properties of attribute types, and for the attribute types Complexity, Confidence, and Risk you can also specify the Match Method (Minimum or Exact). For more information, see Viewing and Modifying Attribute Type Properties, page 174. Attributes are derived from the Signatures database and are added dynamically with any update. For information about attribute types and their system values, see Table 86 - Attribute Types, page 173.
3. To add a new attribute:
  a. Click the (Add) button.
  b. Select the attribute type, and enter the attribute name.
  c. Click OK.
Attribute Type: Description
Applications: The applications that are vulnerable to this exploit. Examples: Web servers, mail servers, browsers. The parameter is optional; that is, the attribute may or may not contain a value. There can be multiple values.
Complexity: The level of analysis performed as part of the attack lookup mechanism. There can be only a single value for the parameter. Values:
  Low: This signature has negligible impact on device performance.
  High: This signature has a stronger impact on device performance.
Confidence: The level of certainty to which an attack can be trusted. The confidence level is the opposite of the false-positive level associated with an attack. For example, if an attack's confidence level is set to High, its false-positive level is low. The parameter is mandatory. There can be only a single value for the parameter. Values: Low, Medium, High
Groups: Enables you to create customized attack groups.
Platforms: The operating systems that are vulnerable to this exploit. Examples: Windows, Linux, Unix. The parameter is optional; that is, the attribute may or may not contain a value. There can be multiple values.
Risk: The risk associated with the attack. For example, attacks that impact the network are very severe and are defined as high-risk attacks. The parameter is mandatory. There can be only a single value for the parameter. Values: Info, Low, Medium, High
Attribute Type: Description
Services: The protocol that is vulnerable to this exploit. Examples: FTP, HTTP, DNS. The parameter is optional; that is, the parameter may or may not contain a value. There can be only a single value for the parameter.
The target of the threat: client side or server side.
The threats that best describe the signature. Examples: floods, worms. There can be multiple values.
You can change the Match Method for the attribute types Complexity, Confidence, and Risk.
To change the Match Method for the Complexity, Confidence, and Risk attribute types:
1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Attributes > Attribute Type Properties.
2. Double-click the attribute type.
3. From the Match Method drop-down list, select Minimum or Exact.
4. Click OK.
You can configure footprint bypass to bypass specified footprint types or values. For more information, see Configuring BDoS Footprint Bypass, page 136.
Parameter: Description
Profile Name: The name of the BDoS profile.
Enable Transparent Optimization: Specifies whether transparent optimization is enabled. Some network environments are more sensitive to dropped packets (for example, VoIP); there it is necessary to minimize the probability that legitimate traffic is dropped by the IPS device. This transparent optimization can occur during BDoS's closed-feedback iterations until a final footprint is generated. Note: When transparent optimization is enabled, the profile does not mitigate the attack until the final footprint is generated, which takes several seconds.
Bandwidth Settings
Inbound Traffic: The maximum inbound traffic bandwidth, in Kbit/s, expected on your links. DefensePro derives the initial baselines from the bandwidth and quota settings. Minimum: 1. Values: 0–2,147,483,647. Caution: You must configure this setting to start Behavioral DoS protection.
Outbound Traffic: The maximum outbound traffic bandwidth, in Kbit/s, expected on your links. DefensePro derives the initial baselines from the bandwidth and quota settings. Minimum: 1. Values: 0–2,147,483,647. Caution: You must configure this setting to start Behavioral DoS protection.
Parameter: Description
Radware recommends that you initially leave the quota fields empty so that the default values are used automatically. To view the default values after creating the profile, double-click the entry in the table. You can then adjust quota values based on your network performance. Caution: When you change a bandwidth setting (Inbound Traffic or Outbound Traffic), the quota settings automatically change to the default values appropriate for the bandwidth. Note: The total of the quota values may exceed 100%, as each value represents the maximum volume per protocol.
TCP: The maximum expected percentage of TCP traffic out of the total traffic.
UDP: The maximum expected percentage of UDP traffic out of the total traffic.
ICMP: The maximum expected percentage of ICMP traffic out of the total traffic.
IGMP: The maximum expected percentage of IGMP traffic out of the total traffic.
Advanced Parameters
UDP Packet Rate Sensitivity: (For certain versions, this parameter is labeled Level Of Regularization.) The packet-rate detection sensitivity, that is, to what extent the BDoS engine considers the UDP PPS-rate values (baseline and current). This parameter is relevant only for BDoS UDP protection. Values: Disable, Low, Medium, High. Default: Low
Note: In some cases, you may find that network elements legitimately perform scanning as part of their normal operation. It is recommended to place such elements in the White List to avoid interruption of network operation.
Before you configure anti-scanning profiles, ensure the following:
- The Session table Lookup Mode is Full Layer 4.
- Anti-Scanning is enabled and the global parameters are configured.
- Anti-Scanning global parameters are defined for all profiles on the device.
DefensePro User Guide Security Configuration

Before you configure an Anti-Scanning profile, ensure the following:
  - The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session Table Settings, page 101.
  - Anti-scanning protection is enabled and the global parameters are configured. For more information, see Configuring Global Signature Protection, page 131.
Parameter: Rule Name
Description: The name of the profile.

Parameter: Enable TCP Protection
Description: Specifies whether the profile protects against horizontal and vertical TCP scans, including worm propagation activity, over TCP.

Parameter: Enable UDP Protection
Description: Specifies whether the profile protects against horizontal and vertical UDP scans, including worm propagation activity, over UDP.

Parameter: Enable ICMP Protection
Description: Specifies whether the profile protects against ping sweeps.

Parameter: Type
Description: The type of traffic protected using the Anti-Scanning profile.
  Values:
    GW: Detects incoming or outgoing scanning attempts, such as scanning worms.
    Carrier: Detects large scale scanning worms for carrier links.
    Internal: Prevents the spreading of worm activity in corporate LANs.

Description: The level of sensitivity to scanning activities before the profile activates Anti-Scanning protection. High means that few scanning attempts trigger the Anti-Scanning protection, whereas Very Low means that a high number of scanning attempts is needed to trigger it.
  Values: High, Medium, Low, Very Low
  Default: Low
Parameter: Accuracy
Description: The accuracy level that determines the minimum number of parameters used in the footprint. The higher the accuracy, the more parameters are required to appear in the footprint. If DefensePro is unable to find a footprint with the minimum number of parameters for the specified accuracy level, DefensePro does not block the attack.
  Values: High, Medium, Low
  Default: Medium
Parameter: Single Port
Description: Specifies whether the DefensePro device only blocks scans that are done on a single L4 port. Scans on a single L4 port are usually network worms. When enabled, DefensePro does not block scans that are done from the same source on multiple L4 ports.
  Default: Disabled

Parameter: Packet Trace
Description: Specifies whether the DefensePro device sends attack packets to the specified physical port.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Description: Enter the Layer 4 trusted port on which scanning is allowed.
  Values: 1–65,535
Recommended settings for policies that include Connection Limit profiles:
  - Configure policies containing Connection Limit profiles using Networks only with source = Any (the public network) and destination = Protected Network.
  - You can define segments using VLAN tag, MPLS RDs, and physical ports.
  - It is not recommended to define networks when the Source and Destination are set to Any.
  - Policies containing Connection Limit profiles can be configured with Direction set to either One Way or Two Way.

Before you configure a Connection Limit profile, ensure the following:
  - Connection Limit protection is enabled (under the Security Settings tab).
  - The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session Table Settings, page 101.
  - (Recommended) The required Connection Limit protections are configured. For more information, see Configuring Connection Limit Protections, page 182.
3. To add Connection Limit protections to the profile, in the Edit Connection Limit Profile dialog box protections table:
   a. Right-click and select Add New Connection Limit Protection.
   b. Select the protection name and click OK.
4. To define additional Connection Limit protections for the profile, click Go To Protection Table. For more information, see Connection Limit Protection Parameters, page 182.
Note: A Connection Limit profile should include all the Connection Limit attacks that you want to apply in a network-policy rule.
Parameter: Profile Name
Description: (Read-only) The name of the Connection Limit profile.

Parameter: Connection Limit Protection Table
Description: Lists the Connection Limit protection name and ID for each protection to be applied for the selected profile. To add a protection, in the table, right-click and select Add New Connection Limit Protection. Select the protection name and click OK.
  Note: In each rule, you can use only one Connection Limit profile. Therefore, ensure that all the protections that you want to apply to a rule are contained in the profile specified for that rule.

Parameter: Go To Protection Table
Description: Opens the Connection Limit Protection dialog box in which you can add and modify Connection Limit protections.
Note: Connection Limit protections are sometimes referred to as Connection Limit Attacks.
Parameter: Protection ID
Description: (Read-only) The ID number assigned to the Connection Limit protection.

Parameter: Protection Name
Description: A descriptive name for easy identification when configuring and reporting.

Parameter: Application Port Group Name
Description: The group of Layer 4 ports that represent the application you want to protect.

Parameter: Protocol
Description: The Layer 4 protocol of the application you want to protect.
  Values: TCP, UDP
  Default: TCP
Parameter: Number of Connections
Description: The maximum number of new TCP connections, or new UDP sessions, per second, allowed for each source, destination, or source-and-destination pair. All additional sessions are dropped. When the threshold is reached, an attack is identified and a security event is generated.
  Default: 50

Parameter: Tracking Type
Description: The counting rule for tracking sessions.
  Values:
    Source and Target Count: Sessions are counted per source IP and destination IP address combination.
    Source Count: Sessions are counted per source IP address.
    Target Count: Sessions are counted per destination IP address.
  Default: Source Count
  Note: When Tracking Type is Target Count, the Suspend Action can only be None.

Parameter: Action Mode
Description: The action when an attack is detected.
  Values:
    Drop: The packet is discarded.
    Report-only: The packet is forwarded to the destination IP address.
    Reset Source: Sends a TCP-Reset packet to the packet source IP address.
  Default: Drop

Parameter: Risk
Description: The risk assigned to this attack for reporting purposes.
  Values: High, Info, Low, Medium
  Default: Medium
Parameter: Suspend Action
Description: Specifies which session traffic the device suspends for the attack duration.
  Values:
    None: Suspend action is disabled for this attack.
    Source IP: All traffic from the IP address identified as the source of this attack is suspended.
    Source IP + Destination IP: Traffic from the IP address identified as the source of this attack to the destination IP address under attack is suspended.
    Source IP + Destination Port: Traffic from the IP address identified as the source of this attack to the application (Destination port) under attack is suspended.
    Source IP + Destination IP and Port: Traffic from the IP address identified as the source of this attack to the destination IP address and port under attack is suspended.
    Source IP and Port + Destination IP and Port: Traffic from the IP address and port identified as the source of this attack to the destination IP address and port under attack is suspended.
  Default: None
  Note: When Tracking Type is Target Count, the Suspend Action can only be None.
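To make the interaction of Number of Connections, Tracking Type, Action Mode and Suspend Action concrete, the following is an added example (not DefensePro code and not Radware's implementation) that counts new sessions per second under each counting rule and records a suspend entry on the first threshold crossing. The suspend duration, the flow dictionary layout, the return labels and the sample flows are constructed assumptions.

```python
from collections import defaultdict

# Counting rule for each Tracking Type: which flow fields identify one counter.
TRACKING_KEYS = {
    "source_count": ("src",),
    "target_count": ("dst",),
    "source_and_target_count": ("src", "dst"),
}

# Flow fields that a Suspend Action blocks for the attack duration.
SUSPEND_KEYS = {
    "none": None,
    "source_ip": ("src",),
    "source_ip_destination_ip": ("src", "dst"),
    "source_ip_destination_port": ("src", "dport"),
    "source_ip_destination_ip_and_port": ("src", "dst", "dport"),
    "source_ip_and_port_destination_ip_and_port": ("src", "sport", "dst", "dport"),
}


class ConnectionLimitProtection:
    """Per-second new-session limiter modelled on the parameters above.

    new_session(flow, second) returns 'allow', 'drop', 'reset_source',
    'report' (Report-only mode) or 'suspended' (flow matches a suspend entry).
    """

    def __init__(self, number_of_connections=50, tracking_type="source_count",
                 action_mode="drop", suspend_action="none", suspend_seconds=60):
        if tracking_type not in TRACKING_KEYS or suspend_action not in SUSPEND_KEYS:
            raise ValueError("unknown tracking type or suspend action")
        if tracking_type == "target_count" and suspend_action != "none":
            raise ValueError("When Tracking Type is Target Count, Suspend Action can only be None")
        if action_mode not in ("drop", "report_only", "reset_source"):
            raise ValueError("unknown action mode")
        self.limit = number_of_connections
        self.tracking_fields = TRACKING_KEYS[tracking_type]
        self.suspend_fields = SUSPEND_KEYS[suspend_action]
        self.action_mode = action_mode
        self.suspend_seconds = suspend_seconds  # assumed duration; the page does not state it
        self.counts = defaultdict(int)   # (second, tracking key) -> new sessions seen
        self.suspended = {}              # suspend key -> second at which the entry expires
        self.events = []                 # (second, tracking key) security events

    def new_session(self, flow, second):
        skey = None
        if self.suspend_fields is not None:
            skey = tuple(flow[f] for f in self.suspend_fields)
            if self.suspended.get(skey, -1) > second:
                return "suspended"
        tkey = tuple(flow[f] for f in self.tracking_fields)
        self.counts[(second, tkey)] += 1
        if self.counts[(second, tkey)] <= self.limit:
            return "allow"
        if self.counts[(second, tkey)] == self.limit + 1:
            # First session over the threshold in this second: one security event,
            # and the suspend entry (if configured) starts here.
            self.events.append((second, tkey))
            if skey is not None:
                self.suspended[skey] = second + self.suspend_seconds
        if self.action_mode == "report_only":
            return "report"   # the session is still forwarded
        return self.action_mode
```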
To edit a profile, double-click the entry in the table.
   a. Right-click in the table and select Add New SYN Flood Protection.
   b. From the Profile Name drop-down list, select the protection.
   c. Click OK.
4. To define additional SYN flood protections for the profile, click Go To Protection Table.
Note: A SYN profile should contain all the SYN flood protections that you want to apply in a network-policy rule.
Parameter: Profile Name
Description: (Read-only) The name of the profile.

Parameter: SYN Protection Table
Description: Contains the protections to be applied for the selected profile. To add a protection, in the table, right-click and select Add New SYN Flood Protection. Select the protection name and click OK.
  Note: In each rule, you can use only one SYN profile. Therefore, ensure that all the protections that you want to apply to a rule are contained in the profile specified for that rule.

Parameter: Go To Protection Table
Description: Opens the Syn Protections dialog box in which you can add and modify SYN protections.
Parameter: Protection Name
Description: A name for easy identification of the attack for configuration and reporting.
  Note: Predefined SYN Protections are available for the most common applications: FTP, HTTP, HTTPS, IMAP, POP3, RPS, RTSP, SMTP, and Telnet. The thresholds are predefined by Radware. You can change the thresholds for these attacks.

Parameter: Protection ID

Parameter: Application Port Group
Description: The group of TCP ports that represent the application that you want to protect. Select from the list of predefined port groups, or leave the field empty to select any port.

Parameter: Activation Threshold
Description: A number of SYN packets received per second at a certain destination above which DefensePro starts the mitigation actions.1
  Values: 1–150,000
  Default: 2500

Parameter: Termination Threshold
Description: A number of SYN packets received per second at a certain destination for the specified Tracking Time2 below which DefensePro stops the mitigation actions.1
  Values: 0–150,000
  Default: 1500

Parameter: Risk
Description: The risk level assigned to this attack for reporting purposes.
  Values: Info, Low, Medium, High
  Default: Low

Parameter: Source Type
Description: (Read-only) Specifies whether the SYN protection is a predefined (static) or user-defined (user) protection.

1 The number that DefensePro uses depends on whether you use Transparent Proxy or Safe-Reset.
2 You can configure this value at Security Settings > SYN Flood Protection > Tracking Time.
Destination Port    Verification Type
21                  ack
80                  request
443                 request
143                 ack
110                 ack
135                 ack
554                 request
25                  ack
23                  ack
Parameter: Profile Name
Description: (Read-only) The name of the profile.
Parameter: Authentication Method
Description: The Authentication Method that DefensePro uses at the transport layer. When DefensePro is installed in an ingress-only topology, select the Safe-Reset method.
  Values:
    Transparent Proxy: When DefensePro receives a SYN packet, DefensePro replies with a SYN ACK packet with a cookie in the Sequence Number field. If the response is an ACK that contains the cookie, DefensePro considers the session to be legitimate. Then, DefensePro opens a connection with the destination and acts as a transparent proxy between the source and the destination.
    Safe-Reset: When DefensePro receives a SYN packet, DefensePro responds with an ACK packet with an invalid Sequence Number field as a cookie. If the client responds with RST and the cookie, DefensePro discards the RST packet and adds the source IP address to the TCP Authentication Table. The next SYN packet from the same source (normally, a retransmit of the previous SYN packet) passes through DefensePro, and the session is approved for the server. DefensePro saves the source IP address for a specified time.
  Default: Transparent Proxy
  Note: To configure Minimum Allowed SYN Retransmission Time and Maximum Allowed SYN Retransmission Time, in the Configuration perspective Security Settings tab navigation pane, select SYN Flood Protection Settings.
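The two transport-layer flows described above, simulated as an added example (not Radware code and not the device's implementation): a SynAuthenticator that mints an HMAC cookie from the connection 4-tuple and, depending on the method, challenges a SYN with an ACK carrying the cookie as an invalid sequence number (Safe-Reset) or with a SYN-ACK carrying the cookie (Transparent Proxy). The cookie secret, the authentication-table lifetime, the packet dictionary layout and the sample addresses are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed for this example: the secret used to mint cookies and how long a
# Safe-Reset TCP Authentication Table entry stays valid (assumed value).
COOKIE_SECRET = b"constructed-demo-secret"
AUTH_TABLE_TTL_SECONDS = 60


def make_cookie(src_ip, dst_ip, src_port, dst_port):
    """32-bit cookie bound to the 4-tuple; cannot be guessed without the secret."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
    digest = hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class SynAuthenticator:
    """Simulates the Transparent Proxy and Safe-Reset authentication methods.

    handle(pkt) takes one client packet (dict with src, dst, sport, dport,
    flags, seq, ack) and returns (action, reply): action is 'challenge',
    'drop', 'authenticated', 'forward' or 'proxy'; reply is the packet the
    device sends back, or None.
    """

    def __init__(self, method, now=time.time):
        if method not in ("safe-reset", "transparent-proxy"):
            raise ValueError("unknown authentication method")
        self.method = method
        self.now = now
        self.auth_table = {}  # Safe-Reset: source IP -> expiry timestamp

    def handle(self, pkt):
        cookie = make_cookie(pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"])
        if self.method == "safe-reset":
            return self._safe_reset(pkt, cookie)
        return self._transparent_proxy(pkt, cookie)

    def _safe_reset(self, pkt, cookie):
        if pkt["flags"] == "SYN":
            expiry = self.auth_table.get(pkt["src"])
            if expiry is not None and expiry > self.now():
                # Source already proved it owns its address: the retransmitted SYN passes.
                return "forward", None
            # Unsolicited ACK whose sequence number is deliberately invalid and is the cookie.
            return "challenge", {"flags": "ACK", "seq": cookie, "ack": 0}
        if pkt["flags"] == "RST":
            # A real TCP stack resets the unexpected ACK, echoing the cookie back.
            if pkt["seq"] == cookie:
                self.auth_table[pkt["src"]] = self.now() + AUTH_TABLE_TTL_SECONDS
                return "authenticated", None  # RST discarded, source IP recorded
            return "drop", None
        return "drop", None

    def _transparent_proxy(self, pkt, cookie):
        if pkt["flags"] == "SYN":
            # SYN-ACK with the cookie in the sequence number; no server state is used yet.
            return "challenge", {"flags": "SYN-ACK", "seq": cookie, "ack": pkt["seq"] + 1}
        if pkt["flags"] == "ACK":
            # The handshake's third packet must acknowledge cookie + 1.
            if pkt["ack"] == (cookie + 1) & 0xFFFFFFFF:
                # Legitimate; the device now opens its own connection to the server.
                return "proxy", None
            return "drop", None
        return "drop", None
```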
HTTP Authentication

Parameter: Use HTTP Authentication
Description: Specifies whether DefensePro authenticates the transport layer of HTTP traffic using SYN cookies and then authenticates the HTTP application layer using the specified HTTP Authentication Method.
  Values:
    Enabled: DefensePro authenticates the transport layer of HTTP traffic using SYN cookies, and then authenticates the HTTP application layer using the specified HTTP Authentication Method.
    Disabled: DefensePro handles HTTP traffic using the specified TCP Authentication Method.
  Default: Disabled
Parameter: HTTP Authentication Method
Description: The method that the profile uses to authenticate HTTP traffic at the application layer.
  Values:
    302-Redirect: DefensePro authenticates HTTP traffic using a 302-Redirect response code.
    JavaScript: DefensePro authenticates HTTP traffic using a JavaScript object, which DefensePro generates.
  Default: 302-Redirect
  Notes:
    Some attack tools are capable of handling 302-redirect responses. The 302-Redirect HTTP Authentication Method is not effective against attacks that use those tools.
    The JavaScript HTTP Authentication Method requires an engine on the client side that supports JavaScript, and therefore the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios.
  Limitations when using the JavaScript HTTP Authentication Method:
    - If the browser does not support JavaScript calls, the browser will not answer the challenge.
    - When the protected server is accessed as a sub-page through another (main) page only using JavaScript, the user session will fail (that is, the browser will not answer the challenge). For example, if the protected server supplies content that is requested using a JavaScript tag, the DefensePro JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure.
  Example: The request below (the js.src assignment) accesses a secure server:

    <script>
    setTimeout(function(){
      var js = document.createElement("script");
      js.src = "http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
      document.getElementsByTagName("head")[0].appendChild(js);
    }, 1000);
    </script>

  The returned challenge page contains the <script> tag again, which is illegal, and therefore it is dropped by the browser without making the redirect.
Table 94: DefensePro Challenge Behavior for Various Configuration and Traffic Permutations

Columns: Authentication Method; HTTP Authentication Is Enabled; SSL Mitigation Is Enabled and Configured1; Traffic; the challenge applied.
The table covers the Safe-Reset and Transparent Proxy authentication methods, with HTTP Authentication enabled or disabled and SSL Mitigation enabled, disabled or not applicable, for HTTP, HTTPS, non-HTTP traffic with client-initiated data2, and non-HTTP traffic with server-initiated data3. The challenges it lists are SYN, SYN minus first ACK, SYN minus ACK, and SYN minus data.

1 That is, SSL Mitigation is enabled globally (Security Settings > Flood Protection Settings > Enable SSL Mitigation) and configured for the Network Protection policy.
2 Client-initiated data refers to protocols in which the client sends the first data (for example, HTTP, HTTPS, and RTSP).
3 Server-initiated data refers to protocols in which the server sends the first data.
Parameter: Name
Description: The name of the policy.

Parameter: SSL VIP
Description: The IPv4 VIP address on the Alteon device.
Parameter: VIP MAC
Description: The MAC address of the Alteon device.

Parameter: Network Policy Name
Description: The name of the existing Network Protection Rule.

Parameter: State
Description: Specifies whether the policy is active.
  Values: active, inactive
  Default: active

Parameter: SSL Server IP Address
Description: The IPv4 address of the SSL server specified on the Alteon device.
Parameter: Name
Description: The name of the profile.
Radware recommends that you initially leave these fields empty so that the default values will automatically be used. To view default values after creating the profile, double-click the entry in the table. You can then adjust quota values based on your network performance.
  Caution: DefensePro does not support DNS queries of type ANY.
  Note: The total quota values may exceed 100%, as each value represents the maximum volume per protocol.

Parameters: A Query, MX Query, PTR Query, AAAA Query, Text Query, SOA Query, NAPTR Query, SRV Query, Other Queries
Description: For each DNS query type to protect, specify the quota (the maximum expected percentage of DNS traffic out of the total DNS traffic) and select the checkbox in the row.

Parameter: Get Default Quotas
Description: Configures all the quotas with the hard-coded default values after you have specified the Expected DNS Query Rate.

Parameter: Expected DNS Query Rate
Description: The expected rate, in queries per second, of DNS queries.

Manual Triggers

Parameter: Use Manual Triggers
Description: Specifies whether the profile uses user-defined DNS QPS thresholds instead of the learned baselines.
  Default: Disabled

Parameter: Activation Threshold
Description: The minimum number of queries per second, after the specified Activation Period, on a single connection that causes DefensePro to consider there to be an attack. When DefensePro detects an attack, it issues an appropriate alert and drops the DNS packets that exceed the threshold. Packets that do not exceed the threshold bypass the DefensePro device.
  Values: 0–4,000,000
  Default: 0

Parameter: Activation Period
Description: The number of consecutive seconds that the DNS traffic on a single connection exceeds the Activation Threshold that causes DefensePro to consider there to be an attack.
  Values: 1–30
  Default: 3

Parameter: Termination Threshold
Description: The maximum number of queries per second, after the specified Termination Period, on a single connection that causes DefensePro to consider the attack to have ended.
  Values: 0–4,000,000
  Default: 0
  Note: The Termination Threshold must be less than or equal to the Activation Threshold.
Parameter: Termination Period
Description: The time, in seconds, that the DNS traffic on a single connection is continuously below the Termination Threshold, which causes DefensePro to consider the attack to have ended.
  Values: 1–30
  Default: 3

Parameter: Max QPS
Description: The maximum allowed rate of DNS queries per second.
  Values: 0–4,000,000
  Default: 0

Parameter: Escalation Period
Description: The time, in seconds, that DefensePro waits before escalating to the next specified mitigation action.
  Values: 0–30
  Default: 3
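The Activation Threshold, Activation Period, Termination Threshold and Termination Period parameters above form a hysteresis detector. The following is an added example (not Radware code) that applies those four settings to one queries-per-second sample per second for a single connection; it goes a step beyond the DNS case in that the Out-of-State profile's Activation and Termination Thresholds are the same logic with both periods set to 1. The assumption that the excess over the Activation Threshold is dropped starting in the second the attack is declared, and the sample rates, are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class ManualTrigger:
    """Hysteresis detector built from the four Manual Trigger parameters.

    step(qps) consumes one per-second sample for a single connection and
    returns (state, dropped): the state after this second and the number of
    queries above the Activation Threshold discarded while in the attack state.
    """
    activation_threshold: int
    activation_period: int = 3
    termination_threshold: int = 0
    termination_period: int = 3
    state: str = "normal"
    above: int = field(default=0, init=False)  # consecutive seconds over activation
    below: int = field(default=0, init=False)  # consecutive seconds under termination

    def __post_init__(self):
        # Ranges are the ones the parameter table gives; the ordering rule is its Note.
        if not 0 <= self.termination_threshold <= self.activation_threshold <= 4_000_000:
            raise ValueError("Termination Threshold must be <= Activation Threshold")
        if not (1 <= self.activation_period <= 30 and 1 <= self.termination_period <= 30):
            raise ValueError("Activation Period and Termination Period must be 1-30 seconds")

    def step(self, qps):
        dropped = 0
        if self.state == "normal":
            self.above = self.above + 1 if qps > self.activation_threshold else 0
            if self.above >= self.activation_period:
                # Threshold exceeded for the whole Activation Period: attack declared,
                # alert issued, and the excess in this second is dropped (assumed).
                self.state = "attack"
                self.above = 0
                dropped = qps - self.activation_threshold
        else:
            # In the attack state only the queries beyond the threshold are dropped;
            # traffic at or below it still bypasses the device.
            dropped = max(0, qps - self.activation_threshold)
            self.below = self.below + 1 if qps < self.termination_threshold else 0
            if self.below >= self.termination_period:
                self.state = "normal"
                self.below = 0
        return self.state, dropped


def run(trigger, samples):
    """Feed a list of per-second QPS samples and collect (state, dropped) per second."""
    return [trigger.step(q) for q in samples]
```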
Caution: In cases of overlapping network policies configured with Out-of-State profiles, attacks triggered on both policies are reported twice, once per policy. As a consequence, in traffic monitoring there might be some inconsistencies in the discarded-traffic value, because the value is the sum of all detected attacks.
Parameter: Profile Name
Description: The name of the profile.

Parameter: Activation Threshold
Description: The rate, in PPS, of out-of-state packets above which the profile considers the packets to be part of a flood attack. When DefensePro detects an attack, it issues an appropriate alert and drops the out-of-state packets that exceed the threshold. Packets that do not exceed the threshold bypass the DefensePro device.
  Values: 1–250,000
  Default: 5000

Parameter: Termination Threshold
Description: The rate, in PPS, of out-of-state packets below which the profile considers the flood attack to have stopped, and DefensePro resumes normal operation.
  Values: 1–250,000
  Default: 4000

Parameter: Profile Risk
Description: The risk, for reporting purposes, assigned to the attack that the profile detects.
  Values: Info, Low, Medium, High
  Default: Low
Parameter: Allow SYN-ACK
Description:
  Values:
    Enabled: The DefensePro device opens a session and processes a SYN-ACK packet even when DefensePro has identified no SYN packet for the session. This option supports asymmetric environments, where the first packet that DefensePro receives is the SYN-ACK.
    Disabled: When the DefensePro device receives a SYN-ACK packet and has identified no SYN packet for the session, DefensePro passes the SYN-ACK packet through (unprocessed) if the packet rate is below the specified activation threshold, and drops the packet if it is above the specified activation threshold.
  Default: Enabled

Parameter: Enable Packet Trace
Description: Specifies whether the profile sends out-of-state packets to the specified physical port.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Parameter: Enable Packet Reporting
Description: Specifies whether the profile reports out-of-state packets.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting). In addition, a change to this parameter takes effect only after you update policies.

Parameter: Profile Action
Description: The action that the profile takes when it encounters out-of-state packets.
  Values: Block and Report, Report Only
  Default: Block and Report
This section contains the following topics:
  - Configuring the Server Protection Policy, page 197
  - Configuring Server Cracking Profiles for Server Protection, page 205
  - Configuring HTTP Flood Mitigation Profiles for Server Protection, page 209
Caution: When you configure the policy, APSolute Vision stores your configuration changes, but it does not download your configuration changes to the device. To apply changes onto the device, you must activate the configuration changes.
3. Configure the parameters, and then click OK.
4. To activate your changes on the device, click Activate Latest Changes.
Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.
Parameter: Server Name
Description: The name of the server.

Parameter: IP Range
Description: The IP address or IP-address range of the protected server. You can assign an HTTP profile to a server definition that contains one discrete IP address. You can assign a Server Cracking profile to ranges, networks, and discrete IP addresses.

Description: Specifies whether the protection is enabled.

Description: The HTTP Flood profile to be activated against an attack.
  Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.
Parameter: Server Cracking Profile
Description: The Server Cracking profile to be activated against an attack. Each DefensePro device supports up to 20 Server Cracking profiles.
  Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.

Description: The VLAN Tag Group of the traffic.
  Note: You can click the adjacent button to open the dialog box in which you can add and modify VLAN Tag groups.

Parameter: Policy
Description: The name of the Network Protection policy to which this Server Protection policy belongs.

Parameter: Packet Trace
Note: When a Server Cracking attack occurs, you can view it in the APSolute Vision Security Dashboard and the Current Attacks table view. From both locations, you can drill down and view attack details. For more information, see Real-Time Security Reporting, page 287.
This section contains the following main topics:
  - Server Cracking Protection Network Topography, page 199
  - Server Cracking Attack Types, page 199
  - Server Protection Policies/Rules, Profiles, and Protections, page 200
  - Server Cracking Threats and Server Cracking Protection Strategies, page 201
  - Server Cracking Mitigation with Server Cracking Protection, page 201
  - Server Cracking Protection Technology, page 201
  - Errors that Server Cracking Protection Monitors, page 204
  - Server Cracking Protection Limitations, page 205
  - Configuring Server Cracking Profiles for Server Protection, page 205
  - Viewing Radware-defined Server Cracking Protections, page 208
Application-Vulnerability Scanning
Scanning attacks try to find services that are known to be vulnerable or actual vulnerabilities at the application level. The attacker later exploits the vulnerable server or application vulnerability. The scanners, which can be automatic or manual, send a legitimate request to the server. The request is used to expose the existence of the vulnerability. As such, the scan will not trigger an IPS-based signature. In most cases, the server will not be vulnerable and will respond with an error message. Application scanning attempts are usually precursors to more serious exploitation attempts. Scanning attempts generate a higher than normal error-response rate from the application. Blocking such attempts helps prevent the vulnerabilities from being disclosed.
SIP Scanning
In Session Initiation Protocol (SIP) scanning, the attacker's aim is slightly different. While it is possible to find vulnerable SIP implementations, the actual advantage of SIP scanning is to obtain a list of SIP subscribers, which can be used to send SPIT (SPAM over Internet Telephony). An attacker can use scripts to send SPIT messages to a guessed list of subscribers and harvest the existing subscribers according to the received replies. SPIT can annoy subscribers and even disrupt service if carried out in high volumes.
Brute Force SIP (UDP)
Brute Force SIP DST (TCP)
Brute Force SIP DST (UDP)
Brute Force SMB
Brute Force SMTP
Brute Force Web
SIP Scan (TCP)
SIP Scan (UDP)
SIP Scan DST (TCP)
SIP Scan DST (UDP)
SMTP Scan
Web Scan
During the Attack state, the user is added to the Suspend table (a block list). When the user is released from block, the monitoring interval is set again.
Sensitivity Parameter

The Sensitivity parameter of each Server Cracking protection defines thresholds for the quantity and frequency of server-side error messages. DefensePro tracks server-side error messages to trigger attack detection. High sensitivity means that only a few cracking attempts trigger the protection, while Minor means that a very high number of attempts is needed to trigger the protection. The default is Medium. During the Attack state, the attacker is added to the Suspend table, which is the list of blocked sources. When the user is released from the Suspend table, the monitoring interval is set again.

State            Medium   Low   Minor
Normal state     15       10    5
Suspect state    30       15    10
Attack state1    45       20    15

1 In the Attack state, the user is added to the block list, and the monitoring interval is set when the user is released from block.
There may be cases where you need to tune the value of the Sensitivity parameter. For example, if you are protecting a Web server that is not maintained or not updated, it may generate HTTP-error replies at an abnormal rate, which the device will falsely identify as an attack. In such a case, set the sensitivity to Low.
Note: Application-scanning and brute-force attempts are usually generated through multiple L4 connections. If the attack attempts are using the same L4 connection (that is, a TCP or UDP connection), the detection sensitivity will be automatically set to a higher value than those that are specified in the above table. Thus, the quantity and frequency of attempts needed to trigger the protection action will be lower.
Sensitivity    Frequency (Requests/Second)
High           5
Medium         10
Low            15
Minor          20

Table 101: Sensitivity Levels for Cracking Indications (Single Layer 4 Connections)

Sensitivity    Frequency (Requests/Second)
High           1
Medium         2
Low            4
Minor          6

Sensitivity    Frequency (Requests/Second)
High           0.5
Medium         1
Low            3
Minor          30
SMTP Scan
Brute Force MySQL
Brute Force DNS
Brute Force MSSQL
Brute Force POP3
Brute Force IMAP

Each DefensePro device supports up to 20 Server Cracking profiles. Before you configure a Server Cracking profile, ensure the following:
  - The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session Table Settings, page 101.
  - IPS protection is enabled and the global parameters are configured. For more information, see Configuring Global Signature Protection, page 131.
To modify a profile:
Parameter: Profile Name
Description: (Read-only) The name of the Server Cracking profile.

Parameter: Action
Description: The action that the device takes when an attack that matches the configured protection occurs.
  Values: Block and Report, Report Only
  Default: Report Only

Parameter: Packet Trace
Description: Specifies whether the DefensePro device sends attack packets to the specified physical port.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Description: Contains the protections to be applied if there is an attack on the server. To configure a protection, see Configuring Server Cracking Protections for a Server Cracking Profile, page 207.
  Note: In each Server Cracking policy/rule, you can use only one Server Cracking profile. Therefore, ensure that all the protections that you want to apply to a rule are contained in the profile specified for that rule.
To add a protection, right-click in the table and select Add New Server Cracking Protection. To modify the configuration of an already specified protection, double-click the entry.
Parameter: Profile Name
Description: (Read-only) The name of the Server Cracking profile.

Parameter: Server Cracking Protection Name
Description: (Read-only when modifying the configuration) The name of the Server Cracking protection.
  Notes: You can view the default configuration of each protection in the Server Cracking Protections pane (see Viewing Radware-defined Server Cracking Protections, page 208). For more information on the Server Cracking protections, see Server Protection Policies/Rules, Profiles, and Protections, page 200 and Server Cracking Protection Technology, page 201.

Parameter: Sensitivity
Description: The detection sensitivity of the module. The sensitivity level defines thresholds for the number and frequency of server-side error messages.
  Values: High, Medium, Low, Minor
  Default: Medium
  Note: For more information, see Sensitivity Parameter, page 202.

Parameter: Risk
Description: The risk assigned to this attack for reporting purposes.
  Values: Info, Low, Medium, High
Parameter: Protection ID
Description: The unique identifying number.

Parameter: Protection Name
Description: The name for the Protection. The Protection Name is used when DoS Shield sends information about attack status changes.

Parameter: Risk
Description: The risk assigned to this attack for reporting purposes.
  Values: Info, Low, Medium, High

Parameter: Sensitivity
Description: The detection sensitivity of the module. The sensitivity level defines thresholds for the number and frequency of server-side error messages. These messages are tracked for attack detection. High sensitivity specifies that the protection needs few cracking attempts to trigger the protection. Minor sensitivity specifies that the device needs a very high number of attempts.
  Values: High, Medium, Low, Minor
  Default: Medium
  Note: If you are protecting a Web server that is not maintained or not updated, it may generate HTTP-error replies at an abnormal rate, which the device will falsely identify as an attack. In such a case, set the sensitivity to Low.

Parameter: Action Mode
Parameter: Direction
Description: The direction of the traffic to inspect. A protection may include attacks that should be searched only in traffic from client to server or only in traffic from server to client.
  Values:
    Inbound: The Protection inspects traffic from policy Source to policy Destination.
    Outbound: The Protection inspects traffic from policy Destination to policy Source.
    Inbound & Outbound: The Protection inspects all traffic between policy Source and policy Destination.

Parameter: Suspend Action
Description: Specifies what traffic to suspend for a period of time.
  Values:
    None: Suspend action is disabled for this attack.
    SrcIP: All traffic from the IP address identified as the source of the attack is suspended.
    SrcIP, DestIP: Traffic from the IP address identified as the source of the attack to the destination IP address under attack is suspended.
    SrcIP, DestPort: Traffic from the IP address identified as the source of the attack to the application (destination port) under attack is suspended.
    SrcIP, DestIP, DestPort: Traffic from the IP address identified as the source of the attack to the destination IP address and port under attack is suspended.
    SrcIP, DestIP, SrcPort, DestPort: Traffic from the IP address and port identified as the source of the attack to the destination IP address and port under attack is suspended.
Before you configure an HTTP Flood Mitigation profile, ensure that HTTP mitigation is enabled and the global parameters are configured. For more information, see Configuring Global HTTP Flood Protection, page 142.
Profile Name

Sensitivity Level
Default: Medium

Action
The action that the profile takes when it detects suspicious traffic.
Values:
  Block and Report: Blocks and reports the suspicious traffic.
  Report Only: Reports the suspicious traffic.
Other Request-Type Request Rate
Specifies whether the profile identifies an HTTP flood attack when the rate of requests that are not GET or POST requests exceeds the learned baseline.
Default: Enabled
Caution: If Outbound HTTP Bandwidth is enabled and Other Request-Type Request Rate is disabled, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. The same can happen when both are enabled but the rate of other requests does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP Bandwidth mechanism to consider the attack an anomaly, and the profile will not mitigate it.

Outbound HTTP Bandwidth
Specifies whether the profile identifies an HTTP flood attack when the outbound HTTP bandwidth exceeds the learned baseline.
Default: Enabled

Specifies whether the profile identifies an HTTP flood attack when the rate of requests per source exceeds the learned baseline.
Default: Enabled

Specifies whether the profile identifies an HTTP flood attack when the rate of requests per connection exceeds the learned baseline.
Default: Enabled
Other Request-type Request-Rate Trigger
The maximum number of requests that are not GET or POST (for example, HEAD, PUT, and so on) allowed per server per second.
Values:
  0: The profile ignores the threshold.
  1 to 4,294,967,296
Default: 0
Caution: If Outbound HTTP BW Trigger is enabled and Other Request-type Request-Rate Trigger is disabled, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. The same can happen when both are enabled but the rate of other requests does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP BW Trigger mechanism to consider the attack an anomaly, and the profile will not mitigate it.

Outbound HTTP BW Trigger
The maximum allowed bandwidth of HTTP responses, in kilobits per second.
Values:
  0: The profile ignores the threshold.
  1 to 4,294,967,296
Default: 0

Requests-per-Source Trigger
The maximum number of requests allowed per source IP per second.
Values:
  0: The profile ignores the threshold.
  1 to 4,294,967,296
Default: 5

Requests-per-Connection Trigger
The maximum number of requests allowed from the same connection.
Values:
  0: The profile ignores the threshold.
  1 to 4,294,967,296
Default: 5
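The following Python script is an added example, not part of this guide or of the DefensePro product, that applies the four trigger thresholds above to one second of constructed HTTP requests. The request record layout, the per-server keying of the first two triggers, and the use of 1000 bits per kilobit are assumptions made for the example; the thresholds, their defaults, and the rule that a value of 0 disables a trigger follow the table. The constructed HEAD flood shows the caution above: with the request-type trigger left at 0, forty HEAD requests per second from ten sources pass every enabled trigger.

```python
"""Added example: evaluating the four HTTP Flood trigger thresholds over one second of requests."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Triggers:
    """Thresholds as in the profile table; 0 means the profile ignores that threshold."""
    other_request_rate: int = 0        # non-GET/POST requests per server per second
    outbound_bw_kbps: int = 0          # HTTP response bandwidth per server, kilobits per second
    requests_per_source: int = 5       # requests per source IP per second
    requests_per_connection: int = 5   # requests on the same connection


@dataclass
class Request:
    src_ip: str
    conn_id: str         # identifies the TCP connection the request arrived on (assumed layout)
    method: str
    server: str
    response_bytes: int  # size of the HTTP response the server returned


def evaluate_second(requests, triggers):
    """Return the (trigger, key, observed, threshold) tuples exceeded in one second of traffic.

    The list is ordered like the triggers in the profile table.
    """
    other_per_server, per_source, per_conn, outbound_bits = Counter(), Counter(), Counter(), Counter()
    for r in requests:
        if r.method not in ("GET", "POST"):
            other_per_server[r.server] += 1
        per_source[r.src_ip] += 1
        per_conn[r.conn_id] += 1
        outbound_bits[r.server] += r.response_bytes * 8
    # The window is one second, so bits observed are bits per second.
    outbound_kbps = Counter({srv: bits // 1000 for srv, bits in outbound_bits.items()})

    hits = []

    def check(name, counter, threshold):
        if threshold == 0:          # 0 disables the trigger, as the table describes
            return
        for key, observed in sorted(counter.items()):
            if observed > threshold:
                hits.append((name, key, observed, threshold))

    check("Other Request-type Request-Rate Trigger", other_per_server, triggers.other_request_rate)
    check("Outbound HTTP BW Trigger", outbound_kbps, triggers.outbound_bw_kbps)
    check("Requests-per-Source Trigger", per_source, triggers.requests_per_source)
    check("Requests-per-Connection Trigger", per_conn, triggers.requests_per_connection)
    return hits


def constructed_head_flood():
    """Constructed sample: 10 sources each send 4 HEAD requests on 4 separate connections.

    Every per-source and per-connection count stays at or under the default of 5, so only the
    request-type and bandwidth triggers can see this flood.
    """
    reqs = []
    for i in range(10):
        for j in range(4):
            reqs.append(Request(f"203.0.113.{i + 1}", f"203.0.113.{i + 1}:{40000 + j}",
                                "HEAD", "www.example.test", response_bytes=5000))
    return reqs


if __name__ == "__main__":
    flood = constructed_head_flood()
    print("defaults:", evaluate_second(flood, Triggers()))
    print("tuned:   ", evaluate_second(flood, Triggers(other_request_rate=20, outbound_bw_kbps=100)))
```

With the defaults the flood produces no hits; setting Other Request-type Request-Rate Trigger to 20 and Outbound HTTP BW Trigger to 100 kbps reports it on both.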
Packet Report
Specifies whether the profile sends sampled attack packets to APSolute Vision for offline analysis.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting).

Packet Trace
Specifies whether the profile sends attack packets to the specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.
Mitigation Settings

When the protection is enabled and the profile detects that an HTTP-flood attack has started, the device applies the mitigation actions in escalating order, that is, in the order in which they appear in the group box. If the first enabled mitigation action does not mitigate the attack satisfactorily, then after a certain escalation period the device applies the next, more severe, enabled mitigation action, and so on. Escalation periods are not configurable.

Challenge Suspects
Specifies whether the profile challenges HTTP sources that match the real-time signature.
Default: Enabled

Challenge All
Specifies whether the profile challenges all HTTP traffic toward the protected server.
Default: Enabled
Block Suspects
Specifies whether the profile blocks all traffic from the suspect sources.
Default: Enabled

Challenge Mode
Specifies how the profile challenges suspect HTTP sources.
Values:
  302 Redirect: The device authenticates HTTP traffic using a 302 Redirect response code.
  JavaScript: The device authenticates HTTP traffic using a JavaScript object generated by the device.
Default: 302 Redirect
Notes:
  Some attack tools are capable of handling 302-redirect responses. The 302 Redirect Challenge Mode is not effective against attacks that use those tools.
  The JavaScript Challenge Mode requires a client-side engine that supports JavaScript, and therefore the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios.
Limitations when using the JavaScript Challenge Mode:
  If the browser does not support JavaScript calls, the browser will not answer the challenge.
  When the protected server is accessed only as a sub-page of another (main) page by means of JavaScript, the user session fails (that is, the browser does not answer the challenge). For example, if the protected server supplies content that is requested through a JavaScript tag, the DefensePro JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure. In the example below, the js.src request is the one that accesses the protected server:
<script>
setTimeout(function () {
  var js = document.createElement("script");
  js.src = "http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
  document.getElementsByTagName("head")[0].appendChild(js);
}, 1000);
</script>
The returned challenge page contains the <script> tag again, which is illegal, and therefore, it is dropped by the browser without making the redirect.
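The following Python script is an added example, not part of this guide or of the DefensePro product, that models the difference between the two Challenge Modes. The device is reduced to a Challenger that either redirects the client back to the same URL with a cookie (302 Redirect) or returns a page whose script must compute a value and store it in a cookie (JavaScript); the cookie name, the HMAC-based token derivation, and the secret are assumptions made for the example. The three client kinds are constructed to match the notes above: an attack tool that follows redirects but has no JavaScript engine, a browser, and a tool that does neither.

```python
"""Added example: how the 302 Redirect and JavaScript challenge modes separate clients."""
import hashlib
import hmac

SECRET = b"constructed-device-secret"  # constructed; a device would hold its own random key


def redirect_token(src_ip: str) -> str:
    """Cookie value proving that the source followed the 302 redirect."""
    return hmac.new(SECRET, b"302:" + src_ip.encode(), hashlib.sha256).hexdigest()[:16]


def js_nonce(src_ip: str) -> str:
    """Per-source nonce embedded in the device-generated JavaScript."""
    return hmac.new(SECRET, b"js:" + src_ip.encode(), hashlib.sha256).hexdigest()[:16]


def js_answer(nonce: str) -> str:
    """The value the JavaScript computes in the browser and stores in the cookie."""
    return hashlib.sha256(b"answer:" + nonce.encode()).hexdigest()[:16]


class Challenger:
    """Stand-in for the device in front of the protected server."""

    def __init__(self, mode: str):
        if mode not in ("302 Redirect", "JavaScript"):
            raise ValueError(mode)
        self.mode = mode

    def handle(self, src_ip: str, url: str, cookies: dict) -> dict:
        if self.mode == "302 Redirect":
            if cookies.get("dp_chal") == redirect_token(src_ip):
                return {"status": 200, "body": "origin content"}
            # Challenge: redirect back to the same URL and hand out the cookie.
            return {"status": 302, "location": url,
                    "set_cookie": ("dp_chal", redirect_token(src_ip))}
        nonce = js_nonce(src_ip)
        if cookies.get("dp_chal") == js_answer(nonce):
            return {"status": 200, "body": "origin content"}
        # Challenge: a page whose script must compute the answer, set the cookie and reload.
        return {"status": 200, "js_nonce": nonce}


class Client:
    """Models what a client can do: follow redirects, execute JavaScript, or neither."""

    def __init__(self, follows_redirects: bool, runs_js: bool):
        self.follows_redirects = follows_redirects
        self.runs_js = runs_js

    def fetch(self, challenger: Challenger, src_ip: str, url: str, max_rounds: int = 3) -> bool:
        """Return True if the client reaches the origin content within max_rounds attempts."""
        cookies = {}
        for _ in range(max_rounds):
            resp = challenger.handle(src_ip, url, cookies)
            if resp["status"] == 200 and "js_nonce" not in resp:
                return True
            if resp["status"] == 302:
                if not self.follows_redirects:
                    return False
                name, value = resp["set_cookie"]
                cookies[name] = value
                url = resp["location"]
                continue
            if not self.runs_js:
                return False          # the script is never executed, so no cookie is ever set
            cookies["dp_chal"] = js_answer(resp["js_nonce"])
        return False


ATTACK_TOOL = Client(follows_redirects=True, runs_js=False)   # handles 302, no JS engine
BROWSER = Client(follows_redirects=True, runs_js=True)
SIMPLE_TOOL = Client(follows_redirects=False, runs_js=False)


def outcomes(src_ip="203.0.113.9", url="http://www.example.test/"):
    """Pass/fail matrix of the three client kinds against both challenge modes."""
    result = {}
    for mode in ("302 Redirect", "JavaScript"):
        for name, client in (("attack tool", ATTACK_TOOL), ("browser", BROWSER),
                             ("simple tool", SIMPLE_TOOL)):
            result[(mode, name)] = client.fetch(Challenger(mode), src_ip, url)
    return result


if __name__ == "__main__":
    for key, passed in outcomes().items():
        print(key, "passes" if passed else "blocked")
```

The matrix shows the point of the note: the redirect-capable tool passes the 302 Redirect challenge and is stopped only by the JavaScript one, while a real browser passes both. A tool that parses the returned script and reproduces its computation would pass the JavaScript challenge too, which is why the note calls the option stronger rather than conclusive.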
Note: Since networks on the White List are not inspected, certain protections are not applied to sessions in the opposite direction. For example, with SYN protection, this can cause servers to not be added to known destinations due to ACK packets not being inspected.
3. Configure the white list rule parameters.
4. To activate your configuration changes on the device, click Activate Latest Changes.
Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.
Identification

Name
The name of the rule, up to 50 characters.

Description
The user-defined description of the rule.

Enable
When selected, the rule is active.
Bypass All Modules
Default: Enabled
Note: Performance is better when Bypass All Modules is enabled (the Bypass All Modules checkbox is selected) than when the modules are bypassed individually.

Bypass SYN Protection
When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses SYN Protection inspection.
Default: Enabled

Bypass Anti Scanning
When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Anti-Scanning inspection.
Default: Enabled

Bypass Signature Protection
When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Signature Protection inspection.
Default: Enabled

Bypass HTTP Flood
When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses HTTP Flood inspection.
Default: Enabled

Bypass Server Cracking
When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Server Cracking inspection.
Default: Enabled
Classification

Source Network
The source of the packets that the rule uses.
Values:
  A Network class displayed in the Classes tab
  An IP address
  any
Source Port
The source Application Port class or application-port number that the rule uses.
Values:
  An Application Port class displayed in the Classes tab
  An application-port number
  None

Destination Network
The destination of the packets that the rule uses.
Values:
  A Network class displayed in the Classes tab
  An IP address
  any

Destination Port
The destination Application Port class or application-port number that the rule uses.
Values:
  An Application Port class displayed in the Classes tab
  An application-port number
  None

Physical Ports
The Physical Port class or physical port that the rule uses.
Values:
  A Physical Port class displayed in the Classes tab
  The physical ports on the device
  None

VLAN Tag
The VLAN Tag class that the rule uses.
Values:
  A VLAN Tag class displayed in the Classes tab
  None

Protocol
The protocol of the traffic that the rule uses.
Values: Any, GRE, ICMP, ICMPv6, IGMP, SCTP, TCP, UDP, L2TP, GTP, IP in IP
Default: Any
Direction
The direction of the traffic to which the rule relates.
Values:
  One-directional: The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.
  Bi-directional: The protection applies to sessions that match the network definitions of the policy regardless of their direction.
Default: One-directional

Action
(Read-only) The action for a White List rule is always Bypass.
Enabling and Disabling the Packet Trace Feature for Black List Rules
You enable or disable the Packet Trace feature for all the Black List rules on the device. When the Packet Trace feature is enabled for Black Lists, the DefensePro device sends blacklisted packets to the specified physical port.
Notes When this feature is enabled, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). A change to the parameter takes effect only after you update policies.
To enable or disable the Packet Trace feature for all the Black List rules on the device
1. In the Configuration perspective ACL tab navigation pane, select Black List.
2. Select or clear the Packet Trace checkbox; and then, click Submit to submit the changes.
3. Configure the parameters; and then, click OK.
4. To activate your configuration changes on the device, click Activate Latest Changes.
Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.
Identification

Name
The name of the rule. Maximum characters: 29
Note: If a Security Group configured this Black List rule, the rule name is in the format <SecurityGroupName> hhmm $$$$, where hhmm is the time (hour and minutes) at which the Security Group configured the rule and $$$$ is a four-character hexadecimal hash of the event ID in the security-event trap.

Description
The user-defined description of the rule.

Enable
When selected, the rule is active.
Default: Enabled
Classification

Source Network
The source of the packets that the rule uses.
Values:
  A Network class displayed in the Classes tab
  An IP address
  None
  any
Default: any
Caution: If Traffic Exclusion is enabled and you specify a Network class for Source Network, use the IP Mask Entry type. With Traffic Exclusion enabled, DefensePro cannot block black list entries that are defined with the IP Range Entry type.

Source Port
The source Application Port class or application-port number that the rule uses.
Values:
  An Application Port class displayed in the Classes tab
  An application-port number
  None

Destination Network
The destination of the packets that the rule uses.
Values:
  A Network class displayed in the Classes tab
  An IP address
  None
  any
Default: any
Caution: If Traffic Exclusion is enabled and you specify a Network class for Destination Network, use the IP Mask Entry type. With Traffic Exclusion enabled, DefensePro cannot block black list entries that are defined with the IP Range Entry type.

Destination Port
The destination Application Port class or application-port number that the rule uses.
Values:
  An Application Port class displayed in the Classes tab
  An application-port number
  None

Physical Ports
The Physical Port class or physical port that the rule uses.
Values:
  A Physical Port class displayed in the Classes tab
  The physical ports on the device
  None
VLAN Tag
The existing VLAN Tag class for the rule.
Values:
  A VLAN Tag class displayed in the Classes tab
  None

Protocol
The protocol of the traffic that the rule inspects.
Values: Any, GRE, ICMP, ICMPv6, IGMP, SCTP, TCP, UDP, IP in IP
Default: Any

Direction
The direction to which the rule relates.
Values:
  One-directional: The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.
  Bi-directional: The protection applies to sessions that match the network definitions of the policy regardless of their direction.
Default: One-directional
Detector Security Module
A DefensePro security module that can identify the root cause of the black list rule. This parameter has no effect on the device operation. If a Security Group configured this Black List rule, the Detector Security Module value displays the DefensePro security module of the Security Group Sender.
Values:
  Admin: The default value in the context of a user-defined, dynamic Black List rule.
  Server Cracking: Displays if a Security Group configured this Black List rule and it was the Server Cracking module of the Security Group Sender that detected the threat.
  Anti-Scan: Displays if a Security Group configured this Black List rule and it was the Anti-Scanning module of the Security Group Sender that detected the threat.
  Vision Reporter
  Connection Limit
  Application Security
  Syn Protection
  HTTP Flood
  Behavioral DoS
  DNS Flood
Default: Admin
Note: For more information on Security Groups, see Managing DefensePro Security Groups, page 55.

Detector
An IP address that can identify the root cause of the black list rule. This parameter has no effect on the device operation. If a Security Group configured this Black List rule, the Detector value displays the IP address of the Security Group Sender.
Note: For more information on Security Groups, see Managing DefensePro Security Groups, page 55.

Action
(Read-only) The action for a Black List rule is always Drop.

Report
Specifies whether the device issues traps for the rule.

Packet Report
Specifies whether the device sends sampled attack packets to APSolute Vision for offline analysis.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting).
When ACL is enabled and activated, the device learns the existing sessions for a specified amount of time (by default, 10 minutes). During this learning period, the device accepts all sessions, including sessions whose direction it cannot determine because they were already open. However, in the following cases ACL treats the session according to the configured policies even during the learning period: a new TCP session that starts with a SYN packet, and a new ICMP session that starts with a request packet.
Configuring the ACL feature involves the following steps: 1. Configuring Global ACL Policy Settings, page 223. 2. Configuring ACL Policy Rules, page 226.
Caution: In a high-availability (HA) setup, when you enable ACL on the primary device, you must reboot the device immediately. If you do not reboot, the secondary device may synchronize its configuration and reboot automatically, causing traffic sent to the secondary device to be blocked in the event of a switchover.
Notes Enabling ACL requires a device reboot. When the ACL feature is disabled, you cannot view or configure ACL policies.
Enable ACL

Default Policy Action
The action of the Default ACL policy when the device reboots after you select the Enable ACL checkbox. (This parameter is available only when the ACL feature is disabled.)
Values:
  Accept: When the device reboots after you select the Enable ACL checkbox, the Default ACL policy accepts all traffic.
  Drop: When the device reboots after you select the Enable ACL checkbox, the Default ACL policy drops all traffic.
  Current: When the device reboots after you select the Enable ACL checkbox, the Default ACL policy uses the Action option that is currently specified.
Default: Current
Note: After you clear the Enable ACL checkbox and reboot, the Default Policy Action option reverts to Current.

Learning Period
The time, in seconds, that the device takes to learn existing sessions before starting the protection. During the learning period, the device accepts all sessions, including sessions whose direction it cannot determine. However, in the following cases ACL treats the session according to the configured policies: a new TCP session that starts with a SYN packet, and a new ICMP session that starts with a request packet.
Values:
  0: The protection starts immediately.
  1 to 4,294,967,295
Default: 600

TCP Handshake Timeout
The time, in seconds, that the device waits for the three-way handshake to complete before the device drops the session.
TCP Timeout in Established State
The time, in seconds, that an idle session remains in the Session table. If the device receives packets for a timed-out, discarded session, the device considers the packets to be out-of-state and drops them.
Values: 60 to 7200
Default: 3600

The time, in seconds, that the session remains in the Session table after the device receives a FIN packet from both sides (from the client and from the server).
Values: 1 to 600
Default: 10

The time, in seconds, that the session remains in the Session table after the device receives a TCP RST packet for the session.
Values: 1 to 600
Default: 30

Specifies what the device does with out-of-state packets.
Values: Drop, Allow
Default: Drop

Specifies the action that the device takes when RST packet validation fails (that is, the packet sequence number is not within the permitted range).
Values: Drop, Allow, Report Only
Default: Drop

UDP Timeout
The time, in seconds, that the device keeps an idle UDP session open. After the timeout, the session is removed from the Session table.
Values: 1 to 3600
Default: 180

Specifies whether the ACL module permits unsolicited ICMP reply messages.

The time, in seconds, that the device keeps an idle ICMP session open. After the timeout, the session is removed from the Session table.
Values: 1 to 300
Default: 60

GRE Timeout
The time, in seconds, that the device keeps an idle GRE session open. After the timeout, the session is removed from the Session table.
Values: 1 to 7200
Default: 3600

SCTP Timeout
The time, in seconds, that the device keeps an idle SCTP session open. After the timeout, the session is removed from the Session table.
Values: 1 to 7200
Default: 3600
Other IP Protocols Timeout
The time, in seconds, that the device keeps an idle session of another IP protocol (not UDP, not ICMP) open. After the timeout, the session is removed from the Session table.
Values: 1 to 7200
Default: 600
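The following Python script is an added example, not part of this guide or of the DefensePro product, that shows how the learning period, the out-of-state action, and the timeouts in the table above interact on a constructed packet trace. It is a simplified model: the session key, the treatment of a SYN/ACK as completing the handshake, and the 30-second TCP handshake timeout (the table gives no value for it) are assumptions made for the example; RST sequence-number validation is omitted. The other default timeouts, the 600-second learning period, and the rule that a new TCP SYN or ICMP request is always policy-checked follow the text.

```python
"""Added example: a simplified ACL session table using the timeouts from the table above."""
from dataclasses import dataclass, field

# Defaults from the table. The page gives no value for the TCP handshake timeout,
# so the 30 seconds used here is an assumption.
TIMEOUTS = {"tcp_handshake": 30, "tcp_established": 3600, "tcp_fin": 10, "tcp_rst": 30,
            "udp": 180, "icmp": 60, "gre": 3600, "sctp": 3600, "other": 600}
LEARNING_PERIOD = 600          # seconds; 0 would start the protection immediately
OUT_OF_STATE_ACTION = "Drop"   # Drop or Allow


@dataclass
class Packet:
    proto: str                       # "TCP", "UDP", "ICMP", "GRE", "SCTP", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()   # TCP flag names, or {"request"} / {"reply"} for ICMP


@dataclass
class Session:
    state: str
    expires: float
    fins: set = field(default_factory=set)   # endpoints that have sent a FIN


class SessionTable:
    """`policy` is the ACL rule lookup for a new session; it returns "Accept" or "Drop"."""

    def __init__(self, start_time: float, policy):
        self.start, self.policy, self.table = start_time, policy, {}

    @staticmethod
    def _key(p: Packet):
        a, b = (p.src, p.sport), (p.dst, p.dport)
        return (p.proto,) + (a + b if a <= b else b + a)   # one key for both directions

    def _new(self, key, state, timeout, now):
        self.table[key] = Session(state, now + TIMEOUTS[timeout])

    def handle(self, p: Packet, now: float) -> str:
        for key in [k for k, s in self.table.items() if s.expires <= now]:
            del self.table[key]                               # timed-out sessions are discarded
        key, f = self._key(p), p.flags
        sess = self.table.get(key)
        learning = now < self.start + LEARNING_PERIOD
        if p.proto == "TCP":
            if "SYN" in f and "ACK" not in f:                 # new session: always policy-checked
                verdict = self.policy(p)
                if verdict == "Accept":
                    self._new(key, "handshake", "tcp_handshake", now)
                return verdict
            if sess is None:
                if learning:                                  # pre-existing session: learn it
                    self._new(key, "established", "tcp_established", now)
                    return "Accept"
                return OUT_OF_STATE_ACTION
            if "RST" in f:
                sess.state, sess.expires = "rst", now + TIMEOUTS["tcp_rst"]
            elif "FIN" in f:
                sess.fins.add((p.src, p.sport))
                if len(sess.fins) == 2:                       # FIN seen from both sides
                    sess.state, sess.expires = "closing", now + TIMEOUTS["tcp_fin"]
            elif sess.state in ("handshake", "established"):  # SYN/ACK or data refreshes the session
                sess.state, sess.expires = "established", now + TIMEOUTS["tcp_established"]
            return "Accept"
        if p.proto == "ICMP" and "request" in f:              # new ICMP session: always policy-checked
            verdict = self.policy(p)
            if verdict == "Accept":
                self._new(key, "icmp", "icmp", now)
            return verdict
        if p.proto == "ICMP" and sess is None and not learning:
            return OUT_OF_STATE_ACTION                        # unsolicited reply, not permitted here
        if sess is None and not learning:
            verdict = self.policy(p)                          # first packet of a UDP/GRE/SCTP/other session
            if verdict != "Accept":
                return verdict
        name = p.proto.lower()
        self._new(key, name, name if name in TIMEOUTS else "other", now)
        return "Accept"


def tcp(src, dst, *flags):
    """Build a TCP packet from (ip, port) endpoints."""
    return Packet("TCP", src[0], dst[0], src[1], dst[1], frozenset(flags))


def demo():
    """Constructed trace; returns the verdict for each packet in order."""
    tbl = SessionTable(start_time=0.0, policy=lambda p: "Accept")
    c, s, other = ("198.51.100.5", 40001), ("203.0.113.80", 443), ("192.0.2.7", 5555)
    trace = [
        (tcp(other, s, "ACK"), 10.0),                 # mid-session ACK during learning: learned
        (tcp(c, s, "SYN"), 700.0),                    # after learning: policy decides, handshake timer
        (tcp(s, c, "SYN", "ACK"), 700.1),
        (tcp(c, s, "ACK"), 700.2),                    # established, 3600 s idle timer
        (tcp(("192.0.2.8", 5556), s, "ACK"), 800.0),  # unknown session, learning over: out of state
        (tcp(s, c, "RST"), 1000.0),                   # session kept for the 30 s RST timeout
        (tcp(c, s, "ACK"), 1031.0),                   # RST timeout elapsed: out of state
    ]
    return [tbl.handle(p, t) for p, t in trace]
```

Running demo() accepts the learned session, the handshake, and the RST, and drops the two out-of-state ACKs; the same table drops an unsolicited ICMP reply after the learning period but accepts the reply to a request it has seen.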
3. Configure the parameters.
4. To activate your configuration changes on the device, click Activate Latest Changes.
Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.
Identification

Rule Name
The name of the rule. Maximum characters:

Rule Index
The index number of the rule. DefensePro examines policy rules in ascending order of index numbers.
Values: 1 to 4,294,967,295

Enable
When selected, the rule is active.

Description
The user-defined description of the rule.

The predefined event schedule that activates the policy.
Default: None

The predefined event schedule that de-activates the policy.
Default: None

Report
Specifies whether the device issues traps for the rule.
Classification

Protocol
The protocol of the traffic that the policy inspects.
Values: Any, TCP, UDP, GRE, L2TP, GTP, IPinIP, SCTP, ICMP, Other
Default: Any

Source
The existing source Network class of the packets that the policy inspects.
Values:
  The Network classes displayed in the Classes tab
  any
  any_ipv4
  any_ipv6
  None
Default: any

Destination
The existing destination Network class of the packets that the policy inspects.
Values:
  The Network classes displayed in the Classes tab
  any
  any_ipv4
  any_ipv6
  None
Default: any

Physical Port Group
The Physical Port class or physical port that the rule uses.
Values:
  A Physical Port class displayed in the Classes tab
  The physical ports on the device
  None

VLAN Tag Group
The existing VLAN Tag class for the rule.
Values:
  The VLAN Tag classes displayed in the Classes tab
  None
Default: None

Service
(This parameter is available only when TCP or UDP is selected for the Protocol parameter.) The Service for the rule. Services characterize traffic based on Layer 3 to Layer 7 criteria. A Service is a configuration of a basic filter, which may be combined with logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters). You can choose from a long list of predefined basic filters.

Action
The action that the policy takes on packets that match the classification.
Values: Accept, Drop, Drop + RST Source
Default: Accept

ICMP Flags
The ICMP flags in the packets that the policy inspects. DefensePro inspects only the packets with the selected flags. You can specify ICMP flags only when ICMP is the specified protocol.
Values: Source Quench, TIME STAMP, Information, Address Mask, Alternate Host Address, Domain, Router Advertisement, Router Solicitation, Destination Unreachable, REDIRECT, Time Exceeded, Parameter Problem, Echo, Packet Too Big, Home Agent
Classes define groups of elements of the same type of entity. You can configure classes based on the following:
  Networks, to classify traffic in a Network Protection policy/rule.
  Services, to classify traffic based on criteria for Layers 3 to 7. A Service is a configuration of a basic filter, which may be combined with logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters).
  Application ports, to define or modify applications based on Layer 4 destination ports.
  Physical device ports, to classify traffic in a network-protection rule.
  VLAN tags, to classify traffic in a Network Protection policy/rule.
  MAC addresses, to classify traffic whose source or destination is a transparent network device.
  MPLS RDs, to classify traffic in a Network Protection policy/rule.
After you create or modify a class, the configuration is saved in the APSolute Vision database. You must activate the configuration to download it to the device. You can also view the current class configurations on your device. After creation, you cannot modify the name of a class, or the configuration of application, MAC, or physical port classes.
DefensePro User Guide  Managing Classes

You can use network classes in the following:
  Black lists
  White lists
  Network-protection policies/rules, to match source or destination traffic
Note: APSolute Vision often uses the term rule (or rules), whereas DefensePro uses the term policy (or policies).
Configure the network class parameters. To activate your configuration changes on the device, click Activate Latest Changes.
Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.
Network Name
The name of the network class. The network name is case-sensitive. The network name cannot be an IP address.

Values: IPv4, IPv6

Specifies whether the network is defined by a subnet and mask, or by an IP range.
Values: IP Mask, IP Range

Network Address (For an IP Mask entry only)
The network address.

Mask (For an IP Mask entry only)
The mask of the subnet, which you can enter in either of the following ways:
  A subnet mask in dotted decimal notation, for example, 255.0.0.0 or 255.255.0.0.
  An IP prefix, that is, the number of mask bits, for example, 8 or 16.
From IP (For an IP Range entry only)
The first IP address in the range.

To IP (For an IP Range entry only)
The last IP address in the range.
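The following Python script is an added example, not part of this guide or of the DefensePro product. It builds network classes from IP Mask entries (with the mask given either in dotted decimal or as a prefix length) and from IP Range entries, and then evaluates ACL policy rules against them in ascending index order with the One-directional and Bi-directional semantics described earlier for the ACL rule table. Because a range entry is stored as the minimal list of equivalent subnet/mask networks, the same function also shows how an IP Range entry can be re-expressed as IP Mask entries, which the black list cautions require when Traffic Exclusion is enabled. The class and rule names, the addresses, and the rule layout are constructed for the example.

```python
"""Added example: network classes (IP Mask and IP Range entries) and ACL rule evaluation."""
import ipaddress
from dataclasses import dataclass


def mask_entry(address: str, mask):
    """IP Mask entry. The mask may be dotted decimal ("255.255.0.0") or a prefix length (16)."""
    return [ipaddress.ip_network(f"{address}/{mask}", strict=False)]


def range_entry(first: str, last: str):
    """IP Range entry, stored as the minimal list of equivalent subnet/mask networks."""
    return list(ipaddress.summarize_address_range(ipaddress.ip_address(first),
                                                  ipaddress.ip_address(last)))


class NetworkClass:
    """A named class; 'any', 'any_ipv4' and 'any_ipv6' are the predefined classes."""

    def __init__(self, name: str, networks=()):
        self.name = name
        self.networks = list(networks)

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if self.name == "any":
            return True
        if self.name == "any_ipv4":
            return addr.version == 4
        if self.name == "any_ipv6":
            return addr.version == 6
        # An IPv6 address is never inside an IPv4 network and vice versa.
        return any(addr in net for net in self.networks)


@dataclass
class Packet:
    proto: str
    src: str
    dst: str


@dataclass
class Rule:
    index: int
    name: str
    protocol: str            # "Any", "TCP", "UDP", ...
    source: NetworkClass
    destination: NetworkClass
    direction: str           # "One-directional" or "Bi-directional"
    action: str              # "Accept", "Drop", "Drop + RST Source"

    def matches(self, p: Packet) -> bool:
        if self.protocol != "Any" and self.protocol != p.proto:
            return False
        forward = self.source.contains(p.src) and self.destination.contains(p.dst)
        if self.direction == "Bi-directional":
            return forward or (self.source.contains(p.dst) and self.destination.contains(p.src))
        return forward


def evaluate(rules, p: Packet, default_action="Drop"):
    """First match in ascending index order wins; returns (rule name, action)."""
    for rule in sorted(rules, key=lambda r: r.index):
        if rule.matches(p):
            return rule.name, rule.action
    return "Default", default_action


# Constructed classes and rules for the example.
SCANNERS = NetworkClass("scanners", range_entry("192.0.2.5", "192.0.2.12"))
DMZ = NetworkClass("dmz", mask_entry("10.1.0.0", "255.255.0.0") + mask_entry("2001:db8:1::", 48))
ANY = NetworkClass("any")

RULES = [
    Rule(20, "dmz-web", "TCP", ANY, DMZ, "Bi-directional", "Accept"),
    Rule(10, "block-scanners", "Any", SCANNERS, ANY, "One-directional", "Drop + RST Source"),
]

if __name__ == "__main__":
    print([str(n) for n in SCANNERS.networks])   # the range as mask entries
    for pkt in (Packet("TCP", "192.0.2.7", "10.1.5.5"), Packet("TCP", "198.51.100.9", "10.1.5.5"),
                Packet("UDP", "198.51.100.9", "10.1.5.5")):
        print(pkt, "->", evaluate(RULES, pkt))
```

Rule 10 is listed second but is evaluated first because the index, not the list position, orders the rules; the range 192.0.2.5 to 192.0.2.12 becomes four mask entries (/32, /31, /30, /32).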
Offset Mask Pattern Condition (OMPC)
The OMPC is a means by which any bit pattern can be located, for a match, at any offset in the packet. This can help in locating specific bits in the IP header; the TOS and DiffServ bits are good examples of where OMPCs are useful. It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured, there must be an OMPC match in addition to a protocol (and source/destination port) match. In other words, if an OMPC is configured, the packet needs to match the configured protocol (and ports) and the OMPC.

Content Specifications
When the protocol of a basic filter is TCP or UDP, you can search for any text string in the packet. Like an OMPC, a text pattern can be searched for at any offset in the packet. HTTP URLs are a good example of how a text search can help in classifying a session.
You can choose from the many types of configurable content, for example, URL, hostname, HTTP header field, cookie, mail domain, mail subject, file type, regular expression, text, and so on. When the content type is URL, for example, the module assumes the session to be HTTP with a GET, HEAD, or POST method, and searches the URL that follows the GET/HEAD/POST for a match with the configured text. In this case the configured offset is meaningless, since the GET/HEAD/POST is at a fixed location in the HTTP header. If the content type is Text, the module searches the entire packet for the content text, starting at the configured offset. By allowing a filter to take the actual content of a packet or session into account, the module can recognize and classify a wider array of packets and sessions. Like OMPCs, Content Rules are not mandatory. However, when a Content Rule exists in the filter, the packet must match the configured protocol (and ports), the OMPC (if one exists) and the Content Rule.
Name
The name of the filter.

Protocol
Values: IP, TCP, UDP, ICMP, NonIP, ICMPV6, SCTP
Default: IP
Source App. Port
The Layer-4 source port for TCP, UDP, or SCTP traffic.
Values: dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp

Destination App. Port
The Layer-4 destination port for TCP, UDP, or SCTP traffic.
Values: dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp
OMPC Offset Relative to
Specifies the point in the packet to which the OMPC Offset is relative.
Values: None, IPv4 Header, IPv6 Header, IP Data, L4 Data, ASN1, Ethernet, L4 Header

OMPC Offset
The location in the packet where the data starts being checked for specific bits in the IP or TCP header.
Values: 0 to 1513

OMPC Mask
The mask for the OMPC data. The value must be defined according to the OMPC Length parameter.
Values: Must comprise eight hexadecimal symbols
Default: 00000000

OMPC Pattern
The fixed-size pattern within the packet that the OMPC rule attempts to find. The value must be defined according to the OMPC Length parameter. The OMPC Pattern must contain eight hexadecimal symbols. If the value of the OMPC Length parameter is smaller than Four Bytes, pad the OMPC Pattern with zeros. For example, if OMPC Length is Two Bytes, the OMPC Pattern can be abcd0000.
Values: Must comprise eight hexadecimal symbols
Default: 00000000

OMPC Condition
Default: None

OMPC Length
Values: None, One Byte, Two Bytes, Three Bytes, Four Bytes
Default: None

Content Offset
The location in the packet at which the checking of content starts.
Values: 0 to 1513
Content
The value of the content search.
Values: < space > ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~

Content Type
The specific content type to search for.
Values:
  None
  URL: A URL in the HTTP request URI.
  Text: Text anywhere in the packet.
  Normalized URL: A normalized URL in the HTTP request URI.
  POP3 User: The POP3 User field in the POP3 header.
  URI Length: Filters according to URI length.
  FTP Command: Parses FTP commands into commands and arguments, while normalizing FTP packets and stripping Telnet opcodes.
  FTP Content: Scans the data transmitted using FTP, normalizes FTP packets and strips Telnet opcodes.
  Generic Url: The generic URL in the HTTP Request URI. No normalization is performed. GET/HEAD/POST is not required when this type is selected. This is applicable for protocols like SIP, BitTorrent, and so on.
  Generic Header: In the HTTP Request URI. No normalization is performed. GET/HEAD/POST is not required when this type is selected. This is applicable for protocols like SIP, BitTorrent, and so on.
  Generic Cookie: In the HTTP Request URI. No normalization is performed. GET/HEAD/POST is not required when this type is selected. This is applicable for protocols like SIP, BitTorrent, and so on.
  Hostname: A hostname in the HTTP header. The host names in the Hostname List of an L7 Policy are not algorithmically related to a host name configured for a basic filter.
  Header Field: A header field in the HTTP header.
  Expression: Text anywhere in the packet, represented by a regular expression specified in the Content field.
  Mail Domain: The Mail Domain in the SMTP header.
  Mail To: The Mail To SMTP header.
  Mail From: The Mail From SMTP header.
  Mail Subject: The Mail Subject SMTP header.
  File Type: The type of the requested file in the HTTP GET command (for example, JPG, EXE, and so on).
  Cookie: The HTTP cookie field. The Content field includes the cookie name, and the Content Data field includes the cookie value.

The location in the packet at which the checking of content ends. Refers to the search for the content within the packet.
Content Coding
The encoding type of the content to search for (as specified in the Content field).
Values: None, Case Insensitive, Case Sensitive, HEX, International
Default: None
Note: The value of this field corresponds to the Content Type parameter.

Content Data Coding
The encoding type of the content data to search for (as specified in the Content Data field).
Values: None, Case Insensitive, Case Sensitive, HEX, International
Default: None
Note: The value of this field corresponds to the Content Type parameter.

Description
A description of the filter.

Session Type
The specific session type to search for.
Values: None, Ftp Control, Ftp Data, Ftp All, Tftp Control, Tftp Data, Tftp All, Rshell Control, Rshell Data, Rshell All, Rexec Control, Rexec Errors, Rexec All, H225 Control, H245 session, H225 All, SIP Signal, SIP Media Control, SIP Audio, SIP All
Default: None

Session Type Direction
The specific direction of the specified session type to search for.
Values: All, Request, Reply
Default: None
Example
The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as: AF1= {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three filters (F1, F2, and F3).
Caution: If you modify the configuration of a filter that is used in an existing and enabled policy, you need to activate the latest changes.
AND Group Name: The name of the AND Group.
Basic Filter Name: The basic filter for this AND Group.
AND Group Type: (Read-only) Values: Static (the AND Group is predefined), Regular (the AND Group is user-defined).
Example
The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as: AF1 = {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three filters (F1, F2, and F3). Filter FG1 is user-defined as: FG1 = {AF1 OR F4 OR F6}. In order for a packet to match FG1, the packet must match either filter AF1, basic filter F4, or basic filter F6. Use the Modify OR Groups Table pane to create, modify, and delete the OR Group filters.
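The AND/OR composition in this example, together with the Content Type and Content Coding options listed for basic filters, as an added example that is not part of the Radware guide: a small Python model of basic filters, AND Groups and OR Groups evaluated against constructed packets. The packet model, the class and function names, and the exact semantics assumed for the None and HEX codings are assumptions made for this illustration.

```python
"""Added example (not Radware's code): basic filters composed into AND Groups
and OR Groups, with Content Coding applied to the match. Names and the packet
model are assumptions for illustration."""
import re
from dataclasses import dataclass, field


@dataclass
class Packet:
    """Constructed packet model carrying only the fields the filters inspect."""
    hostname: str = ""
    headers: dict = field(default_factory=dict)   # header name -> value
    cookies: dict = field(default_factory=dict)   # cookie name -> value
    file_type: str = ""                            # extension of the requested file
    payload: bytes = b""                           # raw bytes for Expression matching


@dataclass
class BasicFilter:
    name: str
    content_type: str             # Hostname, Header Field, Expression, File Type, Cookie
    content: str                  # text to search for; the cookie name for Cookie
    content_data: str = ""        # the cookie value for Cookie
    content_coding: str = "None"  # None, Case Insensitive, Case Sensitive, HEX


def text_matches(needle: str, haystack: str, coding: str) -> bool:
    """Substring search under a Content Coding (assumed: None and Case Sensitive
    compare exactly; HEX decodes the needle to bytes before searching)."""
    if coding == "HEX":
        return bytes.fromhex(needle) in haystack.encode("latin-1")
    if coding == "Case Insensitive":
        return needle.lower() in haystack.lower()
    return needle in haystack


def match_basic(f: BasicFilter, pkt: Packet) -> bool:
    """Evaluate one basic filter against a packet."""
    if f.content_type == "Hostname":
        return text_matches(f.content, pkt.hostname, f.content_coding)
    if f.content_type == "Header Field":
        # Content is written as "Name: value"; every header line is searched
        return any(text_matches(f.content, f"{k}: {v}", f.content_coding)
                   for k, v in pkt.headers.items())
    if f.content_type == "File Type":
        return text_matches(f.content, pkt.file_type, f.content_coding)
    if f.content_type == "Cookie":
        # cookie name comes from Content, cookie value from Content Data
        value = pkt.cookies.get(f.content)
        return value is not None and text_matches(f.content_data, value, f.content_coding)
    if f.content_type == "Expression":
        # regular expression searched anywhere in the packet
        flags = re.IGNORECASE if f.content_coding == "Case Insensitive" else 0
        return re.search(f.content.encode(), pkt.payload, flags) is not None
    raise ValueError(f"unsupported Content Type: {f.content_type}")


class FilterEngine:
    """Holds basic filters, AND Groups and OR Groups and evaluates them."""

    def __init__(self):
        self.basic = {}       # name -> BasicFilter
        self.and_groups = {}  # name -> list of basic filter names
        self.or_groups = {}   # name -> list of basic filter or AND Group names

    def add_basic(self, f: BasicFilter):
        self.basic[f.name] = f

    def add_and_group(self, name, members):
        self.and_groups[name] = list(members)

    def add_or_group(self, name, members):
        self.or_groups[name] = list(members)

    def match_and_group(self, name, pkt) -> bool:
        # every basic filter in the AND Group must match
        return all(match_basic(self.basic[m], pkt) for m in self.and_groups[name])

    def match_or_group(self, name, pkt) -> bool:
        # any member (basic filter or AND Group) matching is enough
        for m in self.or_groups[name]:
            if m in self.and_groups:
                if self.match_and_group(m, pkt):
                    return True
            elif match_basic(self.basic[m], pkt):
                return True
        return False


def build_example_engine() -> FilterEngine:
    """AF1 = {F1 AND F2 AND F3} and FG1 = {AF1 OR F4 OR F6}, with constructed filters."""
    e = FilterEngine()
    e.add_basic(BasicFilter("F1", "Hostname", "updates.example.test", content_coding="Case Insensitive"))
    e.add_basic(BasicFilter("F2", "Header Field", "User-Agent: curl", content_coding="Case Sensitive"))
    e.add_basic(BasicFilter("F3", "File Type", "EXE", content_coding="Case Insensitive"))
    e.add_basic(BasicFilter("F4", "Cookie", "session", "admin"))
    e.add_basic(BasicFilter("F6", "Expression", r"cmd=[a-z]+;"))
    e.add_and_group("AF1", ["F1", "F2", "F3"])
    e.add_or_group("FG1", ["AF1", "F4", "F6"])
    return e
```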
Caution: If you modify the configuration of a filter that is used in an existing and enabled policy, you need to activate the latest changes.
OR Group Name: The name of the OR Group.
Filter Name: The filter for this OR Group, which can be a Basic filter or an AND Group.
Filter Type: Values: Basic Filter, AND Group.
OR Group Type: (Read-only) Values: Static (the OR Group is predefined), Regular (the OR Group is user-defined).
3. Configure application class parameters.
4. To activate your configuration changes on the device, click Activate Latest Changes.
Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.
Ports Group Name: The name of the Application Port Group. To associate a number of ranges with the same port group, use the same name for all the ranges that you want to include in the group. Each range appears as a separate row with the same name in the Application Port Group table.
(Read-only) Values: System Defined, User Defined.
From L4 Port: The first port in the range.
To L4 Port: The last port in the range. To define a group with a single port, set the same value for the From L4 Port and To L4 Port parameters.
Enter a name for the physical port class, and select the inbound port to be associated with it. Click OK.
To activate your configuration changes on the device, click Activate Latest Changes.
Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.
Configure VLAN tag group class parameters.
To activate your configuration changes on the device, click Activate Latest Changes.
Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.
VLAN Tags Group Name: The name of the VLAN group.
Group Mode: The VLAN mode. Values: Discrete (an individual VLAN tag, as defined in the interface parameters of the device), Range (a group of sequential VLAN tag numbers, as defined in the interface parameters of the device).
VLAN Tag (Discrete mode only): The VLAN tag number.
VLAN Tag From (Range mode only): The first VLAN tag in the range. You cannot modify this field after creating the VLAN group.
VLAN Tag To (Range mode only): The last VLAN tag in the range.
3. Enter a name for the MAC group and the MAC address associated with the group. Click OK.
4. To activate your configuration changes on the device, click Activate Latest Changes.
Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.
Note: For information about basic filters, see Configuring Basic Filters, page 233.
Note: For information about AND Groups, see Configuring AND Group Filters, page 239.
Note: For information about OR Groups, see Configuring OR Group Filters, page 239.
DefensePro User Guide: Managing Classes
You can define the segment that you want to protect using MPLS RDs. DefensePro detects the MPLS RD values when installed between P (provider) and PE (provider edge) routers in the provider's MPLS backbone. Only the packets that match the MPLS RD value of this segment are inspected by the policy.
Note: To use MPLS RD, you must enable MPLS RD and configure the MPLS RD groups.
Group Name: A user-defined name for the MPLS RD group.
MPLS RD: The MPLS RD value, entered manually in the format selected by the Type parameter.
Type: Describes the MPLS RD format. Values: 2 Bytes : 4 Bytes, 4 Bytes : 2 Bytes, IP Address : 2 Bytes.
Note: You can schedule device reboots in the APSolute Vision scheduler. For more information, see Configuring Tasks in the Scheduler, page 259.
Note: The date and time display is a snapshot only. It does not change if the dialog box is left open.
DefensePro User Guide: Managing Device Operations and Maintenance
The software version file must be located on the APSolute Vision client system. APSolute Vision automatically transfers it to the APSolute Vision server and uploads it to the device. New software versions require a password, which can be obtained from the Radware corporate Web site. For a maintenance-only upgrade, the password is not required. After the device upgrade is complete, you must reboot the device.
Caution: Before upgrading to a newer software version, do the following:
- Back up the existing configuration file. For more information, see Downloading a Device's Configuration File, page 255.
- Ensure that you have configured on the device the authentication details for the protocol used to upload the file.
Upload Via: (Read-only in APSolute Vision 2.10 and later) The protocol used to upload the software file from APSolute Vision to the device. Value: HTTPS.
The name of the file to upload.
The software version number as specified in the new software documentation.
Enter the password received with the new software version, and verify. The password is case sensitive.
Download Via: (Read-only in APSolute Vision 2.10 and later) The protocol used to download the log file. Value: HTTPS.
Save As: Save the downloaded log file as a text file on the client system. Enter or browse to the location of the saved log file, and select or enter a file name.
MAC-ADDRESS.sig.
Note: You can schedule Signature File updates in the APSolute Vision scheduler. For more information, see Configuring Tasks in the Scheduler, page 259.
Signature Type: The type of the signature file to upload to the device. Values: Radware Signatures, RSA Signatures.
Update From: The location of the signature file to upload. Values: Radware.com (APSolute Vision uploads the signature file directly from Radware.com or from the proxy server that is configured in the Vision Server Connection configuration), Client (APSolute Vision uploads the signature file from the APSolute Vision client system; this option is only available for Radware signatures).
Upload Via: The protocol used to upload the signature file. Values: HTTP, HTTPS, TFTP.
File Name (displayed only when Update From Client is selected): Name of the signature file on the client system.
Note: If you encounter a problem with the APSolute Vision server or APSolute Vision client (as opposed to the DefensePro device), see the APSolute Vision User Guide.
Download Via: (Read-only in APSolute Vision 2.10 and later) The protocol used to download the technical support file. Value: HTTPS.
Save As: Save the downloaded technical support file as a text file on the client system. Enter or browse to the location of the saved file, and select or enter a file name.
following commands will take effect only once the device has been rebooted!
Commands that do not require rebooting the device
Copying and pasting a command from this section takes effect immediately after pasting. The commands in the section are not bound to SNMP. The section has the heading: The following commands take effect
Note: You can schedule configuration file backups in the APSolute Vision scheduler. For more information, see Configuring Tasks in the Scheduler, page 259.
Download to: Where to back up the device configuration file. Values: Client, Server.
Download Via: (Read-only) The protocol used to download the configuration file. Values: HTTPS.
Save As: Save the downloaded configuration file as a text file on the client system. On the server, the default name is a combination of the device name and backup date and time. You can change the default name.
When enabled, the certificate private key information is included in the downloaded file. You must include the private key information to restore the private keys; otherwise, the device reverts to default keys.
Upload from: The location of the backup device configuration file to send. Values: Client, Server.
Upload Via: (Read-only in APSolute Vision 2.10 and later) The protocol used to upload the configuration file. Value: HTTPS.
File Name: When uploading from the client system, enter or browse to the name of the configuration file to upload. When uploading from the server, select the configuration to upload.
Note: For information on how to schedule operations in the APSolute Vision server, see the APSolute Vision User Guide or APSolute Vision online help.
Overview of Scheduling
You can schedule various operations for the APSolute Vision server and managed devices. Scheduled operations are called tasks. The APSolute Vision scheduler tracks when tasks were last performed and when they are due to be performed next. When you configure a task for multiple devices, the task runs on each device sequentially. After the task completes on one device, it begins on the next. If the task fails to complete on a device, the Scheduler will activate the task on the next listed device. Scheduled tasks run according to the time as configured on the APSolute Vision client.
Caution: If the APSolute Vision client time zone differs from the time zone of the APSolute Vision server or the managed device, take the time offset into consideration.
When you define a task, you can choose whether to enable or disable the task. All configured tasks are stored in the APSolute Vision database. You can define the following types of DefensePro-related scheduled tasks:
- Back up APSolute Vision Reporter data
- Back up a device configuration
- Reboot a device
- Update the RSA signature file onto a DefensePro device from Radware.com or the proxy server
- Update the Radware signature file onto a DefensePro device from Radware.com or the proxy server
- Update the APSolute Vision Attack Description file from Radware.com or the proxy server
Note: You can perform the operations manually, from the Monitoring perspective. For more information, see:
- Updating the Attack Description File, page 54
- Rebooting a DefensePro Device, page 249
- Updating a Radware Signature File or RSA Signature File, page 252
- Downloading a Device's Configuration File, page 255
Name: The name of the configured task.
Task Type: The type of task to be performed.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task is saved in the database.
Schedule: The frequency at which the task runs; for example, daily or weekly. The schedule start date is displayed, if it has been defined.
Current Status: The current status of the task. Values: Waiting, In progress.
Last Execution Status: Whether the last task run was successful. When the task is disabled or has not yet started, the status is Never Executed.
Last Execution Time: The date and time of the last task run. When the task is disabled or has not yet started, this field is empty.
Next Execution Time: The date and time of the next task run. When the task is disabled, this field is empty.
Description: The user-defined description of the task.
3. Configure task parameters, and click OK. All task configurations include basic parameters and scheduling parameters. Other parameters depend on the type of task selected. For more information, see the description of the relevant Task Parameters.
Task Parameters
Set the following parameters to configure tasks in the Scheduler:
- APSolute Vision Reporter Backup Task, page 260
- Device Configuration Backup Parameters, page 262
- Device Reboot Parameters, page 264
- Update RSA Signature Files for a Device, page 265
- Update Radware Security Signature Files for a Device, page 267
- Update APSolute Vision Attack Description File Parameters, page 268
Notes
- For information on managing the backups using CLI, see the APSolute Vision User Guide.
- APSolute Vision stores up to three iterations of the APSolute Vision Reporter data in the storage location. After the third reporter backup, the system deletes the oldest one.
- The storage location is, by default, a hard-coded location in the APSolute Vision server.
- The backup filenames in the storage location are the first five characters of the specified filename plus a 10-character timestamp. When the task exports the backup file, the filename is as specified in the task configuration.
- The backup file in the storage location includes the hard-coded description Scheduler-
Name: The name of the task.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.
Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values: Once (the task runs one time only at the specified date and time), Minutes (the task runs at intervals of the specified number of minutes between task starts), Daily (the task runs daily at the specified time), Weekly (the task runs every week on the specified day or days, at the specified time).
Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.
Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values: Enabled (the task is activated immediately and runs indefinitely, with no start or end time; it runs at the first Time configured with the Frequency in the Schedule group box), Disabled (the task runs, at the Time and Frequency specified in the Schedule group box, from the specified Start Date at the Start Time until the End Date at the End Time). Default: Enabled.
Start Date, Start Time (5): The date and time at which the task is activated.
End Date, End Time (5): The date and time after which the task no longer runs.
(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.
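The Run Always and Schedule Period semantics above, together with the earlier caution that the APSolute Vision client time zone may differ from the device's, as an added example that is not part of APSolute Vision: a Python check of whether a Daily or Weekly task whose Time was entered on the client is due at a given instant on the device's clock. The fixed UTC+2 client zone, the UTC device zone, and all function and field names are assumptions made for this illustration.

```python
"""Added example (not part of the APSolute Vision product): is a scheduled task
due right now on the device, given that Time, Start/End and Run Always were
entered in the client's time zone? Zones and names are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed zones: the APSolute Vision client runs at UTC+2, the managed
# device keeps its clock in UTC. This offset is what the caution is about.
CLIENT_TZ = timezone(timedelta(hours=2))
DEVICE_TZ = timezone.utc


@dataclass
class SchedulePeriod:
    run_always: bool = True            # Run Always checkbox (default: Enabled)
    start: Optional[datetime] = None   # Start Date + Start Time, client clock
    end: Optional[datetime] = None     # End Date + End Time, client clock


def client_time(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as typed into the client, in the client's zone."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=CLIENT_TZ)


def device_time(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM' as read from the device's own clock."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M").replace(tzinfo=DEVICE_TZ)


def device_local(when_client: datetime) -> datetime:
    """Show a client-entered instant on the device's wall clock."""
    return when_client.astimezone(DEVICE_TZ)


def in_period(period: SchedulePeriod, now_client: datetime) -> bool:
    """Run Always enabled: no bounds. Cleared: only from Start until End."""
    if period.run_always:
        return True
    if period.start is None or period.end is None:
        raise ValueError("Start and End Date/Time are required when Run Always is cleared")
    return period.start <= now_client <= period.end


def task_due(frequency: str, time_of_day: str, period: SchedulePeriod,
             now_device: datetime, weekdays=()) -> bool:
    """True if a Daily or Weekly task with the given client-local Time ('HH:MM')
    is due at now_device. Tasks run by the client's clock, so the device instant
    is converted to client time before comparing."""
    now_client = now_device.astimezone(CLIENT_TZ)
    if not in_period(period, now_client):
        return False
    if now_client.strftime("%H:%M") != time_of_day:
        return False
    if frequency == "Daily":
        return True
    if frequency == "Weekly":
        # weekdays holds abbreviated day names such as ("Mon", "Wed")
        return now_client.strftime("%a") in weekdays
    raise ValueError(f"unsupported Frequency for this check: {frequency}")
```

A Daily task entered as 02:00 on the client therefore fires at 00:00 on the device's clock in this setup, which matters when the Time was chosen for a device-side maintenance window.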
Parameters
Protocol: The protocol that APSolute Vision uses for this task. Values: FTP, SCP, SFTP, SSH. Default: FTP.
Destination
IP Address: The IP address of the server.
Directory: The path to the export directory, with no spaces. Only alphanumeric characters and underscores (_) are allowed.
Backup File Name: The name of the backup, up to 15 characters, with no spaces. Only alphanumeric characters and underscores (_) are allowed.
User: The username.
Password: The user password.
Verify Password: The user password.
Note: By default you can save up to five (5) configuration files per device on the APSolute Vision server. You can change this parameter in the APSolute Vision Setup tab. For more information, see the APSolute Vision User Guide.
Name: The name of the task.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.
Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values: Once (the task runs one time only at the specified date and time), Minutes (the task runs at intervals of the specified number of minutes between task starts), Daily (the task runs daily at the specified time), Weekly (the task runs every week on the specified day or days, at the specified time).
Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.
Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values: Enabled (the task is activated immediately and runs indefinitely, with no start or end time; it runs at the first Time configured with the Frequency in the Schedule group box), Disabled (the task runs, at the Time and Frequency specified in the Schedule group box, from the specified Start Date at the Start Time until the End Date at the End Time). Default: Enabled.
Start Date, Start Time (5): The date and time at which the task is activated.
End Date, End Time (5): The date and time after which the task no longer runs.
(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.
Devices
The configurations of devices in the Selected Devices list will be backed up.
Name: The name of the task.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.
Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values: Once (the task runs one time only at the specified date and time), Minutes (the task runs at intervals of the specified number of minutes between task starts), Daily (the task runs daily at the specified time), Weekly (the task runs every week on the specified day or days, at the specified time).
Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.
Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values: Enabled (the task is activated immediately and runs indefinitely, with no start or end time; it runs at the first Time configured with the Frequency in the Schedule group box), Disabled (the task runs, at the Time and Frequency specified in the Schedule group box, from the specified Start Date at the Start Time until the End Date at the End Time). Default: Enabled.
Start Date, Start Time (5): The date and time at which the task is activated.
End Date, End Time (5): The date and time after which the task no longer runs.
(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.
Devices
The devices in the Selected Devices list will be rebooted.
Note: The frequency range for the Update RSA Security Signature task is 10 to 60 minutes. The default interval is 60 minutes.
Name: The name of the task.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.
Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values: Once (the task runs one time only at the specified date and time), Minutes (the task runs at intervals of the specified number of minutes between task starts), Daily (the task runs daily at the specified time), Weekly (the task runs every week on the specified day or days, at the specified time).
Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.
Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values: Enabled (the task is activated immediately and runs indefinitely, with no start or end time; it runs at the first Time configured with the Frequency in the Schedule group box), Disabled (the task runs, at the Time and Frequency specified in the Schedule group box, from the specified Start Date at the Start Time until the End Date at the End Time). Default: Enabled.
Start Date, Start Time (5): The date and time at which the task is activated.
End Date, End Time (5): The date and time after which the task no longer runs.
(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.
Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the DefensePro devices with Fraud Protection enabled. The Selected Devices list displays the DefensePro devices whose RSA signature files this task updates.
Name: The name of the task.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.
Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values: Once (the task runs one time only at the specified date and time), Minutes (the task runs at intervals of the specified number of minutes between task starts), Daily (the task runs daily at the specified time), Weekly (the task runs every week on the specified day or days, at the specified time).
Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.
Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values: Enabled (the task is activated immediately and runs indefinitely, with no start or end time; it runs at the first Time configured with the Frequency in the Schedule group box), Disabled (the task runs, at the Time and Frequency specified in the Schedule group box, from the specified Start Date at the Start Time until the End Date at the End Time). Default: Enabled.
Start Date, Start Time (5): The date and time at which the task is activated.
End Date, End Time (5): The date and time after which the task no longer runs.
(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.
Communication Parameters
Upload Protocol: The protocol used to upload the updated signature file from APSolute Vision to the device. Values: HTTPS, HTTP, TFTP. Default: HTTPS.
Devices
The signature files for DefensePro devices in the Selected Devices list will be updated.
Name: The name of the task.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.
Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values: Once (the task runs one time only at the specified date and time), Minutes (the task runs at intervals of the specified number of minutes between task starts), Daily (the task runs daily at the specified time), Weekly (the task runs every week on the specified day or days, at the specified time).
Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.
Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values: Enabled (the task is activated immediately and runs indefinitely, with no start or end time; it runs at the first Time configured with the Frequency in the Schedule group box), Disabled (the task runs, at the Time and Frequency specified in the Schedule group box, from the specified Start Date at the Start Time until the End Date at the End Time). Default: Enabled.
Start Date, Start Time (5): The date and time at which the task is activated.
End Date, End Time (5): The date and time after which the task no longer runs.
(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.
To view monitoring information for a physical device or interface, you must first select the device or interface in the Monitoring perspective navigation pane System tab.
Select the DefensePro device to monitor in the Monitoring perspective system pane.
Parameters: Operational Status, Device is Monitored, Management IP, Hardware Platform, Uptime, Base MAC Address
Signature Update
Radware Signature File Version: The version of the Radware Signature File installed on the device.
RSA Signatures Last Update: When RSA is enabled, this parameter can display the timestamp of the last update of RSA signatures, received from Radware.com and downloaded to the DefensePro device. Values: the timestamp, in DDD MMM DD hh:mm:ss yyyy z format, displayed according to the time zone of your APSolute Vision client; No Feeds Received Since Device Boot.
Software
Software Version: The version of the product software installed on the device.
APSolute OS Version: The version of the APSolute OS installed on the device; for example, 10.3103.01:2.06.08.
Build Version: The build number of the current software version.
Status: The state of this software version. Values: Open (not yet released), Final (released version).
Hardware
Hardware Version: The hardware version; for example, B.5.
RAM Size: Amount of RAM, in megabytes.
Flash Size: Size of flash (permanent) memory, in megabytes.
Note: When you issue the Switch Over command on the cluster node in the Monitoring perspective, the active device switches over. To switch modes, in the Monitoring perspective system pane, right-click the cluster node, and then select Switch Over.
To view the parameters related to the high availability of a selected DefensePro device
In the Monitoring perspective, select the High Availability tab in the content pane.
Device Role: Values: Stand Alone (the device is not configured as a member of a high-availability cluster), Primary (the device is configured as the primary member of a high-availability cluster), Secondary (the device is configured as the secondary member of a high-availability cluster).
Device State: Values: Active (the device is in the active state; the device may be a standalone device, not part of a high-availability cluster, or the active member of a high-availability cluster), Passive (the device is the passive member of a high-availability cluster).
Values: Base-Line still not synched on this device (either high availability is not enabled on the device, or high availability is enabled on the device but the baselines for security protections are still not synchronized); or the timestamp, in DDD MMM DD hh:mm:ss yyyy format, of the last synchronization of the baseline between the active and passive device.
Cluster State: Values: Pair not defined (the device is not configured as a member of a high-availability cluster), Disconnected (the device is disconnected from the other member of the high-availability cluster), Negotiate (the device is negotiating with the other member of the high-availability cluster), Synchronizing (the device is synchronizing with the other member of the high-availability cluster), In Sync (the members of the high-availability cluster are synchronized), Hold on (the device is waiting for information from the other member of the high-availability cluster).
Peer Clustered Node in Use: The IP address of the other cluster member.
Source IP: The IP address from which traffic was suspended.
Destination IP: The IP address to which traffic was suspended (0.0.0.0 means traffic to all destinations was suspended).
Destination Port: The application port to which traffic was suspended (0 means all ports).
Protocol: The network protocol of the suspended traffic.
Module: The security module that activated the traffic suspension: Signature Protection, Anti Scanning, SYN Protection.
Expiration Type: The method of determining the expiration: On Request, Fixed Timeout, Dynamic Timeout.
Expiration Time: The number of seconds until the entry is removed from the Suspend table.
Parameters: Resource Utilization Instance 0, Resource Utilization Instance 1, RS Resource Utilization Instance 0, RS Resource Utilization Instance 1
RE Resource Utilization Instance 0: The percentage of the device's instance-0 routing engine (RE) resource currently utilized.
RE Resource Utilization Instance 1: The percentage of the device's instance-1 routing engine (RE) resource currently utilized.
Last 5 sec. Average Utilization Instance 0: The average utilization of instance-0 resources in the last 5 seconds.
Last 5 sec. Average Utilization Instance 1: The average utilization of instance-1 resources in the last 5 seconds.
Last 60 sec. Average Utilization Instance 0: The average utilization of instance-0 resources in the last 60 seconds.
Last 60 sec. Average Utilization Instance 1: The average utilization of instance-1 resources in the last 60 seconds.
Accelerator Utilization
Instance: The internal hardware instance of the device.
Accelerator Type: The name of the accelerator. The accelerator named Flow_Accelerator_0 is one logical accelerator that uses several CPU cores. The accelerator named HW Classifier is the string-matching engine (SME).
The CPU number for the accelerator.
The percentage of CPU cycles used for traffic processing.
The percentage of CPU resources used for other tasks such as aging and so on.
The percentage of free CPU resources.
Parameters: Table Size, Table Utilization, Aging Time
Parameter: Table Size
Number of SNMP Received Packets: The total number of messages delivered to the SNMP entity from the transport service.
Number of SNMP Sent Packets: The total number of SNMP messages passed from the SNMP protocol entity to the transport service.
Number of SNMP Successful 'GET' Requests: The total number of MIB objects retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP GET-Request and GET-Next PDUs.
Number of SNMP Successful 'SET' Requests: The total number of MIB objects modified successfully by the SNMP protocol entity as the result of receiving valid SNMP SET-Request PDUs.
Number of SNMP 'GET' Requests: The total number of SNMP GET-Request PDUs accepted and processed by the SNMP protocol entity.
Number of SNMP 'GET-Next' Requests: The total number of SNMP GET-Next Request PDUs accepted and processed by the SNMP protocol entity.
Number of SNMP 'SET' Requests: The total number of SNMP SET-Request PDUs accepted and processed by the SNMP protocol entity.
Number of SNMP Error Too Big Received: The total number of SNMP PDUs generated by the SNMP protocol entity for which the value of the error-status field is tooBig.
Number of SNMP Error No Such Name Received: The total number of SNMP PDUs generated by the SNMP protocol entity for which the value of the error-status field is noSuchName.
Number of SNMP Error Bad Value Received: The total number of SNMP PDUs generated by the SNMP protocol entity for which the value of the error-status field is badValue.
Number of SNMP Error Generic Error Received: The total number of SNMP PDUs generated by the SNMP protocol entity for which the value of the error-status field is genErr.
Number of SNMP 'GET' Responses Sent: The total number of SNMP Get-Response PDUs generated by the SNMP protocol entity.
Number of SNMP Traps Sent: The total number of SNMP Trap PDUs generated by the SNMP protocol entity.
Note: If the device is not equipped with the DME, 0 (zero) values are displayed.
If any of the values in this group box is close to the maximum, the resources for the device are exhausted.
Total Policies: The total number of policies in the context of the DME, which is double the number of network policies configured in the device. x420 supports 50 configured network policies.
The percentage of resource utilization from the HW entries in the context of the DME.
The percentage of DME resource utilization from the entries of sub-policies. In the context of the DME, a sub-policy is a combination of the following: a source-IP-address range, a destination-IP-address range, and a VLAN-tag range.
Policies Table
Policy Name: The name of the policy.
Direction: The direction of the policy. Values: Inbound, Outbound.
HW Entries: The number of DME hardware entries that the policy uses.
Sub-Policies: The number of DME sub-policy entries that the policy uses.
Syslog Server: The name of the syslog server.
Status: The status of the syslog server. Values:
  Reachable: The server is reachable.
  Unreachable: The server is unreachable.
  N/R: Not relevant, because traffic towards the syslog server is sent over UDP, as specified in Configuration perspective Setup tab > Syslog Server > Protocol > UDP. Because UDP is connectionless, the device receives no acknowledgement and cannot tell whether the server actually received the messages, so this status gives no indication of lost logs.
Messages in Backlog
Notes
The filtered Session table is not automatically refreshed periodically. The information is loaded when you select to display the Session Table pane and when you manually refresh the display.
DefensePro issues alerts for high utilization of the Session table: it sends alerts to APSolute Vision when table utilization reaches 90% and 100%.
Source IP: The source IP address within the defined subnet.
Destination IP: The destination IP address within the defined subnet.
Source L4 Port: The session source port.
Destination L4 Port: The session destination port.
Protocol: The session protocol.
Physical Interface: The physical port on the device at which the request arrives from the client.
Lifetime (Sec.): The time, in seconds, following the arrival of the last packet, that the entry remains in the table before it is deleted.
Aging Type: The reason for the Lifetime value (for example, application or session end).
SYN Flood Status: Whether the entry is currently protected against SYN attacks.
Filter Name: The unique name of the filter.
Physical Interface: The physical port on the device at which the request arrives from the client. Default: Any
The source IP address within the defined subnet. Select IPv4 or IPv6; and then, enter the address.
The mask that, together with the source IP address, defines the subnet that you want to present in the Session Table. Select IPv4 or IPv6; and then, enter the mask.
The destination IP address within the defined subnet. Select IPv4 or IPv6; and then, enter the address.
The mask that, together with the destination IP address, defines the subnet that you want to present in the Session Table. Select IPv4 or IPv6; and then, enter the mask.
The session source Layer 4 port.
The session destination Layer 4 port.
IP Statistics
Number of IP Packets Received: The total number of input datagrams received from interfaces, including those received in error.
Number of IP Header Errors: The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format errors, time-to-live exceeded, errors discovered in processing their IP options, and so on.
Number of Discarded IP Packets: The total number of input datagrams discarded. This counter does not include any datagrams discarded while awaiting re-assembly.
Number of Valid IP Packets Received: The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).
Number of Transmitted Packets (Inc. Discards): The total number of IP datagrams which local IP user-protocols (including ICMP) supplied to IP in requests for transmission. This counter does not include any datagrams counted in Number of IP Packets Forwarded.
Number of Discarded Packets on TX: The number of output IP datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded, for example, for lack of buffer space. This counter includes any datagrams counted in Number of IP Packets Forwarded if those packets meet this (discretionary) discard criterion.
Router Statistics
Number of IP Packets Forwarded: The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities that do not act as IP gateways, this counter includes only those packets which were source-routed via this entity, and the source-route option processing was successful.
The number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.
Number of IP Packets Discarded Due to No Route: The number of IP datagrams discarded because no route could be found to transmit them to their destination. Note: This counter includes any packets counted in Number of IP Packets Forwarded that meet the no-route criterion. This includes any datagrams which a host cannot route because all of its default gateways are down.
Number of IP Fragments Received: The number of IP fragments received which needed to be reassembled at this entity.
Number of IP Fragments Successfully Reassembled: The number of IP datagrams successfully re-assembled.
Number of IP Fragments Failed Reassembly: The number of failures detected by the IP re-assembly algorithm (for whatever reason: timed out, errors, and so on). Note: This is not necessarily a count of discarded IP fragments, since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
Number of IP Datagrams Successfully Reassembled: The number of IP datagrams that have been successfully reassembled at this entity.
Number of IP Datagrams Discarded Due to Fragmentation Failure: The number of IP datagrams that have been discarded because they needed to be fragmented at this entity but could not be, for example, because their Don't Fragment flag was set.
Number of IP Datagrams Fragments Generated: The number of IP datagram fragments that have been generated as a result of fragmentation at this entity.
Valid Routing Entries Discarded: The number of valid routing entries discarded.
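As an added example that is not part of this guide or of the product, the following Python module shows how a practitioner might poll the SNMP statistics and IP statistics counters described above over successive snapshots and turn them into simple detections: the share of datagrams dropped for header errors, the share of fragments that never complete a datagram, the rate of no-route discards, and the share of SNMP requests answered with an error status. The counter names are short aliases for the Parameter column (for example ip_header_errors for Number of IP Header Errors), the thresholds are assumptions to be tuned against a quiet baseline, and the snapshot values are constructed. Because the counters are 32-bit and wrap, the deltas correct for wrap-around.

```python
"""Threshold checks over successive snapshots of the SNMP-group and IP-group
counters. Snapshot values are constructed samples, not device output."""
from dataclasses import dataclass

COUNTER32_WIDTH = 2 ** 32  # the counters are 32-bit and wrap back to 0


@dataclass(frozen=True)
class Snapshot:
    timestamp: float   # seconds
    counters: dict     # counter name -> cumulative value at that time


def delta(prev: Snapshot, curr: Snapshot) -> dict:
    """Per-counter increase between two snapshots, corrected for Counter32 wrap."""
    out = {}
    for name, value in curr.counters.items():
        d = value - prev.counters[name]
        if d < 0:              # counter passed 2^32 - 1 and restarted from 0
            d += COUNTER32_WIDTH
        out[name] = d
    return out


def ratio(numerator: int, denominator: int) -> float:
    """Share of numerator in denominator; 0.0 when nothing was counted."""
    return numerator / denominator if denominator else 0.0


def analyse_ip(prev: Snapshot, curr: Snapshot, header_error_ratio: float = 0.01,
               reassembly_failure_ratio: float = 0.2, no_route_pps: float = 100.0) -> list:
    """Return (check, value) pairs for IP statistics that exceeded a threshold.
    Thresholds are illustrative assumptions, not product defaults."""
    interval = curr.timestamp - prev.timestamp
    if interval <= 0:
        raise ValueError("snapshots must be taken in increasing time order")
    d = delta(prev, curr)
    findings = []
    # Malformed or crafted headers: bad checksums, wrong version, bad options.
    r = ratio(d["ip_header_errors"], d["ip_received"])
    if r > header_error_ratio:
        findings.append(("ip_header_error_ratio", r))
    # Fragments that never complete a datagram: fragment floods or evasion attempts.
    r = ratio(d["ip_reassembly_failures"], d["ip_fragments_received"])
    if r > reassembly_failure_ratio:
        findings.append(("ip_reassembly_failure_ratio", r))
    # No-route discards climb when a default gateway is down or traffic
    # targets unroutable destinations.
    r = d["ip_no_route"] / interval
    if r > no_route_pps:
        findings.append(("ip_no_route_pps", r))
    return findings


def analyse_snmp(prev: Snapshot, curr: Snapshot, error_ratio: float = 0.1) -> list:
    """Flag a high share of noSuchName/badValue/genErr responses per processed
    GET/GET-Next/SET request: a manager walking OIDs the agent does not serve,
    or someone probing the agent."""
    d = delta(prev, curr)
    requests = d["snmp_get"] + d["snmp_getnext"] + d["snmp_set"]
    errors = d["snmp_no_such_name"] + d["snmp_bad_value"] + d["snmp_gen_err"]
    r = ratio(errors, requests)
    return [("snmp_error_ratio", r)] if r > error_ratio else []


# Constructed snapshots: ip_received wraps between BASELINE and BURST.
BASELINE = Snapshot(0.0, {
    "ip_received": 4294967000, "ip_header_errors": 100, "ip_fragments_received": 1000,
    "ip_reassembly_failures": 10, "ip_no_route": 5,
    "snmp_get": 500, "snmp_getnext": 2000, "snmp_set": 10,
    "snmp_no_such_name": 5, "snmp_bad_value": 0, "snmp_gen_err": 0,
})
BURST = Snapshot(10.0, {
    "ip_received": 1000, "ip_header_errors": 160, "ip_fragments_received": 1500,
    "ip_reassembly_failures": 210, "ip_no_route": 5,
    "snmp_get": 520, "snmp_getnext": 2600, "snmp_set": 10,
    "snmp_no_such_name": 405, "snmp_bad_value": 0, "snmp_gen_err": 0,
})
QUIET = Snapshot(20.0, {
    "ip_received": 101000, "ip_header_errors": 161, "ip_fragments_received": 1600,
    "ip_reassembly_failures": 212, "ip_no_route": 15,
    "snmp_get": 620, "snmp_getnext": 2700, "snmp_set": 12,
    "snmp_no_such_name": 407, "snmp_bad_value": 0, "snmp_gen_err": 0,
})

if __name__ == "__main__":
    for name, value in analyse_ip(BASELINE, BURST) + analyse_snmp(BASELINE, BURST):
        print(f"{name}: {value:.3f}")
```

Run as a script it prints the findings for the constructed burst (a header-error share of about 4.6%, a 40% reassembly-failure share, and a 65% SNMP error share); in practice you would fill the Snapshot objects from periodic polls of the device and alert on any non-empty result.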
Note: The Routing table is not automatically refreshed periodically. The information is loaded when you select to display the Routing Table pane, and when you manually refresh the display.
Destination Network: The destination network to which the route is defined.
Netmask: The network mask of the destination subnet.
Next Hop: The IP address of the next hop toward the destination subnet. (The next hop always resides on a subnet local to the device.)
Via Interface: The local interface or VLAN through which the next hop of this route is reached. This can be the port name, trunk name, or VLAN ID. This field is displayed only in the Static Routes table.
Type: The type of routing. Values:
  Local: The subnet is directly reachable from the device.
  Remote: The subnet is not directly reachable from the device.
Metric
Note: The ARP table is not automatically refreshed periodically. The information is loaded when you select to display the ARP Table pane, and when you manually refresh the display.
Port: The interface number where the station resides.
IP Address: The station's IP address.
MAC Address: The station's MAC address.
Type: The entry type. Values:
  Other: Neither Dynamic nor Static.
  Dynamic: The entry was learned from the ARP protocol. If the entry is not active for a predetermined time, the node is deleted from the table.
  Static: The entry was configured by the network management station and is permanent.
MPLS RD: The MPLS RD name.
Type: Describes the MPLS RD format. Values:
  2 Bytes : 4 Bytes: AS (16 bit) : Number (32 bit)
  4 Bytes : 2 Bytes: AS (32 bit) : Number (16 bit)
  IP Address : 2 Bytes: IP : Number (16 bit)
The upper tag for the link on which the device is installed.
The lower tag for the link on which the device is installed.
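As an added example that is not part of this guide or of the product, the following Python parser decodes an 8-byte Route Distinguisher into the three formats listed under Type, using the RFC 4364 type codes (0 for AS (16 bit) : Number (32 bit), 1 for IP : Number (16 bit), 2 for AS (32 bit) : Number (16 bit)), and encodes it back. The sample RDs are constructed.

```python
"""Parse and encode 8-byte MPLS Route Distinguishers (RFC 4364 encodings)."""
import ipaddress
import struct
from dataclasses import dataclass

# RD type field values, with the display names used in the Type column.
RD_AS2_NUM4 = 0   # "2 Bytes : 4 Bytes"   -> AS (16 bit) : Number (32 bit)
RD_IP_NUM2 = 1    # "IP Address : 2 Bytes" -> IP : Number (16 bit)
RD_AS4_NUM2 = 2   # "4 Bytes : 2 Bytes"   -> AS (32 bit) : Number (16 bit)

TYPE_NAMES = {
    RD_AS2_NUM4: "2 Bytes : 4 Bytes",
    RD_IP_NUM2: "IP Address : 2 Bytes",
    RD_AS4_NUM2: "4 Bytes : 2 Bytes",
}


@dataclass(frozen=True)
class RouteDistinguisher:
    rd_type: int
    admin: str   # AS number (decimal) or IPv4 address, as text
    number: int  # assigned number

    def __str__(self) -> str:
        return f"{self.admin}:{self.number}"


def parse_rd(raw: bytes) -> RouteDistinguisher:
    """Decode an 8-byte RD; rejects wrong lengths and unknown types."""
    if len(raw) != 8:
        raise ValueError(f"RD must be 8 bytes, got {len(raw)}")
    rd_type = struct.unpack("!H", raw[:2])[0]
    body = raw[2:]   # the remaining 6 bytes, laid out according to the type
    if rd_type == RD_AS2_NUM4:
        asn, number = struct.unpack("!HI", body)
        return RouteDistinguisher(rd_type, str(asn), number)
    if rd_type == RD_IP_NUM2:
        ip, number = struct.unpack("!4sH", body)
        return RouteDistinguisher(rd_type, str(ipaddress.IPv4Address(ip)), number)
    if rd_type == RD_AS4_NUM2:
        asn, number = struct.unpack("!IH", body)
        return RouteDistinguisher(rd_type, str(asn), number)
    raise ValueError(f"unknown RD type {rd_type}")


def encode_rd(rd: RouteDistinguisher) -> bytes:
    """Inverse of parse_rd; struct.pack raises if a field does not fit its width."""
    if rd.rd_type == RD_AS2_NUM4:
        return struct.pack("!HHI", rd.rd_type, int(rd.admin), rd.number)
    if rd.rd_type == RD_IP_NUM2:
        return struct.pack("!H4sH", rd.rd_type,
                           ipaddress.IPv4Address(rd.admin).packed, rd.number)
    if rd.rd_type == RD_AS4_NUM2:
        return struct.pack("!HIH", rd.rd_type, int(rd.admin), rd.number)
    raise ValueError(f"unknown RD type {rd.rd_type}")


def rd_type_name(rd: RouteDistinguisher) -> str:
    """The format name as it appears in the Type column."""
    return TYPE_NAMES[rd.rd_type]


# Constructed sample RDs (hex, network byte order).
SAMPLE_RDS = {
    "as2": bytes.fromhex("0000fde800000064"),  # AS 65000 : 100
    "ip": bytes.fromhex("0001c0a801010064"),   # 192.168.1.1 : 100
    "as4": bytes.fromhex("0002000100000064"),  # AS 65536 : 100
}

if __name__ == "__main__":
    for label, raw in SAMPLE_RDS.items():
        rd = parse_rd(raw)
        print(f"{label}: {rd} ({rd_type_name(rd)})")
```

The textual form "65000:100" is ambiguous between a 2-byte and a 4-byte AS when the number fits either, which is why the parser keeps the type code rather than inferring it from the text.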
Parameters: Port Name, Port Description, Type, Port Speed, MAC Address, Admin Status, Operational Status, Last Change Time
Statistics
Incoming Bytes: The number of incoming octets (bytes) through the interface, including framing characters.
Incoming Unicast Packets: The number of packets delivered by this sub-layer to a higher sub-layer which were not addressed to a multicast or broadcast address at this sub-layer.
The number of packets delivered by this sub-layer to a higher sub-layer which were addressed to a multicast or broadcast address at this sub-layer.
The number of inbound packets chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
Incoming Errors: For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol.
The total number of octets (bytes) transmitted out of the interface, including framing characters.
The total number of packets that higher-level protocols requested be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.
The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast or broadcast address at this sub-layer, including those discarded or not sent.
The number of outbound packets which were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
Outgoing Errors: For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. For character-oriented or fixed-length interfaces, the number of outbound transmission units that could not be transmitted because of errors.
Note: When calculating the real-time network traffic and statistical parameters, the DefensePro device does not include traffic that exceeded the throughput license.
The following topics describe monitoring traffic and attacks in APSolute Vision:
Risk Levels, page 287
Viewing the Security Dashboard, page 288
Viewing and Managing Current Attack Information, page 290
Viewing Real-Time Traffic Statistics, page 306
Monitoring Attack Sources: Geographical Map, page 311
Protection Monitoring, page 313
HTTP Reports, page 319
Risk Levels
The following table describes the risk levels that DefensePro supports to classify security events.
Note: For some protections, the user can specify the risk level for an event. For these protections, the descriptions in the following table are recommendations, and the risk level is the user's responsibility.
Info: The risk does not pose a threat to normal service operation.
Low: The risk does not pose a threat to normal service operation, but may be part of a preliminary action for malicious behavior.
Medium: The risk may pose a threat to normal service operation, but is not likely to cause complete service outage, remote code execution, or unauthorized access.
High: The risk is very likely to pose a threat to normal service availability, and may cause complete service outage, remote code execution, or unauthorized access.
Use the Security Dashboard to analyze activity and security events in the network, identify security trends, and analyze risks. You can view Security Dashboard information for individual devices, all devices in a site, or all devices in the network. The dashboard monitoring display refreshes automatically, providing ongoing real-time analysis of the system.
You can configure the following Security Dashboard parameters:
Scope: Whether the Security Dashboard shows information according to:
  Devices/Physical Ports: The selected physical ports.
  Devices/Policies: The selected Network Protection Policies/Rules.
Display Last: How long, in minutes, an attack continues to be displayed after the attack has ended.
Statistics Refresh Interval for Real-Time Security Monitoring Perspective: The display refresh rate. The default is 15 seconds.
DefensePro User Guide Real-Time Security Reporting
The Security Dashboard displays an attacks radar and a Drop Intensity indicator.
The attacks radar displays current and recent attacks:
Each arrowhead in the radar represents a separate attack. A flashing arrowhead represents an ongoing attack.
The color of the arrowhead indicates the attack category. The category represents the type of protection that the attack violates. When you double-click an arrowhead, the corresponding attack-characteristics-and-information dialog box is displayed. The categories in the Security Dashboard are as follows:
  DDoS: Represents attacks identified by the following protection types: Behavioral DoS, SYN Flood, and DoS Shield.
  Server Cracking: Represents attacks identified by Server Cracking Protection.
  Intrusion: Represents attacks identified by Intrusion Protection.
  Application DDoS: Represents attacks identified by HTTP Flood Protection.
  Stateful ACL: Represents attacks identified by Stateful ACL Protection.
  Packet Anomalies: Represents attacks identified by Packet Anomaly Protection.
  Network Scans: Represents attacks identified by Anti-Scanning Protection.
  Black List: Represents traffic identified by Black List Protection.
The position of the attack in the radar indicates the attack risk. Each band in the radar, moving inwards from the outer edge, represents increasing risk: info, low, medium, and high (see Risk Levels, page 287). You can display summary information for an attack by clicking the corresponding arrowhead, and you can view additional attack details by double-clicking the arrowhead.
Note: The summary information displayed in the attacks radar is also presented in the Current Attacks table.
The Drop Intensity counter provides an indication of the level of discarded traffic during attacks, relative to the maximum bandwidth of the device (per license).
4. If you selected Devices/Physical Ports from the Scope drop-down list, select the ports for which to display data as follows:
   a. Click Select Ports. Data is displayed for ports in the Selected Ports list.
   b. Move ports to and from the Selected Ports list, as required.
5. If you selected Devices/Policies from the Scope drop-down list, select the Network Protection Policies/Rules for which to display data as follows:
   a. Click Select Policy. Data is displayed for Network Protection Policies/Rules in the Selected Policies list.
   b. Move policies to and from the Selected Policies list, as required.
6. To control the amount of data displayed, change the number of minutes in the Display Last list.
7. To view additional information for a displayed attack:
   Right-click the corresponding arrowhead in the radar to display summary information for the attack.
   Double-click the corresponding arrowhead in the radar to display detailed information for the attack. For more information, see Attack Details, page 294.
Note: The attack details contained in the table columns that are hidden by default are displayed in the Attack Details window for individual attacks.
(CSV).
4. Specify the save location and file name; and then, click Save.
Risk: The risk of the attack (see Risk Levels, page 287).
Category: The threat type to which the attack belongs, for example, Intrusions, DoS, Anti-Scanning, and so on. Values: All, ACL, Anti-Scanning, Behavioral DoS, DoS, HTTP Flood, Intrusions, Server Cracking, SYN Flood, Anomalies, Stateful ACL, DNS Flood, Bandwidth Management. Default: All
Select Ports: Add the ports for which to display attack data to the Selected Ports list.
Source Address: The source address of the attack. The string can be any legal IPv4 or IPv6 address, and can include a wildcard (*).
Destination Address: The destination address of the attack. The string can be any legal IPv4 or IPv6 address, and can include a wildcard (*).
Start Time: The date and time of the attack start.
Category: The threat type to which this attack belongs.
Status: The last-reported status of the attack. Values:
  Started: An attack containing more than one security event has been detected (some attacks contain multiple security events, such as DoS, Scans, and so on).
  Occurred (signature-based attacks): Each packet matched with signatures was reported as an attack and dropped.
  Ongoing: The attack is currently taking place, that is, the time between Started and Terminated (for attacks that contain multiple security events, such as DoS, Scans, and so on).
  Terminated: There are no more packets matching the characteristics of the attack, and the device reports that the attack has ended.
Risk: The predefined attack severity level (see Risk Levels, page 287). Values: High, Medium, Low, Info.
The name of the detected attack.
The source IP address of the attack. If there are multiple IP sources for an attack, this field displays Multiple. The multiple IP addresses are displayed in the Attack Details window.
The destination IP address of the attack.
The destination port of the attack.
The name of the configured network-protection policy rule or server-protection policy rule that was violated by this attack. To view or edit the rule for a specific attack, right-click the attack entry and select Go to Rule.
The unique attack identifier issued by the device.
The direction of the attack, inbound or outbound.
The reported action against the attack. Values:
  Forward: The packet is forwarded to its destination.
  Drop: The packet is discarded.
  Reset Source: A TCP Reset packet is sent to the attacker's source IP address.
  Reset Destination: A TCP Reset packet is sent to the attack's destination IP address.
Device IP: The IP address of the attacked device.
Protocol: The transmission protocol used to send the attack. Values: TCP, UDP, ICMP, IP.
The Layer 4 source port of the attack.
The port on the device at which the attack's packets arrived.
The number of identified attack packets from the beginning of the attack.
For most protections, this value is the volume of the attack, in kilobits, from when the attack started. For SYN protection (SYN cookies), this value is the number of SYN packets dropped, multiplied by 60 bytes (the SYN packet size).
VLAN (1): A VLAN tag value is used to generate reports for each customer. The value N/A or 0 in this field indicates that the VLAN tag is not available.
MPLS RD (1): The Multiprotocol Label Switching Route Distinguisher. This value is used to generate reports for each customer. The value N/A or 0 in this field indicates that the MPLS RD is not available.
(1) This column is not displayed by default in the Current Attacks tab. To display the column, right-click any column heading, and select the column name from the pop-up menu.
Note: For more information about attack details, see Attack Details, page 294.
(CSV).
5. Specify the save location and file name; and then, click Save.
3. In the Current Attacks table, right-click the attack entry and select Export Packets To Ethereal Format.
4. Enter a file name in the file selection dialog box.
Notes
You can send the CAP file to a packet analyzer.
Up to 255 bytes of packet information is saved in the CAP file. That is, DefensePro exports full packets but APSolute Vision trims them to 255 bytes.
The file is available only as long as it is displayed in the Current Attacks table.
The file is created only if packet reporting is enabled in the protection configuration for the profile that was violated.
DefensePro exports only the last packet in a sequence that matches the filter. Furthermore, if traffic matches a signature that consists of more than one packet, the reported packet will not include the whole expression in the filter.
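Because the CAP file keeps at most 255 bytes per packet, a packet analyzer will show each record's captured length falling short of its on-the-wire length. The following Python reader, added here as an example and not part of this guide or of the product, parses the classic pcap format and reports which packets were trimmed, with bounds checks so that a corrupt or hostile file raises an error instead of being misparsed. The sample capture is constructed in the code; the 255-byte limit is taken from the note above.

```python
"""Minimal classic-pcap reader that reports packets whose captured length is
shorter than their on-the-wire length. The sample capture is constructed."""
import struct
from dataclasses import dataclass

GLOBAL_HEADER_LEN = 24
RECORD_HEADER_LEN = 16
MAGIC_LITTLE = (0xA1B2C3D4, 0xA1B23C4D)   # microsecond / nanosecond timestamps
MAGIC_BIG = (0xD4C3B2A1, 0x4D3CB2A1)
EXPORT_LIMIT = 255                        # bytes kept per packet by APSolute Vision


@dataclass(frozen=True)
class PacketRecord:
    index: int
    ts_sec: int
    ts_frac: int
    caplen: int     # bytes present in the file
    wirelen: int    # bytes that were on the wire
    data: bytes

    @property
    def truncated(self) -> bool:
        return self.caplen < self.wirelen


def iter_pcap(blob: bytes):
    """Yield one PacketRecord per record. Every length is checked against the
    file size and the snaplen before slicing, so a corrupt or hostile file
    raises ValueError rather than yielding garbage."""
    if len(blob) < GLOBAL_HEADER_LEN:
        raise ValueError("file shorter than the pcap global header")
    magic = struct.unpack("<I", blob[:4])[0]
    if magic in MAGIC_LITTLE:
        order = "<"
    elif magic in MAGIC_BIG:
        order = ">"
    else:
        raise ValueError(f"not a pcap file (magic 0x{magic:08x})")
    snaplen = struct.unpack(order + "I", blob[16:20])[0]
    offset, index = GLOBAL_HEADER_LEN, 0
    while offset < len(blob):
        if offset + RECORD_HEADER_LEN > len(blob):
            raise ValueError(f"record {index}: header cut short")
        ts_sec, ts_frac, caplen, wirelen = struct.unpack(
            order + "IIII", blob[offset:offset + RECORD_HEADER_LEN])
        offset += RECORD_HEADER_LEN
        if caplen > snaplen:
            raise ValueError(f"record {index}: caplen {caplen} exceeds snaplen {snaplen}")
        if offset + caplen > len(blob):
            raise ValueError(f"record {index}: packet data cut short")
        yield PacketRecord(index, ts_sec, ts_frac, caplen, wirelen,
                           blob[offset:offset + caplen])
        offset += caplen
        index += 1


def truncation_report(blob: bytes, limit: int = EXPORT_LIMIT) -> dict:
    """Summarise how much of each packet survived the export."""
    records = list(iter_pcap(blob))
    truncated = [r.index for r in records if r.truncated]
    at_limit = [r.index for r in records if r.truncated and r.caplen == limit]
    return {
        "packets": len(records),
        "truncated": truncated,
        "trimmed_to_limit": at_limit,
        "max_caplen": max((r.caplen for r in records), default=0),
    }


def build_pcap(packets, snaplen: int = EXPORT_LIMIT) -> bytes:
    """Write a little-endian pcap (link type 1, Ethernet) from (data, wirelen) pairs."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))
    for i, (data, wirelen) in enumerate(packets):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(data), wirelen)
        out += data
    return bytes(out)


# Constructed capture: a 60-byte SYN-sized frame kept whole, and a 1200-byte
# frame that the export trimmed to 255 bytes.
SAMPLE_CAP = build_pcap([(b"\x00" * 60, 60), (b"\x01" * EXPORT_LIMIT, 1200)])

if __name__ == "__main__":
    print(truncation_report(SAMPLE_CAP))
```

For a real export, read the file with open(path, "rb").read() and pass it to truncation_report; any packet listed under trimmed_to_limit is one whose payload beyond byte 255 is simply not in the file, which matters when the matching signature expression spans more than the captured bytes.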
Attack Details
An Attack Information window is displayed when you double-click an attack in the Security Dashboard or in the Current Attacks table.
Tip: To export the information in the Attack Information window to a CSV file, at the top left of the window, click (CSV).
The Attack Description displays the information from the Attack Descriptions file. An attack description is displayed only if the Attack Descriptions file has been uploaded to the APSolute Vision server. For information about uploading the Attack Descriptions file, see Updating the Attack Description File, page 54.
The following attack details are also displayed for the following attacks:
BDoS Attack Details, page 295
DoS Attack Details, page 297
Anti-Scan Attack Details, page 297
Server Cracking Attack Details, page 299
SYN Flood Attack Details, page 300
HTTP Flood Attack Details, page 301
DNS Flood Attack Details, page 304
Note: The Attack Characteristics information displayed in these windows is also available in the hidden columns of the Current Attack Summary table.
Global: The attack characteristics comprise the following parameters:
  Source L4 Port
  Protocol
  Physical Port
  Packet Count
  Bandwidth [Kbits]
  VLAN
  MPLS RD
  Device IP
  TTL
  L4 Checksum
  TCP Sequence Number
  IP ID Number
  Fragmentation Offset
  Fragmentation Flag: A value of 0 indicates that fragmentation is allowed; 1 indicates that fragmentation is not allowed.
  Flow Label (IPv6 only)
  ToS
  Packet Size
  ICMP Message Type: Displayed only if the protocol is ICMP.
  Source IP
  Destination IP
  Source Ports
  Destination Ports
  DNS ID
  DNS Query
  DNS Query Count
Note: Some fields can display multiple values, when relevant and available. The values displayed depend on the current stage of the attack. If a field is part of the dynamic signature (that is, a specific value or values appear in all the attack traffic), the Attack Characteristics field displays the relevant value or values.
Attack Info: The attack information comprises the following parameters:
  Packet Size Anomaly Region: The statistical region of the attack packets. The region is determined by the ratio of the average attack packet size to the policy's normal (baseline) average packet size:
  {(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)}
  Values:
    Large Packets: The attack packets are more than approximately 15% larger than the normal packet-size baseline for the policy.
    Normal Packets: The attack packets are within approximately 15% either side of the normal packet-size baseline for the policy.
    Small Packets: The attack packets are more than approximately 15% smaller than the normal packet-size baseline for the policy.
  The attack state, with the following values:
    Footprints Analysis: Behavioral DoS Protection has detected an attack and is currently determining an attack footprint.
    Blocking: Behavioral DoS Protection is blocking the attack based on the attack footprint created. Through a closed feedback loop, Behavioral DoS Protection optimizes the footprint rule, achieving the narrowest effective mitigation rule.
    Non-attack: Nothing was blocked because the traffic was not an attack: no footprint was detected or the blocking strictness level was not met.
Sampled Data: Opens the Sampled Data dialog box, which contains data on sampled attack packets.
Footprint: Footprint Blocking Rule: The footprint blocking rule generated by Behavioral DoS Protection, which provides the narrowest effective blocking rule against the flood attack.
Attack Description: The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.
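The following Python snippet, added as an example and not part of this guide or of the product, carries the packet-size ratio above through with concrete numbers: it converts a bandwidth in Kbits and a packet rate into an average packet size, forms the ratio (AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS), and applies the 15% tolerance to yield the region. The sample rates are constructed; the exact tolerance the device uses is described only as approximate.

```python
"""Packet Size Anomaly Region from the attack and baseline rates. Sample rates
below are constructed, not taken from a device."""

LARGE, NORMAL, SMALL = "Large Packets", "Normal Packets", "Small Packets"
TOLERANCE = 0.15   # "approximately 15%" either side of the baseline


def avg_packet_size_bytes(bandwidth_kbits: float, pps: float) -> float:
    """Average packet size implied by a bandwidth (Kbit/s) and packet rate (pps)."""
    if pps <= 0:
        raise ValueError("packet rate must be positive")
    # 1 Kbit = 1000 bits; the unit convention cancels out in size_ratio anyway.
    return bandwidth_kbits * 1000 / 8 / pps


def size_ratio(anomaly_bw: float, anomaly_pps: float,
               normal_bw: float, normal_pps: float) -> float:
    """(AnomalyBandwidth/AnomalyPPS) / (NormalBandwidth/NormalPPS)."""
    return (avg_packet_size_bytes(anomaly_bw, anomaly_pps)
            / avg_packet_size_bytes(normal_bw, normal_pps))


def anomaly_region(ratio: float, tolerance: float = TOLERANCE) -> str:
    """Map the ratio onto the three regions the Attack Info pane displays."""
    if ratio > 1 + tolerance:
        return LARGE
    if ratio < 1 - tolerance:
        return SMALL
    return NORMAL


# Constructed baseline: 100 Mbit/s at 20,000 pps, i.e. a 625-byte average packet.
# A SYN-style flood of 400 Mbit/s at 800,000 pps averages 62.5 bytes (ratio 0.1).
SYN_FLOOD = (400_000, 800_000, 100_000, 20_000)
# A 1400-byte UDP flood: 1,120 Mbit/s at 100,000 pps (ratio 2.24).
UDP_FLOOD = (1_120_000, 100_000, 100_000, 20_000)

if __name__ == "__main__":
    for name, rates in (("SYN flood", SYN_FLOOD), ("UDP flood", UDP_FLOOD)):
        r = size_ratio(*rates)
        print(f"{name}: ratio {r:.2f} -> {anomaly_region(r)}")
```

A ratio well below 1 is the usual picture for SYN and other small-packet floods, while a ratio well above 1 points to volumetric floods of large UDP datagrams; the region is therefore a quick sanity check on whether the footprint being built matches the kind of flood observed.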
Global: The attack characteristics comprise the following parameters: Protocol, Physical Port, Packet Count, VLAN, MPLS RD, Device IP.
Note: Some fields can display multiple values, when relevant and available. The values displayed depend on the current stage of the attack. If a field is part of the dynamic signature (that is, a specific value or values appear in all the attack traffic), the Attack Characteristics field displays the relevant value or values.
Attack Info: The attack information comprises the following parameters:
  Action: The protection action taken.
  Attacker IP: The IP address of the attacker.
  Protected Host: The protected host.
  Protected Port: The protected port.
  Attack Duration: The duration of the attack.
  Current Packet Rate: The current packet rate.
  Average Packet Rate: The average packet rate.
Sampled Data: Opens the Sampled Data dialog box, which contains data on sampled attack packets.
Attack Description: The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.
Global: The attack characteristics comprise the following parameters: Source L4 Port, Protocol, Physical Port, Packet Count, VLAN, MPLS RD, Device IP, Bandwidth [Kbits].
Attack Info: Protection-action information, blocking details, and scan statistics. The attack information comprises the following parameters:
  Action: The protection action taken.
  Action Reason: Describes the difference between the configured action and the actual action.
  Blocking Duration: The blocking duration, in seconds, of the attacker source IP address.
  Estimated Release Time (Local): The estimated release time of the attacker, in local time.
  Avg. Time Between Probes: The average time between scan events, in seconds.
  Number of Probes: The number of scan events from the time the attack started.
Footprint: Footprint Blocking Rule: The footprint blocking rule generated by Anti-Scanning Protection, which provides the narrowest effective blocking rule against the scanning attack.
Scan Details:
  DST IP: The destination IP address of the scan.
  DST L4 Port: The destination port of the scan.
  TCP Flag: The TCP packet type. (Displayed only for TCP traffic.)
  ICMP Message Type: The ICMP message type. (Displayed only for ICMP traffic.)
Attack Description: The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.
Global: The attack characteristics comprise the following parameters: Protocol, Source L4 Port, Physical Port, Packet Count, Bandwidth [Kbits], VLAN, MPLS RD, Device IP.
Attack Info: Displays protection action information, blocking details, and attack statistics. The attack information comprises the following parameters:
  Blocking Duration: The blocking duration, in seconds, of the attacker source IP address.
  Estimated Release Time: The estimated release time of the attacker, in local time.
  Avg. Time Between Probes: The average time between scan events, in seconds.
  Number of Probes: The number of scan events from the time the attack started.
Sampled Data: Opens the Sampled Data dialog box, which contains data on sampled attack packets.
Application Requests: When a server-cracking attack is detected, DefensePro sends sample suspicious attacker requests to the management system in order to provide more information on the nature of the attack. The sample requests are sent for the following protocols or attacks. Values:
  Web Scan: Sample HTTP requests.
  Web Cracking: Username and password.
  SIP: SIP user (SIP URI).
  FTP: Username (if sent in the same request) and password.
  POP3: Username (if sent in the same request) and password.
Because these samples can contain usernames and passwords in clear text, including credentials of legitimate users caught in the attack, restrict access to the management system and to any exports of this data accordingly.
Global: The attack characteristics comprise the following parameters: Protocol, Physical Port, Packet Count, VLAN, MPLS RD, Device IP, Bandwidth [Kbits].
Attack Info: The information is displayed when the protection action is blocking mode. The attack information comprises the following parameters:
  Average Attack Rate: The average rate of spoofed SYNs and data connection attempts per second, calculated every 10 seconds.
  Attack Threshold: The configured attack trigger threshold, in half connections per second.
  Attack Volume: The number of packets from spoofed TCP connections during the attack life cycle (aggregated). These packets are from sessions that were established through the SYN-cookies mechanism or passed through the SYN protection trusted list.
  Attack Duration: The duration, in hh:mm:ss format, of the attack on the protected port.
  TCP Challenge: The authentication method that identified the attack: Transparent Proxy or Safe-Reset.
  HTTP Challenge: The HTTP authentication method that identified the attack: 302-Redirect or JavaScript.
The Authentication Lists Utilization group comprises the following parameters:
  TCP Auth. List: The current utilization, in percent, of the TCP Authentication table.
  HTTP Auth. List: The current utilization, in percent, of the HTTP Authentication table.
Attack Description: The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.
Description Global
The attack characteristics comprise the following parameters: Source L4 Port Protocol Physical Port Packet Count VLAN MPLS RD Device IP Bandwidth [Kbits]
Note: Some fields can display multiple values, when relevant and available. The values displayed depend on the current stage of the attack. If a field is part of the dynamic signature (that is, a specific value or values appear in all the attack traffic), the Attack Characteristics field displays the relevant value or values.
301
Parameter
Attack Info
Description
The attack information comprises the following parameters: Protection StateThe state of the protection process: CharacterizationThe protection module is analyzing the attack footprint. MitigationThe protection module is mitigating the attack according to the profile configuration. Suspicious ActivitiesThe protection module identified the attack but cannot mitigate it. Mitigation FlowThe configuration of the mitigation flow for the profile: DefaultThe mitigation flow for the profile is configured to use all three mitigation actions, which are selected by default: 1-Challenge Suspects, 2-Challenge All, 3-Block Suspects. CustomizedThe mitigation flow for the profile is not configured to use all three mitigation actions. ActionThe current action that protection module is using to mitigate the attack: Challenge Suspected AttackersThe protection module is challenging HTTP sources that match the real-time signature. Challenge All SourcesThe protection module is challenging all HTTP traffic toward the protected server. Block Suspected AttackersThe protection module is blocking all HTTP traffic from the suspect sources (that is, sources that match the signature). No MitigationThe protection module is in the Suspicious Activities state and is not mitigating the attack. Challenge MethodThe user-specified Challenge Method, 302 Redirect or JavaScript. Suspicious SourcesThe number of sources that the protection module suspects as being malicious. Challenged SourcesThe number of sources that the protection module has identified as being attackers and is now challenging them. Blocked SourcesThe number of sources that the protection module has identified as being attackers and is now blocking them. HTTP Authentication Table Utilization [%]The percentage of HTTP Authentication Table that is full.
Sampled Data
Opens the Sampled Data dialog box, which contains data on sampled attack packets.
Parameter
Source IP address
The HTTP request URIs that took part in the HTTP flood attack and were mitigated. Usually the value displayed is Blocked. Only when one of the HTTP request URIs was configured to be bypassed is the value Bypassed.
Attack Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.
Description Global
The attack characteristics comprise the following parameters: Source L4 Port, Protocol, Physical Port, Packet Count, VLAN, MPLS RD, Device IP, Bandwidth [Kbits], TTL, IP ID Number, Destination IP, DNS ID, DNS Query Count, L4 Checksum, Packet Size, Destination Ports, DNS Query, DNS An Query Count
Note: Some fields can display multiple values, when relevant and available. The values displayed depend on the current stage of the attack. If a field is part of the dynamic signature (that is, a specific value or values appear in all the attack traffic), the Attack Characteristics field displays the relevant value or values.
Attack Info
The attack information comprises the State parameter and the Mitigation Action parameter. The State parameter indicates the state of the protection process. The Mitigation Action parameter indicates the mitigation action.
Values for State:
- Footprints Analysis: Behavioral DoS Protection has detected an attack and is currently determining an attack footprint.
- Blocking: Behavioral DoS Protection is blocking the attack based on the attack footprint created. Through a closed feedback loop operation, the Behavioral DoS Protection optimizes the footprint rule, achieving the narrowest effective mitigation rule.
- Non-attack: Nothing was blocked because the traffic was not an attack: no footprint was detected or the blocking strictness level was not met.
Values for Mitigation Action: signature-challenge, signature-rate-limit, collective-challenge, collective-rate-limit
Sampled Data
Opens the Sampled Data dialog box, which contains data on sampled attack packets.
Footprint
Footprint Blocking Rule
The footprint blocking rule that the Behavioral DoS Protection generated. The footprint blocking rule provides the narrowest effective blocking rule against the flood attack.
Parameter
This table displays attack traffic (Anomaly) and normal traffic information. Red indicates real-time values identified as suspicious in the 15 seconds prior to when the attack was triggered. Black indicates the learned normal traffic baselines. Table columns are displayed according to the DNS query types: A, MX, PTR, AAAA, Text, SOA, NAPTR, SRV, Other.
Caution: DefensePro does not support DNS queries of type ANY.
Attack Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.
DefensePro User Guide Real-Time Security Reporting
You can export some rows of the table in the Sampled Data dialog box to a CSV file.
Specify the location and file name; and then, click Save.
The graph displays excluded inbound traffic and excluded outbound traffic only when the Traffic Exclusion option is enabled. When the Traffic Exclusion option is enabled, the device passes through all traffic that matches no network policy configured on the device, regardless of any other protection configured. For more information, see Configuring the Basic Network Parameters, page 124.
Caution: When the value of the Scope parameter is Devices/Policies (see Table 149 - Traffic Utilization Display Settings for Graph and Table, page 308), during the Update Policies process, the Statistics Graph momentarily displays Traffic Utilization as 0 (zero).
Last Sample Statistics
Displays the last reading for each protocol and provides totals for all protocols.
Traffic Authentication Statistics (Challenge/Response)
Displays statistics for the Challenge-Response mechanism when the relevant option is enabled in the protection modules that support the Challenge-Response mechanism. For more information, see Configuring Global DNS Flood Protection, page 149 and Configuring HTTP Flood Mitigation Profiles for Server Protection, page 209.
Tip: To get the current traffic rate in packets or bytes per second (calculated as the average rate in 15 seconds), you can use the following CLI command on the DefensePro device:
Table 149: Traffic Utilization Display Settings for Graph and Table
Parameter
Scope
Description
The scope of the graph view. Values:
- Devices/Physical Ports: The graph shows traffic according to physical ports on the specified device.
- Devices/Policies: The graph shows traffic according to Network Protection policies/rules on the specified device.
Default: Devices/Physical Ports
Units
The units for the traffic rate. Values:
- Kbps: Kilobits per second
- Packet/Sec: Packets per second
Select Port Pair (This button is displayed only when the Scope is Devices/Physical Ports.)
Opens the Select Port Pairs dialog box. Select the port pairs relevant for the network topology by moving the required port pairs to the Selected Port Pairs list. All other port pairs should be in the Available Port Pairs list. Note: You can select port pairs for each direction; however, Radware recommends that you select a port pair in one direction only, and display traffic for both directions, if required. If you select port pairs in both directions, and traffic for both directions, the graph displays the same traffic twice.
Select Policies (This button is displayed only when the Scope is Devices/Policies.)
Opens the Select Policies dialog box. Select the Network Protection policies/rules relevant for the network topology by moving the required policies to the Selected Policies list.
Parameter
Show Traffic
Description
The traffic that the graph shows. Values:
- Inbound: Show inbound traffic.
- Outbound: Show outbound traffic.
- Both: Show inbound and outbound traffic. Data for inbound and outbound are displayed as separate lines, not as totals.
Note: The direction of traffic between a pair of ports is defined by the In Port setting in the port pair configuration.
Parameter
Protocol
Description
The traffic protocol to display. Values:
- TCP: Show the statistics of the TCP traffic.
- UDP: Show the statistics of the UDP traffic.
- ICMP: Show the statistics of the ICMP traffic.
- IGMP: Show the statistics of the IGMP traffic.
- SCTP: Show the statistics of the SCTP traffic.
- Other: Show the statistics of the traffic that is not TCP, UDP, ICMP, IGMP, or SCTP.
- All: Show total traffic statistics.
Parameter
Protocol
Description
The traffic protocol. Values: TCP, UDP, ICMP, IGMP, SCTP, Other (the statistics of the traffic that is not TCP, UDP, ICMP, IGMP, or SCTP), All (total traffic statistics).
Inbound
The amount of inbound traffic for the protocol identified in the row.
Outbound
The amount of outbound traffic for the protocol identified in the row.
Discarded Inbound
The amount of discarded inbound traffic for the protocol identified in the row.
Discarded Outbound
The amount of discarded outbound traffic for the protocol identified in the row.
Discards %
The percentage of discarded traffic for the protocol identified in the row.
Excluded Inbound
The amount of excluded inbound traffic for the protocol identified in the row.
Excluded Outbound
The amount of excluded outbound traffic for the protocol identified in the row.
Parameter
Description
Protocol
The protocol for the statistics displayed in the row. Values: TCP, HTTP, DNS
Current Attacks
The number of attacks currently in the device.
Challenges Rate
The rate, in PPS, at which the device is sending challenges.
Authentication Table Utilization %
The percentage of the Authentication Table that is full.
You can export some rows of the Last Sample Statistics table to a CSV file.
Specify the location and file name; and then, click Save.
Parameter
Scope
Description
The scope of the graph view. Values:
- Devices/Physical Ports: The graph shows traffic according to physical ports on the specified device.
- Devices/Network Policies: The graph shows traffic according to Network Protection policies/rules on the specified device.
Default: Devices/Physical Ports
Show Traffic
Select inbound traffic, outbound traffic, or both. When you select both, data for inbound and outbound are displayed as separate lines, not as totals. Note: The direction of traffic between a pair of ports is defined by the In Port setting in the port pair configuration.
Protocol
Select the traffic protocol to display. When you select All, total traffic statistics are displayed.
Parameter
Select Port Pair (This button is displayed only when the Scope is Devices/Physical Ports.)
Description
Opens the Select Port Pairs dialog box. Select the port pairs relevant for the network topology by moving the required port pairs to the Selected Port Pairs list. All other port pairs should be in the Available Port Pairs list. Note: You can select port pairs for each direction; however, Radware recommends that you select a port pair in one direction only, and display traffic for both directions, if required. If you select port pairs in both directions, and traffic for both directions, the graph displays the same traffic twice.
Select Policies (This button is displayed only when the Scope is Devices/Policies.)
Opens the Select Policies dialog box. Select the Network Protection policies/rules relevant for the network topology by moving the required policies to the Selected Policies list.
Parameter
Display Last
Description
The last number of hours for which the map displays information. Values: 1, 2, 3, 6, 12, 24 Default: 1 hour
The map displays the locations that have the highest number of attacks in the database. You can set the number of locations to display, up to a maximum of 20. Default: 5
Total Plotted Attacks
(Read-only) The number of attack source locations that are displayed. All attacks that cannot be associated with any known location are considered as originating from a single (unknown) location.
You can export some rows of the Attack Distribution tables, the Attack Summary and Location Attacks List tables, to a CSV file.
Specify the location and file name; and then, click Save.
(CSV).
5. Specify the location and file name; and then, click Save.
Protection Monitoring
Protection Monitoring provides real-time traffic monitoring per network policy rule, either for the network as a whole, if BDoS is configured, or for DNS traffic, if DNS is configured. The statistical traffic information that Protection Monitoring provides can help you better understand the traffic that flows through the protected network, how the configured protection is working, and, most importantly, how anomalous traffic is detected. For information about displaying protection information for a selected device, see the following:
- Displaying Attack Status Information, page 313
- Monitoring Network Rule Traffic, page 314
- Monitoring DNS Flood Attack Traffic, page 316
3. When an attack icon is displayed in the table, click the icon to display the corresponding attack traffic information.
You can export some rows of the Attack Status per Rule table to a CSV file.
Specify the location and file name; and then, click Save.
Caution: When traffic matches multiple Network Protection policy/rules with Out of State protection, the value that APSolute Vision displays for the total dropped traffic represents the sum of all dropped traffic for all relevant Network Protection policy/rules. This is because when traffic matches multiple Network Protection policy/rules with Out of State protection, all those Network Protection policy/rules count the same dropped traffic.
To display traffic information for a network policy rule that includes BDoS protection
1. In the Security Monitoring perspective navigation pane, select the device to monitor.
2. Select the Protection Monitoring tab, and select Network Rule Traffic.
3. In the content pane Filter group box, configure the filter for the display of the Statistics Graph and Last Sample Statistics table; and then, click Go.
4. Configure the settings for the display of the Statistics Graph.
Statistics Graph
The graph displays the traffic rates for the selected network policy rule according to the specified parameters over the last 30 minutes.
Table 155: Filter Parameters for the Statistics Graph and Last Sample Statistics Table
Parameter
Description
Rule
The network policy rule. The list only displays rules configured with a BDoS profile.
Direction
The direction of the traffic that the Statistics Graph and Last Sample Statistics table display. Values: Inbound, Outbound
Parameter
Units
Description
The unit according to which the Statistics Graph and Last Sample Statistics table display the traffic. Values:
- Kbps: Kilobits per second
- Packets/Sec: Packets per second
Parameter
Description
IP Version
The IP version of the traffic that the graph displays. Values: IPv4, IPv6
Protection Type
The protection type to monitor. Values: TCP ACK FIN, TCP FRAG, TCP RST, TCP SYN, TCP SYN ACK, UDP, ICMP, IGMP
Scale
The scale for the presentation of the information along the Y-axis. Values: Linear, Logarithmic
Attack Status
(Read-only) The status of the attack.
Line
Description
Total Traffic (dark blue)
The total traffic that the device sees for the specific protection type and direction.
Legitimate Traffic (light blue)
The actual forwarded traffic rate, after DefensePro blocked the attack. When there is no attack, the Total Traffic and Legitimate Traffic are equal.
Normal Edge (dashed green)
The statistically calculated baseline traffic rate.
Suspected Edge (dashed orange)
The traffic rate that indicates a change in traffic that might be an attack.
Attack Edge (dashed red)
The traffic rate that indicates an attack.
Parameter
Description
Traffic Type
The protection type.
Baseline
Each specific traffic type and direction has a baseline that the device learns automatically. The normal traffic rate expected by the device.
Total Traffic
The total traffic rate that the DefensePro device sees for the specific traffic type and direction.
Baseline Portion %
An indication of the rate-invariant baseline, that is, the normal percentage of the specific traffic type relative to all other traffic in the same direction.
RT Portion %
The actual percentage of the specific traffic type relative to all other traffic in the same direction.
Legitimate Traffic
The actual forwarded traffic rate, after the device blocked the attack. When there is no attack, the RT Rate and Legitimate Rate are equal.
Legitimate Portion %
The actual percentage of the forwarded traffic rate of the specified type relative to other types of traffic, after the device blocked the attack.
Degree of Attack
A numeric value that evaluates the current level of attack. A value of 8 or greater signifies an attack.
You can export rows of the Last Sample Statistics table to a CSV file.
Specify the location and file name; and then, click Save.
To display traffic information for a network policy rule that includes DNS protection
1. In the Security Monitoring perspective navigation pane, select the device to monitor.
2. Select the Protection Monitoring tab, and select Network Rule DNS Traffic.
3. In the content pane Filter group box, configure the filter for the display of the Statistics Graph and Last Sample Statistics table; and then, click Go.
4. Configure the settings for the display of the Statistics Graph.
Statistics Graph
The graph displays the traffic rates for the selected network policy rule according to the specified parameters over the last 30 minutes.
Table 159: Filter Parameters for the Statistics Graph and Last Sample Statistics Table
Parameter
Description
Rule
The network policy rule. The list only displays rules configured with a DNS profile.
Direction
The direction of the traffic that the Statistics Graph and Last Sample Statistics table display. Values: Inbound, Outbound
Units
(Read-only) The unit according to which the Statistics Graph and Last Sample Statistics table display the traffic. Value: QPS (queries per second)
Parameter
IP Version
Description
The IP version of the traffic that the graph displays. Values: IPv4, IPv6
Protection Type
The DNS query type to monitor. Values: Other, Text, A, AAAA, MX, NAPTR, PTR, SOA, SRV
Caution: DefensePro does not support DNS queries of type ANY.
Scale
The scale for the presentation of the information along the Y-axis. Values: Linear, Logarithmic
Attack Status
(Read-only) The status of the attack.
Line
Description
Total Traffic (dark blue)
The total traffic that the device sees for the specific protection type and direction.
Legitimate Traffic (light blue)
The actual forwarded traffic rate, after DefensePro blocked the attack. When there is no attack, the Total Traffic and Legitimate Traffic are equal.
Normal Edge¹ (dashed green)
The statistically calculated baseline traffic rate.
Suspected Edge¹ (dashed orange)
The traffic rate that indicates a change in traffic that might be an attack.
Attack Edge¹ (dashed red)
The traffic rate that indicates an attack.
¹ This line is not displayed if the protection is configured to use a footprint bypass or manual triggers.
Parameter
Description
Traffic Type
The protection type.
Baseline
Each specific traffic type and direction has a baseline that the device learns automatically. The normal traffic rate expected by the device.
Total Traffic
The total traffic rate that the DefensePro device sees for the specific traffic type and direction.
Baseline Portion %
An indication of the rate-invariant baseline, that is, the normal percentage of the specific traffic type relative to all other traffic in the same direction.
RT Portion %
The actual percentage of the specific traffic type relative to all other traffic in the same direction.
Legitimate Traffic
The actual forwarded traffic rate, after the device blocked the attack. When there is no attack, the RT Rate and Legitimate Rate are equal.
Legitimate Portion %
The actual percentage of the forwarded traffic rate of the specified type relative to other types of traffic, after the device blocked the attack.
Degree of Attack
A numeric value that evaluates the current level of attack. A value of 8 or greater signifies an attack.
You can export rows of the Last Sample Statistics table to a CSV file.
(CSV).
5. Specify the location and file name; and then, click Save.
HTTP Reports
HTTP Mitigator protection monitors rate-based and rate-invariant HTTP traffic parameters, learns them, and generates normal behavior baselines accordingly.
Note: DefensePro examines the number and rate of HTTP requests. Thus, when HTTP pipelining is used, the detection mechanism remains accurate.
You can monitor real-time and historical (normal baseline) values, and analyze HTTP traffic anomalies using the following reports:
- Monitoring Continuous Learning Statistics, page 319
- Monitoring Hour-Specific Learning Statistics, page 320
- HTTP Request Size Distribution, page 321
- MIB Support for Real-Time HTTP Monitoring Data, page 322
Channel
Description
GET & POST Requests Rate
The rate of HTTP GET and POST requests sent per second to the protected server.
Other Requests Rate
The rate of HTTP requests that are neither GET nor POST sent per second to the protected server. Other HTTP request methods can be used, but are used less frequently.
Requests per Source
The maximum rate of HTTP GET and POST requests per second per source IP address. This parameter characterizes the site users' behavior, enabling you to recognize abnormal activities, such as scanning or bots. Legitimate users may generate many requests per second, but automatic devices such as bots or scanners generate many more.
Channel
Requests per Connection
Description
The maximum number of HTTP GET and POST requests per TCP connection. This parameter characterizes the site users' behavior, enabling you to recognize abnormal activities, such as scanning or bots. Many requests over a single TCP connection may indicate bot or scanner activity.
Outbound Bandwidth
The bandwidth, in megabits per second, of the HTTP servers sending the responses.
Note: Normal Requests per Source and Requests per Connection baseline parameters show the highest number of HTTP requests generated by a single source IP address and TCP connection respectively. This number fades out, unless a higher value is observed, within about 30 seconds.
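As an added example (not Radware's code and not the device's actual algorithm), the following Python derives the learning channels described in the table above from a constructed request stream, including the peak-hold that fades after about 30 seconds as the note describes; the record layout, the fade rule and the sample traffic are assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not Radware's code: the record layout, the 30-second peak-hold
# fade and the traffic below are assumptions built from the channel descriptions.
FADE_SECONDS = 30  # the note above: a peak fades out within about 30 seconds


@dataclass(frozen=True)
class Request:  # constructed record of one HTTP request seen by the device
    ts: float        # arrival time, seconds
    src_ip: str      # client IP address
    conn_id: int     # TCP connection the request arrived on
    method: str      # HTTP method
    resp_bytes: int  # size of the server's response, bytes


@dataclass
class Sample:  # one per-second reading of the five channels
    second: int
    get_post_rate: int            # GET & POST Requests Rate (requests/s)
    other_rate: int               # Other Requests Rate (non-GET/POST requests/s)
    requests_per_source: int      # peak GET/POST per second from one source IP
    requests_per_connection: int  # peak GET/POST carried by one TCP connection
    outbound_mbps: float          # Outbound Bandwidth of responses, Mbit/s


class PeakHold:
    """Holds the highest value seen: an equal or higher reading renews it, and it
    is replaced by the current reading once FADE_SECONDS have passed (the fade)."""
    def __init__(self) -> None:
        self.value, self.set_at = 0, 0

    def observe(self, value: int, now: int) -> int:
        if value >= self.value or now - self.set_at >= FADE_SECONDS:
            self.value, self.set_at = value, now
        return self.value


def learn_samples(requests: List[Request]) -> List[Sample]:
    """Bucket requests by whole second and derive the channels for each second."""
    if not requests:
        return []
    by_second: Dict[int, List[Request]] = defaultdict(list)
    for r in requests:
        by_second[int(r.ts)].append(r)
    conn_total: Dict[int, int] = defaultdict(int)  # cumulative GET/POST per connection
    src_peak, conn_peak = PeakHold(), PeakHold()
    samples: List[Sample] = []
    for sec in range(min(by_second), max(by_second) + 1):
        per_src: Dict[str, int] = defaultdict(int)
        active = set()
        get_post = other = out_bytes = 0
        for r in by_second.get(sec, []):
            out_bytes += r.resp_bytes
            if r.method in ("GET", "POST"):
                get_post += 1
                per_src[r.src_ip] += 1
                conn_total[r.conn_id] += 1
                active.add(r.conn_id)
            else:
                other += 1
        samples.append(Sample(
            second=sec, get_post_rate=get_post, other_rate=other,
            requests_per_source=src_peak.observe(max(per_src.values(), default=0), sec),
            requests_per_connection=conn_peak.observe(
                max((conn_total[c] for c in active), default=0), sec),
            outbound_mbps=round(out_bytes * 8 / 1_000_000, 4)))
    return samples


def exceeding_sources(requests: List[Request], baseline: int) -> List[Tuple[str, int]]:
    """Sources whose peak GET/POST-per-second is above the learned baseline: the
    'many more requests' pattern the table attributes to bots and scanners."""
    counts: Dict[Tuple[int, str], int] = defaultdict(int)
    for r in requests:
        if r.method in ("GET", "POST"):
            counts[(int(r.ts), r.src_ip)] += 1
    peak: Dict[str, int] = defaultdict(int)
    for (_, ip), n in counts.items():
        peak[ip] = max(peak[ip], n)
    return sorted(((ip, n) for ip, n in peak.items() if n > baseline), key=lambda x: -x[1])


def build_stream() -> List[Request]:
    """Constructed traffic: three browsers, one monitoring probe, one scripted client."""
    reqs: List[Request] = []
    for i, ip in enumerate(("192.0.2.10", "192.0.2.11", "192.0.2.12")):
        for sec in range(5):  # 2 GETs per second, each browser on its own connection
            reqs += [Request(sec + 0.3 * k, ip, 100 + i, "GET", 8_000) for k in range(2)]
    for sec in range(5):      # one HEAD probe per second (counted as "other")
        reqs.append(Request(sec + 0.5, "192.0.2.20", 200, "HEAD", 300))
    for sec in range(2, 5):   # 20 GETs per second on a single connection
        reqs += [Request(sec + 0.04 * k, "198.51.100.7", 300, "GET", 8_000) for k in range(20)]
    reqs.append(Request(40.0, "192.0.2.10", 400, "GET", 8_000))  # one request after a quiet spell
    return reqs


if __name__ == "__main__":
    stream = build_stream()
    print([s for s in learn_samples(stream) if s.get_post_rate])
    print("above baseline:", exceeding_sources(stream, baseline=10))
```

In the constructed stream the per-source and per-connection peaks set by the scripted client hold through the quiet seconds and drop back once 30 seconds have passed without a renewing reading.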
Parameter
Description
Server
The name of the protected Web server for which to display HTTP traffic statistics.
Display Last
The last number of hours for which the graph displays information. Values: 1, 2, 3, 6, 12, 24 Default: 1 hour
Channel
Description
GET & POST Requests Rate
The rate of HTTP GET and POST requests sent per second to the protected server.
Other Requests Rate
The rate of HTTP requests that are not POST or GET sent per second to the protected server. Other HTTP request methods can be used, but are used less frequently.
Outbound Bandwidth
The bandwidth, in megabits per second, of the HTTP pages sent as responses.
Parameter
Description
Server
The protected server for which to display information.
Scale
The scale for the presentation of the information along the Y-axis. Values: Linear, Logarithmic
OID | MIB
1.3.6.1.4.1.89.35.1.65.115.83 | rsHTTPFReportsContinuousLearningStatisticsTable
1.3.6.1.4.1.89.35.1.65.115.83.1 | rsHTTPFReportsContinuousLearningStatisticsEntry
1.3.6.1.4.1.89.35.1.65.115.83.1.1 | rsHTTPFReportsContinuousLearningStatisticsServerName
1.3.6.1.4.1.89.35.1.65.115.83.1.2 | rsHTTPFReportsContinuousLearningStatisticsGETAndPOSTRequestsRate
1.3.6.1.4.1.89.35.1.65.115.83.1.3 | rsHTTPFReportsContinuousLearningStatisticsOtherRequestsRate
1.3.6.1.4.1.89.35.1.65.115.83.1.4 | rsHTTPFReportsContinuousLearningStatisticsRequestsRatePerSource
1.3.6.1.4.1.89.35.1.65.115.83.1.5 | rsHTTPFReportsContinuousLearningStatisticsRequestsRatePerConnection
1.3.6.1.4.1.89.35.1.65.115.83.1.6 | rsHTTPFReportsContinuousLearningStatisticsOutboundBandwidthKbps
Note: DefensePro supports up to five simultaneous Telnet or SSH sessions. When you log on to the CLI through Telnet or SSH, there is a predefined time-out for completing the authentication procedure. After establishing a CLI session with the device, the user name and password must be entered within the period defined by the Authentication Time-out parameter. After three incorrect login attempts, the terminal is locked for 10 minutes and no further login attempts are accepted from that IP address. For Telnet or SSH sessions, you define the period of time the connection with the device is maintained despite session inactivity with the Session Time-out parameter. If the session is still inactive when the predefined period ends, the session automatically terminates.
Command | Description
acl | Access control list.
classes | Configures traffic attributes used for classification.
device | Device settings.
dp | DefensePro security settings.
help | Displays help for the specified command.
login | Log in to the device.
logout | Log out of the device.
manage | Device management configuration.
net | Network configuration.
ping | Pings a remote host.
reboot | Reboot the device.
security | Device security.
services | General networking services.
shutdown | Shut down.
ssh | Connect via SSH to a remote host.
Command | Description
statistics | Device statistics configuration.
system | Sets system parameters.
telnet | Connects to a remote host via Telnet.
trace-route | Measures hops and latency to a given destination.
CLI Capabilities
You can use DefensePro CLI through console access, Telnet, or SSH. The CLI provides the following capabilities:
- Consistent, logically structured and intuitive command syntax.
- A system config command to view the current configuration of the device, formatted as CLI command lines.
- Pasting the output of system config, or part of it, to the CLI of another device, using the system config set command. This option can be used for easy configuration replication.
- Help and command completion keys.
- Command line editing keys.
- Command history.
- Configurable prompt.
- Configurable banner for Telnet and SSH.
- Ping: Ping other hosts on the network to test availability of the other hosts.
- Telnet client: To initiate a Telnet session to remote hosts, use the following CLI command:
CLI Traps
When connected to a physical DefensePro platform via a serial cable, the device generates traps when events occur. To send traps by CLI, Telnet, and SSH, the command is:
Note: In Web Based Management, the online help is available by clicking on the ? Help icon that is displayed in every screen.
Note: SSL Keys and certificates are not exported as part of the configuration.
Web Services
DefensePro devices can be managed through SNMP, serial port, Telnet, SSH, HTTP (via internal Web application), and HTTPS. To provide customers with the capability to develop enhanced application monitoring, customized application delivery network management applications and advanced automation tools, Radware provides Web Service interfaces on DefensePro with APSolute API, an open standards-based SOAP (XML) API. Integration with APSolute API allows customers a comprehensive view of device performance, including historical data analysis and trending, performance diagnostics, availability reports and the automation of maintenance operations and fine-tuning of DefensePro for optimal application delivery based on external parameters. Key features:
- Control of Radware product features and functions from any external application.
- API-enabled network devices appear as software for applications, resulting in true, software-native integration.
- Comprehensive SDK for multiple development platforms and languages.
- Extensive sample application code, documentation, and configuration guidance.
- Over 1,700 methods available through a Web Services-based API.
- Support for SOAP/XML over HTTPS ensures flexible and secure communications.
API Structure
The APSolute API is a SOAP/XML interface that provides full access to DefensePro devices for third-party applications utilizing common development languages, including Java, Visual Basic/C#, and Perl. This interface enables both device configuration and monitoring of status and performance statistics. APSolute API offers two approaches to interacting with DefensePro devices:
1. Issuing CLI commands. This interface does not provide support for:
- Commands that are not configuration or monitoring commands, such as ping, telnet and trace-route.
- Commands that have asynchronous output (such as accelerator-related CLI commands).
- The response to a CLI command is limited to the first 1000 rows.
DefensePro User Guide Administering DefensePro
2. Configuring and monitoring the devices via SOAP commands that mirror Radware's SNMP MIB. The following types of commands are available:
- For a scalar MIB parameter, retrieve (get) the value and change (set) the value.
- For a MIB table entry, create an entry, delete an entry, update one or more parameters of an entry, retrieve (get) an entry, retrieve (get) the entire table, walk through the table (get first entry and get next).
The DefensePro Web services operate via HTTP or HTTPS requests, like a regular Web browser. Web Services are disabled by default on DefensePro. You can enable DefensePro Web services by means of the following:
- CLI: manage Web-services status
- WBM: Web Services window (Services > Web > Web Services window)
- APSolute Vision: Access tab of the Setup window
You can enable Web Services only if either the Web or secure Web management interface is enabled on the device.
To start working with the APSolute API SDK, install a SOAP client tool kit (supporting SOAP version 1.1 and later) and a development environment for the tool kit on the workstation.
Table 169: BDoS Footprint Bypass Fields and Values for UDP, ICMP, and IGMP Controllers

Controller | Field | Default Status | Values | Remark
UDP, ICMP, IGMP | checksum | Accept | For ICMP and IGMP: N/A; For UDP: 0 | The checksum value in the UDP header of the packet.
UDP, ICMP, IGMP | id-num | Accept | For ICMP and IGMP: N/A | The ID number from the IP packet header.
UDP, ICMP, IGMP | id-num-ipv6² | Accept | For ICMP and IGMP: N/A; For UDP: 0 | The ID number from the IPv6 packet header.
UDP, ICMP, IGMP | dns-id-num | Accept | For ICMP and IGMP: N/A; For UDP: 0 | The ID number of a DNS query.
UDP | dns-qname | Accept | N/A¹ | The domain name requested by a DNS query.
UDP | dns-qcount | Accept | N/A | The number of DNS queries in a single DNS session.
UDP | source-port | Accept | | The source port of the attack.
UDP, ICMP, IGMP | frag-offset | Accept | 0, 185 | Indicates where this fragment belongs in the datagram. The fragment offset is measured in units of 8 bytes (64 bits).
UDP, ICMP | frag-offset-ipv6² | Accept | 0, 181 | Indicates where this IPv6 fragment belongs in the datagram. The IPv6 fragment offset is measured in units of 8 bytes (64 bits).
UDP, ICMP | flow-label² | Accept | | Used by a source to label those products for which it requests special handling by the IPv6 router. The flow is uniquely identified by the combination of a source address and a non-zero flow label.
UDP, ICMP, IGMP | source-ip | Accept | N/A | The source IP address of the attack.
UDP, ICMP | source-ip-ipv6² | Accept | N/A | The source IPv6 address of the attack.
UDP, ICMP, IGMP | tos | Accept | N/A | The Type of Service value from the IP packet header.
UDP, ICMP, IGMP | packet-size | Accept | | The size of the packet in bytes, including the data-link header.
UDP, ICMP | packet-size-ipv6² | Accept | | The size of the IPv6 packet in bytes, including the data-link header.
UDP | destination-port | Accept | N/A | The destination port from the packet header.
UDP, ICMP, IGMP | destination-ip | Accept | N/A | The destination IP address.
UDP, ICMP | destination-ip-ipv6² | Accept | N/A |
UDP, ICMP, IGMP | fragment | Accept | N/A |
UDP, ICMP, IGMP | ttl | Accept | N/A |
UDP, ICMP, IGMP | vlan-tag | Accept | N/A |
ICMP, IGMP | icmp-igmp-message-type | Accept | N/A | The protocol Message Type value.
ICMP | icmp-message-type-ipv6² | Accept | N/A | The ICMP IPv6 Message Type value.
DefensePro User Guide Footprint Bypass Fields and Values
¹ N/A (that is, not applicable) means that no specific values can be used with the field; only the general status, Accept or Bypass, applies.
² This field is displayed only when the IP Version Mode on the device is set to IPv4 and IPv6 (Configuration perspective > Networking > Basic).
Table 170: BDoS Footprint Bypass Fields and Values for All TCP Controllers

Controllers | Field | Default Status | Values | Remark
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | sequence-num | Accept | | The sequence number value from the relevant TCP packet header.
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | id-num | Accept | N/A |
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | source-port | Accept | N/A |
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | source-ip | Bypass | |
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | source-ip-ipv6² | Bypass | |
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | tos | Accept | |
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | packet-size | Accept | | The size of the packet in bytes, including the data-link header.
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | packet-size-ipv6² | Accept | For TCP-SYN, TCP-SYN-ACK: 80, 82, 86, 94; For TCP-RST, TCP-ACK-FIN: 74; For TCP-Frag: N/A |
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | destination-port | Accept | |
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | destination-ip | Accept | |
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | destination-ip-ipv6² | Accept | |
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | ttl | Accept | |
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | vlan-tag | Accept | |
TCP-Frag | frag-offset | Accept | 0, 185 | Indicates where this fragment belongs in the datagram. The fragment offset is measured in units of 8 bytes (64 bits).
TCP-Frag | frag-offset-ipv6² | Accept | | Indicates where this IPv6 fragment belongs in the datagram. The IPv6 fragment offset is measured in units of 8 bytes (64 bits).
 | flow-label² | Accept | | Used by a source to label those products for which it requests special handling by the IPv6 router. The flow is uniquely identified by the combination of a source address and a non-zero flow label.

¹ N/A (that is, not applicable) means that no specific values can be used with the field; only the general status, Accept or Bypass, applies.
² This field is displayed only when the IP Version Mode on the device is set to IPv4 and IPv6 (Configuration perspective > Networking > Basic).
Field | Default Status | Values | Remark
checksum | Accept |  | The checksum value in the UDP header of the packet.
id-num | Accept |  | The ID number from the IP packet header.
id-num-ipv6² | Accept |  | The ID number from the IPv6 packet header.
dns-id-num | Accept |  | The ID number of a DNS query.
dns-qname | Accept |  | The domain name requested by a DNS query.
dns-qcount | Accept |  | The number of DNS queries in a single DNS session.
source-port | Accept |  | The source port of the attack.
flow-label² | Accept |  | Used by a source to label those packets for which it requests special handling by the IPv6 router. The flow is uniquely identified by the combination of a Source address and a non-zero flow label.
source-ip | Accept | N/A | The source IP address of the attack.
source-ip-ipv6² | Accept | N/A | The source IPv6 address of the attack.
tos | Accept | N/A | The Type of Service value from the IP packet header.
packet-size | Accept | For UDP and IGMP: N/A; for ICMP: 74 | The size of the packet in bytes, including the data-link header.
packet-size-ipv6² | Accept | For UDP: N/A; for ICMP: 118 | The size of the IPv6 packet in bytes, including the data-link header.
destination-ip | Accept | N/A | The destination IP address.
destination-ip-ipv6² | Accept | N/A | The destination IPv6 address.
fragment | Accept | N/A | The protocol fragmented packet.
ttl | Accept | N/A | The Time-To-Live value in the IP packet header.
vlan-tag | Accept | N/A | The VLAN tag value (external).
dns-ancount | Accept | 0 | The number of DNS answers in a single DNS session.
flags | Accept | N/A | The DNS header flags field (AA, TC, RD, and so on).
1. A client initiates an HTTPS session with the server.
2. When DefensePro forwards the traffic to the server, it replicates the HTTPS session to a preconfigured port, where an AppXcel unit is connected.
3. AppXcel operates in passive SSL mode, decrypts the HTTPS session and returns it as an HTTP session.
4. DefensePro inspects the HTTP traffic received from AppXcel based on its policies. If an attack is detected, DefensePro sends a Reset packet to the source and/or destination.
Note: DoS, SYN protection and other policies can also be applied to the original SSL streams.

Before you configure SSL inspection, configure inspection ports in the Static Forwarding table by setting the operating mode to Process. When you assign the same Destination Port to more than one Source Port, you must set the Destination Port of the traffic in the opposite direction; otherwise, the traffic transmitted in that direction is ignored. For example, if both Source Port 1 and Source Port 2 are associated with Destination Port 3, then for traffic in the opposite direction the Source Port is 3 while the Destination Port must be defined explicitly (1 or 2).
Configure SSL inspection physical port settings and click OK.

Parameter | Description
Incoming Port | The scanning port that was configured for one of the traffic directions. This port must be dedicated to the SSL acceleration and cannot be used for other purposes, such as static forwarding or network interface.
Port towards AppXcel | The port that is used for SSL acceleration.

Configure SSL inspection Layer 4 port settings.

Parameter | Description
TCP Incoming Port | The SSL service port of the original traffic. This TCP port is used for forwarding SSL sessions.
TCP Port towards AppXcel | The corresponding service port that AppXcel uses for decrypted sessions. This HTTP port is used after decryption.
Name | Description | Protocol | OMPC Offset | OMPC Mask
000 | Routine | IP | 1 | e0000000
001 | Priority | IP | 1 | e0000000
010 | Immediate | IP | 1 | e0000000
011 | Flash | IP | 1 | e0000000
100 | Flash Override | IP | 1 | e0000000
101 | CRITIC/ECP | IP | 1 | e0000000
110 | Internetwork Control | IP | 1 | e0000000
111 | Network Control | IP | 1 | e0000000
aim-aol-any | AIM/AOL Instant Messenger | TCP | 0 | ffff0000
aol-msg | AOL Instant | TCP | 0 | 0
ares_ft_udp_0 | Ares_FT_udp | UDP | 36 | ffffffff
ares_ft_udp_1 | Ares_FT_udp | UDP | 40 | ff000000
bearshare_download_tcp_0 | BearShare_Download_tcp | TCP | 0 | ffffffff
bearshare_download_tcp_1 | BearShare_Download_tcp | TCP | 4 | ffffffff
bearshare_request_file_udp_0 | BearShare_Request_File_udp | UDP | 0 | ffffffff
bearshare_request_file_udp_1 | BearShare_Request_File_udp | UDP | 4 | 00ffffff
bittorrent_command_1_0 | BitTorrent | TCP | 0 | ffffffff
bittorrent_command_1_1 | BitTorrent | TCP | 4 | ffffffff
bittorrent_command_1_2 | BitTorrent | TCP | 8 | ffffffff
bittorrent_command_1_3 | BitTorrent | TCP | 12 | ffffffff
bittorrent_command_1_4 | BitTorrent | TCP | 16 | ffffffff
bittorrent_command_2_0 | BitTorrent | TCP | 0 | ffffffff
bittorrent_command_2_1 | BitTorrent | TCP | 4 | ffffffff
bittorrent_command_2_2 | BitTorrent | TCP | 8 | ffffffff
bittorrent_command_2_3 | BitTorrent | TCP | 12 | ffffffff
bittorrent_command_2_4 | BitTorrent | TCP | 16 | ffffffff
bittorrent_command_2_5 | BitTorrent | TCP | 20 | ffffffff
bittorrent_command_3_0 | BitTorrent | TCP | 0 | ffffffff
bittorrent_command_3_1 | BitTorrent | TCP | 4 | ffffffff
bittorrent_command_3_2 | BitTorrent | TCP | 8 | ffffffff
bittorrent_command_3_3 | BitTorrent | TCP | 12 | ffffffff
bittorrent_command_3_4 | BitTorrent | TCP | 16 | ffffffff
bittorrent_command_3_5 | BitTorrent | TCP | 20 | ffff0000
bittorrent_command_4_0 | BitTorrent | TCP | 8 | ffffff00
bittorrent_command_4_1 | BitTorrent | TCP | 11 | ff000000
bittorrent_command_4_2 | BitTorrent | TCP | 11 | ff000000
bittorrent_udp_1_0 | BitTorrent_UDP_1 | UDP | 8 | ffffff00
bittorrent_udp_1_1 | BitTorrent_UDP_1 | UDP | 12 | ffff0000
citrix-admin | Citrix Admin | TCP | 0 | 0
citrix-ica | Citrix ICA | TCP | 0 | 0
citrix-ima | Citrix IMA | TCP | 0 | 0
citrix-ma-client | Citrix MA client | TCP | 0 | 0
citrix-rtmp | Citrix RTMP | TCP | 0 | 0
diameter | Diameter | TCP | 0 | 0
directconnect_file_transfer_0 | DirectConnect_File_transfer | TCP | 0 | ff000000
directconnect_file_transfer_1 | DirectConnect_File_transfer | TCP | 21 | ffffffff
directconnect_file_transfer_2 | DirectConnect_File_transfer | TCP | 25 | ffffffff
dns | Session for DNS | UDP | 0 | 0
emule_tcp_file_request_0 | eMule | TCP | 0 | ff000000
emule_tcp_file_request_1 | eMule | TCP | 4 | ffff0000
emule_tcp_hello_message_0 | eMule | TCP | 0 | ff000000
emule_tcp_hello_message_1 | eMule | TCP | 4 | ffff0000
emule_tcp_secure_handshake_0 | eMule | TCP | 0 | ff000000
emule_tcp_secure_handshake_1 | eMule | TCP | 4 | ffff0000
ftp-session | Session for FTP | TCP | 0 | 0
gnutella_tcp_1_0 | Gnutella_TCP_1 | TCP | 0 | ffffff00
gnutella_tcp_2_0 | Gnutella_TCP_2 | TCP | 0 | ffffffff
gnutella_tcp_2_1 | Gnutella_TCP_2 | TCP | 4 | ffffffff
gnutella_tcp_3_0 | Gnutella_TCP_3 | TCP | 0 | ffffff00
googletalk_ft_1_0 | GoogleTalk_FT_1 | UDP | 24 | ffffffff
googletalk_ft_1_1 | GoogleTalk_FT_1 | UDP | 28 | ffffffff
googletalk_ft_1_2 | GoogleTalk_FT_1 | UDP | 32 | ffffffff
googletalk_ft_1_3 | GoogleTalk_FT_1 | UDP | 36 | ffff0000
googletalk_ft_2_0 | GoogleTalk_FT_2 | UDP | 24 | ffffffff
googletalk_ft_2_1 | GoogleTalk_FT_2 | UDP | 28 | ffffffff
googletalk_ft_4_0 | GoogleTalk_FT_4 | UDP | 67 | ffffffff
googletalk_ft_4_1 | GoogleTalk_FT_4 | UDP | 71 | ffffffff
groove_command_1_0 | Groove | TCP | 6 | ffffffff
groove_command_1_1 | Groove | TCP | 10 | ffffffff
groove_command_1_2 | Groove | TCP | 14 | ffffffff
groove_command_2_0 | Groove | TCP | 6 | ffffffff
groove_command_2_1 | Groove | TCP | 10 | ffff0000
groove_command_3_0 | Groove | TCP | 7 | ffffffff
groove_command_3_1 | Groove | TCP | 11 | ffffffff
groove_command_3_2 | Groove | TCP | 15 | ffffffff
groove_command_3_3 | Groove | TCP | 19 | ffffffff
h.225-session | Session Of H225 | TCP | 0 | 0
hdc1 | High Drop Class 1 | IP | 1 | fc000000
hdc2 | High Drop Class 2 | IP | 1 | fc000000
hdc3 | High Drop Class 3 | IP | 1 | fc000000
hdc4 | High Drop Class 4 | IP | 1 | fc000000
http | World Wide Web HTTP | TCP | 0 | 0
http-alt | HTTP alternate | TCP | 0 | 0
https | HTTP over SSL | TCP | 0 | 0
icecast_1 | IceCast_Stream | TCP | 0 | ffffffff
icecast_2 | IceCast_Stream | TCP | 4 | ffffffff
icecast_3 | IceCast_Stream | TCP | 8 | ffff0000
icmp | ICMP | ICMP | 0 | 0
icq | ICQ | TCP | 0 | 0
icq_aol_ft_0 | ICQ_AOL_FT | TCP | 0 | ffffffff
icq_aol_ft_1 | ICQ_AOL_FT | TCP | 0 | ffffffff
icq_aol_ft_2 | ICQ_AOL_FT | TCP | 2 | ffff0000
imap | Internet Message Access | TCP | 0 | 0
imesh_download_tcp_0 | iMesh_Download_tcp | TCP | 0 | ffffffff
imesh_download_tcp_1 | iMesh_Download_tcp | TCP | 4 | ffffffff
imesh_request_file_udp_0 | iMesh_Request_File_udp | UDP | 0 | ffffffff
imesh_request_file_udp_1 | iMesh_Request_File_udp | UDP | 4 | 00ffffff
ip | IP Traffic | IP | 0 | 0
itunesdaap_ft_0 | iTunesDaap_FT | TCP | 0 | ffffffff
itunesdaap_ft_1 | iTunesDaap_FT | TCP | 4 | ffffffff
itunesdaap_ft_2 | iTunesDaap_FT | TCP | 8 | ffffff00
itunesdaap_ft_3 | iTunesDaap_FT | TCP | 2 | ffff0000
kazaa_request_file_0 | Kazaa_Request_File | TCP | 0 | ffffffff
kazaa_request_file_1 | Kazaa_Request_File | TCP | 4 | ffffffff
kazaa_request_file_2 | Kazaa_Request_File | TCP | 8 | ffff0000
kazaa_udp_packet_0 | Kazaa_UDP_Packet | UDP | 6 | ffffffff
kazaa_udp_packet_1 | Kazaa_UDP_Packet | UDP | 4 | ffff0000
ldap | LDAP | TCP | 0 | 0
ldaps | LDAPS | TCP | 0 | 0
ldc1 | Low Drop Class 1 | IP | 1 | fc000000
ldc2 | Low Drop Class 2 | IP | 1 | fc000000
ldc3 | Low Drop Class 3 | IP | 1 | fc000000
ldc4 | Low Drop Class 4 | IP | 1 | fc000000
lrp | Load Report Protocol | UDP | 0 | 0
manolito_file_transfer_0_0 | Manolito | TCP | 0 | ffffffff
manolito_file_transfer_0_1 | Manolito | TCP | 0 | ffffffff
manolito_file_transfer_0_2 | Manolito | TCP | 0 | ffffffff
manolito_file_transfer_1_0 | Manolito | TCP | 4 | ff000000
manolito_file_transfer_1_1 | Manolito | TCP | 4 | ff000000
manolito_file_transfer_2_0 | Manolito | TCP | 4 | ff000000
manolito_file_transfer_2_1 | Manolito | TCP | 4 | ff000000
mdc1 | Medium Drop Class 1 | IP | 1 | fc000000
mdc2 | Medium Drop Class 2 | IP | 1 | fc000000
mdc3 | Medium Drop Class 3 | IP | 1 | fc000000
mdc4 | Medium Drop Class 4 | IP | 1 | fc000000
meebo_get_0 | MEEBO_GET | TCP | 0 | ffffffff
meebo_get_1 | MEEBO_GET | TCP | 4 | ffffffff
meebo_get_2 | MEEBO_GET | TCP | 8 | ffffffff
meebo_get_3 | MEEBO_GET | TCP | 12 | ffffffff
meebo_get_4 | MEEBO_GET | TCP | 16 | ffffffff
meebo_get_5 | MEEBO_GET | TCP | 20 | ffffffff
meebo_get_6 | MEEBO_GET | TCP | 24 | ffffffff
meebo_get_7 | MEEBO_GET | TCP | 28 | ffffffff
meebo_get_8 | MEEBO_GET | TCP | 32 | ff000000
meebo_post_0 | MEEBO_POST | TCP | 0 | ffffffff
meebo_post_1 | MEEBO_POST | TCP | 4 | ffffffff
meebo_post_2 | MEEBO_POST | TCP | 8 | ffffffff
meebo_post_3 | MEEBO_POST | TCP | 12 | ffffffff
meebo_post_4 | MEEBO_POST | TCP | 16 | ffffffff
meebo_post_5 | MEEBO_POST | TCP | 20 | ffffffff
meebo_post_6 | MEEBO_POST | TCP | 24 | ffffffff
meebo_post_7 | MEEBO_POST | TCP | 28 | ffffff00
msn-any | MSN Messenger Chat | TCP | 0 | ffffffff
msn-msg | MSN Messenger Chat | TCP | 0 | 0
msn_msgr_ft_0 | MSN_MSGR_FT | TCP | 0 | ffffffff
msn_msgr_ft_1 | MSN_MSGR_FT | TCP | 48 | ffffffff
mssql-monitor | Microsoft SQL traffic-monitor | TCP | 0 | 0
mssql-server | Microsoft SQL server traffic | TCP | 0 | 0
nntp | Network News | TCP | 0 | 0
nonip | Non IP Traffic | NonIP | 0 | 0
oracle-server1 | Oracle server | TCP | 0 | 0
oracle-server2 | Oracle server | TCP | 0 | 0
oracle-server3 | Oracle server | TCP | 0 | 0
oracle-v1 | Oracle SQL *Net version 1 | TCP | 0 | 0
oracle-v2 | Oracle SQL *Net version 2 | TCP | 0 | 0
pop3 | Post Office Protocol 3 | TCP | 0 | 0
prp | PRP | UDP | 0 | 0
radius | RADIUS protocol | TCP | 0 | 0
rexec | Remote Process Execution | TCP | 0 | 0
rshell | Remote Shell | TCP | 0 | 0
rtp_ft_0 | RTP_FT | UDP | 0 | ffff0000
rtp_ft_1 | RTP_FT | UDP | 0 | ffff0000
rtp_ft_2 | RTP_FT | UDP | 16 | ffff0000
rtsp | RTSP | TCP | 0 | 0
sap | SAP | TCP | 0 | 0
sctp | SCTP Traffic | SCTP | 0 | 0
skype-443-handshake | Skype signature for port 443 | TCP | 0 | ff000000
skype-443-s-hello | Skype signature for port 443 | TCP | 11 | ffffffff
skype-80-l-56 | Skype signature for port 80 | TCP | 2 | ffff0000
skype-80-proxy | Skype signature for port 80 | TCP | 0 | ffffffff
skype-80-pshack | Skype signature for port 80 | TCP | 13 | ff000000
skype-ext-l-54 | Skype signature | TCP | 2 | ffff0000
skype-ext-pshack | Skype signature | TCP | 13 | ff000000
smtp | Simple Mail Transfer | TCP | 0 | 0
snmp | SNMP | UDP | 0 | 0
snmp-trap | SNMP Trap | UDP | 0 | 0
softethervpn443 | SoftEther Ethernet System | TCP | 0 | ffffff00
softethervpn8888 | SoftEther Ethernet System | TCP | 0 | ffffff00
soulseek_pierce_fw_0 | SoulSeek_Pierce_FW | TCP | 0 | ffffffff
soulseek_pierce_fw_1 | SoulSeek_Pierce_FW | TCP | 4 | ff000000
soulseek_pierce_fw_2 | SoulSeek_Pierce_FW | TCP | 2 | ffff0000
ssh | Secure Shell | TCP | 0 | 0
tcp | TCP Traffic | TCP | 0 | 0
telnet | Telnet | TCP | 0 | 0
tftp | Trivial File Transfer | UDP | 0 | 0
udp | UDP Traffic | UDP | 0 | 0
voip_sign_1 | VOIP signature | UDP | 28 | c03f0000
voip_sign_10 | VOIP signature | UDP | 28 | c03f0000
voip_sign_11 | VOIP signature | UDP | 28 | c03f0000
voip_sign_12 | VOIP signature | UDP | 28 | c03f0000
voip_sign_13 | VOIP signature | UDP | 28 | c03f0000
voip_sign_2 | VOIP signature | UDP | 28 | c03f0000
voip_sign_3 | VOIP signature | UDP | 28 | c03f0000
voip_sign_4 | VOIP signature | UDP | 28 | c03f0000
voip_sign_5 | VOIP signature | UDP | 28 | c03f0000
voip_sign_6 | VOIP signature | UDP | 28 | c03f0000
voip_sign_7 | VOIP signature | UDP | 28 | c03f0000
voip_sign_8 | VOIP signature | UDP | 28 | c03f0000
voip_sign_9 | VOIP signature | UDP | 28 | c03f0000
yahoo_ft_0 | YAHOO_FT | TCP | 0 | ffffffff
yahoo_ft_1 | YAHOO_FT | TCP | 10 | ffff0000
yahoo_get_0 | YAHOO_GET | TCP | 0 | ffffffff
yahoo_get_1 | YAHOO_GET | TCP | 4 | ffffffff
yahoo_get_2 | YAHOO_GET | TCP | 8 | ffffffff
yahoo_get_3 | YAHOO_GET | TCP | 12 | ffffffff
yahoo_get_4 | YAHOO_GET | TCP | 16 | ff000000
yahoo_post_0 | YAHOO_POST | TCP | 0 | ffffffff
yahoo_post_1 | YAHOO_POST | TCP | 4 | ffffffff
yahoo_post_2 | YAHOO_POST | TCP | 8 | ffffffff
yahoo_post_3 | YAHOO_POST | TCP | 12 | ffffffff
yahoo_post_4 | YAHOO_POST | TCP | 16 | ffff0000
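How the OMPC Offset and OMPC Mask columns of the table above work together for the eight IP Precedence rows (000 to 111) and the drop-class rows (hdc/mdc/ldc), shown as an added Python example that is not part of the guide or of Radware's software. It assumes that for rows whose Protocol is IP the offset indexes into the IPv4 header and the masked 32-bit word there is compared against a pattern; the table does not list a pattern column, so the patterns below are derived from the row names, and the IPv4 header is constructed here.

```python
"""OMPC offset/mask matching for the IP rows of the signature table (added example)."""
import struct

# Assumption (not stated on the page): for rows whose Protocol is IP, the OMPC
# offset is a byte offset into the IPv4 header; the big-endian 32-bit word that
# starts there is ANDed with the OMPC mask and compared with a pattern. Offset 1
# is the ToS/DSCP byte, so mask e0000000 keeps the three IP Precedence bits and
# mask fc000000 (the hdc/mdc/ldc rows) keeps the six DSCP bits.
OMPC_OFFSET = 1
MASK_PRECEDENCE = 0xE0000000
MASK_DSCP = 0xFC000000

# The eight IP Precedence rows of the table. The pattern column is not on the
# page; these patterns are derived from the row names (the 3-bit value placed in
# the top bits of the masked word).
IP_PRECEDENCE_ROWS = [
    ("000", "Routine",              0x00000000),
    ("001", "Priority",             0x20000000),
    ("010", "Immediate",            0x40000000),
    ("011", "Flash",                0x60000000),
    ("100", "Flash Override",       0x80000000),
    ("101", "CRITIC/ECP",           0xA0000000),
    ("110", "Internetwork Control", 0xC0000000),
    ("111", "Network Control",      0xE0000000),
]


def ompc_word(packet: bytes, offset: int) -> int:
    """Big-endian 32-bit word starting at `offset`, zero-padded on a short packet."""
    return struct.unpack("!I", packet[offset:offset + 4].ljust(4, b"\x00"))[0]


def ompc_match(packet: bytes, offset: int, mask: int, pattern: int) -> bool:
    """Generic OMPC test: (word at offset AND mask) == (pattern AND mask).
    A packet that does not reach the offset never matches."""
    if offset >= len(packet):
        return False
    return (ompc_word(packet, offset) & mask) == (pattern & mask)


def classify_precedence(packet: bytes):
    """Run the eight precedence rows against one IPv4 packet; return the
    (name, description) of the row that fires, or None if none can be evaluated."""
    for name, description, pattern in IP_PRECEDENCE_ROWS:
        if ompc_match(packet, OMPC_OFFSET, MASK_PRECEDENCE, pattern):
            return name, description
    return None


def dscp_of(packet: bytes) -> int:
    """The six DSCP bits, isolated the way the drop-class rows do (offset 1, mask fc000000)."""
    return (ompc_word(packet, OMPC_OFFSET) & MASK_DSCP) >> 26


def build_ipv4_header(tos: int, src: str = "192.0.2.1", dst: str = "198.51.100.7",
                      total_length: int = 40, protocol: int = 6) -> bytes:
    """Constructed 20-byte IPv4 header (no options) carrying the given ToS byte.
    The header checksum is left at zero; it is irrelevant to the OMPC test."""
    def ip4(dotted: str) -> bytes:
        return bytes(int(octet) for octet in dotted.split("."))
    return struct.pack("!BBHHHBBH4s4s",
                       0x45,          # version 4, IHL 5
                       tos & 0xFF,    # ToS / DSCP+ECN byte, i.e. OMPC offset 1
                       total_length,
                       0x1234,        # identification (arbitrary)
                       0x4000,        # flags DF, fragment offset 0
                       64,            # TTL
                       protocol,
                       0,             # header checksum (not computed)
                       ip4(src), ip4(dst))


if __name__ == "__main__":
    # Constructed sample: DSCP EF (ToS byte 0xB8) carries precedence bits 101.
    hdr = build_ipv4_header(0xB8)
    print(classify_precedence(hdr), dscp_of(hdr))   # ('101', 'CRITIC/ECP') 46
```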
Description
White-list encounters are not reported as security events.
Black-list access violation.
Network flood IPv4 UDP.
Network flood IPv4 ICMP.
Network flood IPv4 IGMP.
Network flood IPv4 TCP with SYN flag.
Network flood IPv4 TCP with RST flag.
Network flood IPv4 TCP with ACK flag.
Network flood IPv4 TCP with PSH flag.
Network flood IPv4 TCP with FIN flag.
Network flood IPv4 TCP with SYN and ACK flags.
Network flood IPv4 TCP with FRAG flag.
Network flood IPv6 UDP.
Network flood IPv6 ICMP.
Network flood IPv6 IGMP.
Network flood IPv6 TCP with SYN flag.
Network flood IPv6 TCP with RST flag.
Network flood IPv6 TCP with ACK flag.
Network flood IPv6 TCP with PSH flag.
Network flood IPv6 TCP with FIN flag.
Network flood IPv6 TCP with SYN and ACK flags.
Network flood IPv6 TCP with FRAG flag.
Unrecognized L2 format.
Incorrect IPv4 checksum.
Invalid IPv4 header or total length.
TTL less than or equal to 1.
Inconsistent IPv6 headers.
IPv6 hop limit reached.
Unsupported L4 protocol.
Invalid TCP header length.
Invalid TCP flags.
Invalid UDP header length.
Source or destination IP address same as local host.
Source IP address same as destination IP address (Land Attack). The common vulnerability enumerator (CVE) for this signature is CVE-1999-0016.

Name | Description
L4 Source or Dest Port Zero | Layer 4 source or destination port is zero.
HTTP Page Flood Attack | HTTP page flood attack.
TCP Out-of-State | TCP Out-of-State floods.
SCAN_TCP_SCAN | TCP scanning attempt.
SCAN_UDP_SCAN | UDP scanning attempt.
SCAN_ICMP_SCAN | ICMP scanning attempt.
Brute Force Web | A Brute Force Web attack is an attempt to break into a restricted area on a site that is protected by native HTTP authentication.

Description
A Web-vulnerability scan is an information-gathering attack that is usually launched as a prequel to an intrusion attack on the scanned Web server. The attacker is trying to gather information on the Web server by sending different types of HTTP requests and analyzing the server responses. Automatic tools are often used in this case.
A Brute Force SMTP attack is an attempt to break into restricted accounts on the SMTP mail server that is protected by user name and password authentication.
A Brute Force FTP attack is an attempt to break into a restricted account on the FTP server that is protected by user name and password authentication.
A Brute Force POP3 attack is an attempt to break into restricted accounts on the POP3 mail server that is protected by user name and password authentication.
A Brute Force SIP (UDP) attack is an attempt to break into restricted accounts on the SIP server, over UDP, which is protected by user name and password authentication. This type of attack can also cause a Register flood on the SIP server.
A Brute Force SIP (TCP) attack is an attempt to break into restricted accounts on the SIP server, over TCP, which is protected by user name and password authentication. This type of attack can also cause a Register flood on the SIP server.
IDs: 402, 403, 404, 405, 406

Description
A Brute Force MySQL attack is an attempt to break into restricted database accounts on the MySQL database server that is protected by user name and password authentication.
A Brute Force MSSQL attack is an attempt to break into restricted database accounts on the MSSQL database server that is protected by user name and password authentication.
SIP scan attacks intend to identify the SIP server in order to find vulnerabilities or to harvest the server for existing subscriber phone numbers (also known as SIP users or SIP URI). The phone numbers can be used later to launch a SPIT (SPAM over IP Telephony) attack.
SIP scan attacks intend to identify the SIP server in order to find vulnerabilities or to harvest the server for existing subscriber phone numbers (also known as SIP users or SIP URI). The phone numbers can be used later to launch a SPIT (SPAM over IP Telephony) attack.
SIP scan attacks intend to identify the SIP server in order to find vulnerabilities or to harvest the server for existing subscriber phone numbers (also known as SIP users or SIP URI). The phone numbers can be used later to launch a SPIT (SPAM over IP Telephony) attack.
IDs: 408, 409, 410, 414

Description
A Brute Force SIP DST (TCP) attack is an attempt to break into restricted accounts on the SIP server, over TCP, which is protected by user name and password authentication. The specific attack was detected from error responses that were found on sessions that originated from the server. This type of attack can also cause a Register flood on the SIP server.
A Brute Force SMB attack is an attempt to break into restricted accounts on the SMB (file share) server that is protected by user name and password authentication.
A Brute Force SIP DST (UDP) attack is an attempt to break into restricted accounts on the SIP server, over UDP, which is protected by user name and password authentication. The specific attack was detected from error responses that were found on sessions that originated from the server. This type of attack can also cause a Register flood on the SIP server.
SIP scan attacks intend to identify the SIP server in order to find vulnerabilities or to harvest the server for existing subscriber phone numbers (also known as SIP users or SIP URI). The phone numbers can be used later to launch a SPIT (SPAM over IP Telephony) attack.
IDs: 417, 418, 419

Name | Protection | Description
DNS flood IPv4 DNS-A | DNS-Protection | DNS A query flood over IPv4.
DNS flood IPv4 DNS-MX | DNS-Protection | DNS MX query flood over IPv4.
DNS flood IPv4 DNS-PTR | DNS-Protection | DNS PTR query flood over IPv4.
DNS flood IPv4 DNS-AAAA | DNS-Protection | DNS AAAA query flood over IPv4.
DNS flood IPv4 DNS-Text | DNS-Protection | DNS Text query flood over IPv4.

Description
DNS SOA query flood over IPv4.
DNS NAPTR query flood over IPv4.
DNS SRV query flood over IPv4.
DNS Other queries flood over IPv4.
DNS query flood over IPv4.
DNS A query flood over IPv6.
DNS MX query flood over IPv6.
DNS PTR query flood over IPv6.
DNS AAAA query flood over IPv6.
DNS Text query flood over IPv6.
DNS SOA query flood over IPv6.
DNS NAPTR query flood over IPv6.
DNS SRV query flood over IPv6.
DNS Other queries flood over IPv6.
DNS query flood over IPv6.
Start, ongoing, and termination of attacks per protection policy.
Ongoing message when the SYN rate relative to the first ACK/Data packet rate is above 1000 packets per second. (This event is not generated in version 5.10 and later.)
Used for DefensePro's session table protection. (This event is not generated in version 5.10 and later.)
Used for SARP (SYN ACK Reflection Protection).
IDs: 722, 723

Description
Used when a fragmented packet arrives during the authentication process. The packet will be discarded.
Used when a RESET packet that does not match an existing session arrives during the authentication process. The packet will be discarded.
Used when a packet that does not match an existing session arrives during the authentication process. The packet will be deleted and a RESET will be sent to the source.
Used when the SYN Protection table is full and the module cannot handle more concurrent authentication processes. New verified ACK (or data) packets will be discarded as long as the table is full.
Used when a packet that does not match an existing session arrives during the authentication process. The packet will be deleted and a RESET will be sent to the source.
Used when a packet with an illegal cookie arrives during the authentication process. The packet will be discarded. (This event is not relevant before version 5.1x.)
Used when a new session is aged during the authentication process before the first data packet has arrived.
Used when an unexpected packet or one with illegal TCP flags arrives during the authentication process. The packet will be discarded.
IDs: 725, 726, 727, 729, 730, 731, 732

ID | Name | Protection | Severity | Action | Description
740 |  | Stateful-ACL | High | Drop | Reports on traffic that matched an ACL rule.
741 |  |  |  |  | Reports on traffic that matched an ACL rule.
742 |  |  |  |  | Reports on traffic that matched an ACL rule.
743 |  |  |  |  | Reports on traffic that matched an ACL rule.
744 |  |  |  |  | Reports on traffic that matched an ACL rule.
745 |  |  |  |  | Reports on traffic that matched an ACL rule.
746 |  |  |  |  | Reports on IP traffic that matched an ACL rule that is not supported explicitly in the ACL (that is, traffic that is not, for example, TCP, UDP, ICMP, IGMP, SCTP, or supported tunneling protocols).
747 | IP session allowed | Stateful-ACL | Info | Forward | Reports on IP traffic that matched an ACL rule that is not supported explicitly in the ACL (that is, traffic that is not, for example, TCP, UDP, ICMP, IGMP, SCTP, or supported tunneling protocols).
748 | TCP Mid Flow packet | Stateful-ACL |  |  | Reports on traffic that matched an ACL rule.
749 | TCP Invalid reset | Stateful-ACL |  |  | Reports on traffic that matched an ACL rule.
750 | TCP handshake violation | Stateful-ACL |  |  | Reports on traffic that matched an ACL rule.
751 | ICMP Smurf packet | Stateful-ACL |  |  | Reports on traffic that matched an ACL rule.
752 | ICMP packet anomaly | Stateful-ACL |  |  | Reports on traffic that matched an ACL rule.
753 | GRE session dropped | Stateful-ACL |  |  | Reports on traffic that matched an ACL rule.
754 | GRE session allowed | Stateful-ACL |  |  | Reports on traffic that matched an ACL rule.
755 | SCTP session dropped | Stateful-ACL |  |  | Reports on traffic that matched an ACL rule.
756 | SCTP session allowed | Stateful-ACL |  |  | Reports on traffic that matched an ACL rule.
1,000 to 100,000 | DoS Shield signatures or intrusion-protection signatures | DoS |  |  | Range for signatures, from the Security Operations Center (SOC) Signature file. Odd ID numbers are DoS shield signatures. Even ID numbers are Intrusion signatures.
200,000 | HTTP | SynFlood |  |  | Pre-defined HTTP-SYN-flood attack protection.

Description
Pre-defined HTTPS-SYN-flood attack protection.
Pre-defined RTSP-SYN-flood attack protection.
Pre-defined FTP_CTRL-SYN-flood attack protection.
Pre-defined POP3-SYN-flood attack protection.
Pre-defined IMAP-SYN-flood attack protection.
Pre-defined SMTP-SYN-flood attack protection.
Pre-defined TELNET-SYN-flood attack protection.
Pre-defined RPC-SYN-flood attack protection.

ID range | Name | Description
300,000 to 449,999 | User-defined custom signatures | Range for user-defined protections. The device generates the ID number sequentially when the user creates the signature.
450,000 to 475,000 | User-defined Connection Limit protections | Range for user-defined Connection Limit protections. The device generates the ID number sequentially when the user creates the protection.
500,000 to 599,999 | User-defined SYN-flood protections | Range for user-defined SYN-flood protections. The device generates the ID number sequentially when the user creates the protection.
600,000 to 675,000 | User-defined Connection PPS Limit protections | Range for user-defined Connection PPS Limit protections. The device generates the ID number sequentially when the user creates the protection.
Protection column values listed for these ranges: DoS, SYNFlood, DoS.
DefensePro signatures can protect the following operating systems:
3COM
Cisco
Juniper
Linux
MAC OS
MS Windows
MS Windows Server
Unix
Appendix F Troubleshooting
If the device does not operate as expected, you can diagnose the system or provide Radware Technical Support with relevant information. For troubleshooting hardware-related issues, see the DefensePro Installation and Maintenance Guide.
This appendix contains the following sections:
Diagnostic Tools, page 359
Technical Support File, page 366
Diagnostic Tools
DefensePro supports the following diagnostic tools:
Traffic Capture
Trace-Log

Diagnostic tools are only available using CLI or Web Based Management. Diagnostic tools start working only after there is a diagnostic policy configured on the device (see Diagnostics Policies, page 364) and the relevant options are enabled.
Diagnostic tools stop in the following cases:
You stop the relevant task.
You reboot the device. That is, when the device reboots, the status of the Capture Tool reverts to Disabled.

This section contains the following topics:
Traffic Capture Tool, page 359
Trace-Log, page 361
Diagnostic Tools Files Management, page 363
Diagnostics Policies, page 364

Caution: Enabling this feature may cause severe performance degradation.
The Traffic Capture tool uses the following format for packet capture files:
Note: The Traffic Capture tool truncates packets longer than 1619 bytes (regardless of the configuration for jumbo frames).
Parameter | Description
Status | Specifies whether the Capture Tool is enabled. Values: Enabled, Disabled. Default: Disabled. Note: When the device reboots, the status of the Capture Tool reverts to Disabled.
Output To File | Specifies the location of the stored captured data. Values: RAM Drive and Flash (the device stores the data in RAM and appends the data to the file on the CompactFlash drive; due to limits on CompactFlash size, DefensePro uses two files: when the first file becomes full, the device switches to the second, until it is full, and then it overwrites the first file, and so on); RAM Drive (the device stores the data in RAM); None (the device does not store the data in RAM or flash, but you can view the data using a terminal).
Output To Terminal | Specifies whether the device sends captured data to the terminal. Values: Enabled, Disabled. Default: Disabled.
Capture Point | Specifies where the device captures the data. Values: On Packet Arrive (the device captures packets when they enter the device); On Packet Send (the device captures packets when they leave the device); Both (the device captures packets when they enter the device and when they leave the device).
Trace-Log
The Trace-Log tool provides data on the traffic flow within the device. The feature is intended for debugging purposes only.
Caution: Enabling this feature may cause severe performance degradation.
DefensePro uses the following format for Trace-Log files:
Parameter | Description
Status | Specifies whether the Trace-Log tool is enabled. Values: Enabled, Disabled. Default: Disabled.
Output To File | Specifies the location of the stored data. Values: RAM Drive and Flash (the device stores the data in RAM and appends the data to the file on the CompactFlash drive; due to limits on CompactFlash size, DefensePro uses two files: when the first file becomes full, the device switches to the second, until it is full, and then it overwrites the first file, and so on); RAM Drive (the device stores the data in RAM); None (the device does not store the data in RAM or flash, but you can view the data using a terminal).
Output To Terminal | Specifies whether the device sends Trace-Log data to the terminal. Values: Enabled, Disabled. Default: Disabled.
 | Specifies whether the device sends Trace-Log data to a syslog server. Values: Enabled, Disabled. Default: Disabled.
To configure the diagnostics Trace-Log message format using Web Based Management
1. Select Services > Diagnostics > Trace-Log > Message Format. The Diagnostics Trace-Log Message Format pane is displayed.
2. Configure the parameters; and then, click Set.

Parameter | Description
Date | Specifies whether the date that the message was generated is included in the Trace-Log message.
Time | Specifies whether the time that the message was generated is included in the Trace-Log message.
Platform Name | Specifies whether the platform MIB name is included in the Trace-Log message.
File Name | Specifies whether the output file name is included in the Trace-Log message.
Line Number | Specifies whether the line number in the source code is included in the Trace-Log message.
Packet Id | Specifies whether an ID assigned by the device to each packet is included in the Trace-Log message. This enables you to see the order of the packets.
Module Name | Specifies whether the name of the traced module is included in the Trace-Log message.
Task Name | Specifies whether the name of the specific task of the traced module is included in the Trace-Log message.
Trace-Log Modules
To help pinpoint the source of a problem, you can specify which DefensePro modules the Trace-Log feature works on and the log severity per module.
To configure the parameters of the Trace-Log modules using Web Based Management
1. Select Services > Diagnostics > Trace-Log > Modules. The Trace-Log Modules pane is displayed. The table in the pane comprises the following columns:
   Name: The name of the module. Values: ACL, CDE, GENERIC, VSDR
   Status: The current status of the traced module.
   Severity: The lowest severity of the events that the Trace-Log includes for this module. Values: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
2. Click the relevant link. The Trace-Log Modules Update pane is displayed.
3. Configure the parameters; and then, click Set.

Parameter | Description
Status | Specifies whether the Trace-Log feature is enabled for the module.
Severity | The lowest severity of the events that the Trace-Log includes for this module. Values: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
Parameter | Description
File Name | The name of the file.
File Size | The file size, in bytes.
Action | The action that you can take on the stored data. Values: download (starts the download process for the selected data; follow the on-screen instructions); delete (deletes the selected file).

2. From the Action column, select the action, Download or Delete, and follow the instructions.
Diagnostics Policies
In most cases, there is no need to capture all the traffic passing through the device. Using diagnostic policies, the device can classify the traffic and store only the required information.
Note: To reuse the policy, edit the policy and set it again.
Parameter
Name Index
Description
The user-defined name of the policy up to 20 characters. The number of the policy in the order in which the diagnostics tools classifies (that is, captures) the packets. Default: 1 The user-defined description of the policy. The VLAN Tag group whose packets the policy classifies (that is, captures).
364
Destination: The destination IP address or predefined class object whose packets the policy classifies (that is, captures). Default: any (the diagnostics tool classifies, that is, captures, packets with any destination address).
Source: The source IP address or predefined class object whose packets the policy classifies (that is, captures). Default: any (the diagnostics tool classifies, that is, captures, packets with any source address).
Outbound Port Group: The port group whose outbound packets the policy classifies (that is, captures). Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.
Inbound Port Group: The port group whose inbound packets the policy classifies (that is, captures).
Service Type: The service type whose packets the policy classifies (that is, captures). Values: None, Basic Filter, AND Group, OR Group. Default: None
Service: The service whose packets the policy classifies (that is, captures).
Destination MAC Group: The Destination MAC group whose packets the policy classifies (that is, captures).
Source MAC Group: The Source MAC group whose packets the policy classifies (that is, captures).
Maximal Number of Packets: The maximal number of packets the policy captures. Once the policy captures the specified number of packets, it stops capturing traffic. In some cases, the policy captures fewer packets than the configured value; this happens when the device is configured to drop packets.
Maximal Packet Length: The maximal length of a packet the policy captures.
Capture Status: Specifies whether the packet-capture feature is enabled in the policy. Values: Enabled, Disabled. Default: Disabled
Trace-Log Status: Specifies whether the Trace-Log feature is enabled in the policy. Values: Enabled, Disabled. Default: Disabled. Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.
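The parameter table above describes how a diagnostics policy classifies traffic and bounds what it stores. The following added example (not code from the guide or from DefensePro) models that behaviour in Python so the semantics can be checked offline: policies are consulted in Index order, the first matching policy captures the packet, the stored copy is cut to Maximal Packet Length, and capture stops once Maximal Number of Packets is reached. The packet record, the class names and the sample traffic are all constructed for the example; "any" and CIDR strings stand in for the guide's predefined class objects.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Hypothetical packet record (constructed; the guide defines no such structure).
# keys: "src", "dst" (IP strings), "in_port" (port name), "payload" (bytes)
Packet = Dict[str, object]


@dataclass
class DiagnosticsPolicy:
    """One diagnostics policy, following the parameter table in the guide."""
    name: str
    index: int = 1
    destination: str = "any"      # IP address, CIDR "class object", or "any"
    source: str = "any"
    inbound_port_group: List[str] = field(default_factory=list)  # empty = any port
    max_packets: int = 100        # Maximal Number of Packets
    max_packet_length: int = 128  # Maximal Packet Length (bytes kept per packet)
    capture_status: bool = False  # Capture Status; Default: Disabled
    captured: List[bytes] = field(default_factory=list)

    @staticmethod
    def _addr_matches(rule: str, addr: str) -> bool:
        if rule == "any":
            return True
        return ipaddress.ip_address(addr) in ipaddress.ip_network(rule, strict=False)

    def classifies(self, pkt: Packet) -> bool:
        """True when the packet falls inside this policy's classification."""
        if not self._addr_matches(self.destination, str(pkt["dst"])):
            return False
        if not self._addr_matches(self.source, str(pkt["src"])):
            return False
        if self.inbound_port_group and pkt["in_port"] not in self.inbound_port_group:
            return False
        return True

    def capture(self, pkt: Packet) -> bool:
        """Store a truncated copy; refuse once the packet budget is spent or capture is off."""
        if not self.capture_status or len(self.captured) >= self.max_packets:
            return False
        self.captured.append(bytes(pkt["payload"])[: self.max_packet_length])
        return True


def run_policies(policies: List[DiagnosticsPolicy], pkts: List[Packet]) -> Dict[str, int]:
    """Offer each packet to the policies in Index order; the first match owns the packet."""
    ordered = sorted(policies, key=lambda p: p.index)
    for pkt in pkts:
        for policy in ordered:
            if policy.classifies(pkt):
                policy.capture(pkt)
                break
    return {p.name: len(p.captured) for p in policies}


def demo() -> Dict[str, object]:
    # Constructed traffic: five 500-byte packets to a protected server, two packets elsewhere.
    pkts: List[Packet] = [
        {"src": f"203.0.113.{i}", "dst": "10.0.0.10", "in_port": "1", "payload": b"A" * 500}
        for i in range(1, 6)
    ]
    pkts += [{"src": "203.0.113.9", "dst": "10.0.0.99", "in_port": "1", "payload": b"B" * 40}] * 2
    to_server = DiagnosticsPolicy("to-server", index=1, destination="10.0.0.10",
                                  max_packets=3, max_packet_length=128, capture_status=True)
    catch_all = DiagnosticsPolicy("catch-all", index=2, capture_status=False)
    counts = run_policies([to_server, catch_all], pkts)
    return {"counts": counts, "first_len": len(to_server.captured[0])}
```

Running `demo()` shows the budget and truncation at work: of the five matching packets only three are kept, each cut to 128 bytes, and the catch-all policy stores nothing because its Capture Status is still the default, Disabled.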
dp_support.txt: Contains the data that Radware Technical Support typically needs to diagnose a problem with a DefensePro device. The data comprises the collected output from various CLI commands.
auditLog.log: Contains a record of each configuration change to the device (by any management interface). A device begins storing these records when the device receives its first command. The records are sorted by date in ascending order. When the size of the data exceeds the maximum allowed size (2 MB), the oldest record is overwritten. The data is never cleared unless you erase the device configuration. The structure of each record in the auditLog.log file is as follows:
HTTPFLD.tar: Contains data on HTTP floods.
NTFLD.tar: Contains data on network floods.
To generate and display the output of the technical-support file on the terminal using CLI
Enter the following command:
manage support tftp put <file name> <TFTP server IP address> [-v]
where:
To generate and download the technical-support file using Web Based Management
1. Select File > Support. The Download Tech Support Info File pane is displayed.
2. Click Set. A File Download dialog box opens.
3. Click Open or Save and specify the required information.
Appendix G Glossary
This glossary is a list of specialized terms and their definitions as used in the Radware technical environment. Some of the words belong to the public domain, and some are Radware-specific, but all are used in the Radware documentation, whether hardcopy or online.
Anomaly: An anomaly is unusual or unexpected behavior of traffic patterns or a protocol.
Attack: An Attack, with an upper-case letter A, is a realization of a threat, a malicious action taken against a network, host or service.
Attack List: An Attack List is a database of known attackers as defined in the Signatures Database.
Attack Signature Database: Radware's Attack signature database contains signatures of known attacks. These signatures are included in the predefined groups and profiles supplied by Radware to create protection policies in the Connect and Protect Table. Each attack group consists of attack signatures with common characteristics intended to protect a specific application or range of IPs.
Behavioral DoS: Behavioral DoS (Behavioral Denial of Service) protection defends networks from zero-day network-flood attacks that jam available network bandwidth with spurious traffic, denying use of network resources to legitimate users. BDoS profiles do this by identifying the footprint of the anomalous traffic. Network-flood protection types include:
  SYN Flood
  TCP Flood, including TCP Fin + Ack Flood, TCP Reset Flood, TCP Syn + Ack Flood, TCP Fragmentation Flood
  UDP Flood
  ICMP Flood
  IGMP Flood
Black List: A Black List defines the IP addresses that are always blocked without inspection. Black lists are used as exceptions for security policies/rules, blocking all traffic generated by IP addresses in the Black List.
DDoS: Distributed Denial of Service attack on a DNS server. A typical attack involves numerous compromised zombie systems (botnets) sending spoofed domain-name requests to DNS servers, which process the legitimate request and send replies to the spoofed victims. When the DNS server is configured to provide recursion, the DNS server, if the requested domain name isn't available locally, will query the root name servers for the IP address. The traffic then traverses the Internet backbone, affecting the Internet Service Provider and any upstream provider, to reach the intended target. Radware's adaptive behavior-based DoS Protection learns the characteristics of DNS traffic and establishes normal traffic behavior baselines. An embedded decision engine, based on fuzzy logic, constantly analyzes DNS traffic and detects when deviations from the normal baselines occur. Upon detection, the system performs an in-depth analysis of the suspicious DNS packets in order to identify abnormal appearances of parameters in the packet headers and payload.
Inspection of the packet's payload as opposed to only its header. This enables the security device to perform inspection at the application level.
Denial of Service: Denial of Service is an attack intended to consume system resources and create a temporary loss of service.
Exploit: An exploit is a program or technique that takes advantage of a software vulnerability. The program can be used for breaking security, or otherwise attacking a host over the network.
Heuristic analysis: Heuristic analysis is behavior-based analysis, targeted to provide a filter blocking abnormal phenomena. Heuristic analysis is also the ability of a virus scanner to identify a potential virus by analyzing the behavior of the program, rather than looking for a known virus signature.
Intrusion: An intrusion is an attempted or successful access to system resources in any unauthorized manner.
Intrusion Detection System (IDS): Radware's Intrusion Detection System (IDS) applies the latest security or attack expertise to filter out potentially destructive or malicious events from a much larger amount of legitimate activity. There are two system-monitoring approaches:
  NIDS (network-based IDS) monitors all network traffic passing on the segment where the agent is installed, acting upon suspicious anomalies or signature-based activity.
  HIDS (host-based IDS) is confined to the local host and monitors activity in detail, such as command execution, file access, or system calls.
Organizations generally choose a combination of these approaches, based on known vulnerabilities.
Intrusion Prevention: Intrusion prevention is a security service that scans, detects and prevents real-time attempts to compromise system security.
IP interface: An IP interface in DefensePro is comprised of two components: an IP address and an associated interface. The associated interface can be a physical interface or a virtual interface (VLAN). IP routing is performed between DefensePro IP interfaces, while bridging is performed within an IP interface that contains an IP address associated with a VLAN.
DefensePro is designed to intercept HTTP requests and to redirect them to a content inspection server farm. The first assumption in designing a DefensePro network is that the DefensePro device resides on the path between the clients and both the Internet and the content inspection servers. This is required since DefensePro needs to intercept the clients' requests going to the Internet and to manipulate the packets returning from the content inspection servers to the clients. Except when using local triangulation or transparent proxy, all traffic must physically travel through the DefensePro device. This includes traffic from the users to the Internet and from the content inspection server farm back to the users. If there are users statically configured to use a content inspection server, they should be configured to the DefensePro virtual address. This address is the access IP address for the content inspection servers. This address is used only for statically configured users.
Next-Hop Router (NHR): A Next-Hop Router (NHR) is a network element with an IP address through which traffic is routed.
Server Cracking Protection: Radware's Server Cracking Protection is a behavioral server-based technology that detects and prevents both known and unknown application scans and brute-force attacks. This behavioral protection is part of Radware's DefensePro Full Spectrum Protection Technology. The technology includes:
  An adaptive behavioral network-based protection that mitigates network DoS and DDoS attacks
  Adaptive behavioral user-based protections that mitigate network pre-attack probes and zero-day worm propagation activities
  Stateful signature-based protections against exploitation attempts of known application vulnerabilities
See also Server Cracking Protection Profiles.
Server Cracking Protection Profile: A Server Cracking Protection profile provides application-level protection that identifies excessive frequencies of error responses from various applications. The profile initiates blocking of hacking sources, while allowing legitimate traffic to pass through. Application scanning and authentication brute-force attempts are usually precursors to more serious exploitation attempts. An attacker tries to gain access to a restricted section, or to find a known vulnerability, by sending a list of legitimate-looking requests and analyzing the responses. Both cracks and scanning attempts are characterized by a higher than usual rate of error responses from the application to a few specific users.
Server Protection Profile: Server Protection Profiles are designed to defend against network and application attacks targeting network servers or services, such as:
  SYN Flood protection using SYN Cookies
  Connection limit
  Server Cracking
  HTTP Page floods
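The Server Cracking Protection Profile entry describes the signal the protection keys on: a few sources drawing a much higher rate of error responses than everyone else. The following added example (not code from the guide or from DefensePro) shows the shape of such a detector in Python: error responses are counted per client over a sliding time window, and a client is flagged only when its count is both above an absolute floor and several times the median of its peers, so a single noisy client cannot inflate the baseline. The log format, thresholds and client addresses are constructed for the example.

```python
from collections import defaultdict, deque
from statistics import median
from typing import Deque, Dict, List, Tuple


def constructed_log() -> List[str]:
    """Constructed access-log lines '<epoch> <client_ip> <status>' (not from the guide):
    three ordinary clients with one 404 each, and one source repeatedly failing a login."""
    lines = []
    for i, ip in enumerate(["10.0.0.5", "10.0.0.6", "10.0.0.7"]):
        base = 1000 + 3 * i
        lines += [f"{base} {ip} 200", f"{base + 1} {ip} 200", f"{base + 2} {ip} 404"]
    lines += [f"{1010 + i} 192.0.2.7 401" for i in range(12)]
    return lines


def parse_line(line: str) -> Tuple[int, str, int]:
    ts, ip, status = line.split()
    return int(ts), ip, int(status)


class ErrorResponseMonitor:
    """Counts error responses (status >= 400) per client over a sliding window and flags
    clients whose count is high in absolute terms and far above the median of the others."""

    def __init__(self, window_seconds: int = 60, min_errors: int = 10, ratio: float = 5.0):
        self.window = window_seconds
        self.min_errors = min_errors   # absolute floor before a client can be flagged
        self.ratio = ratio             # how many times the peer median counts as excessive
        self.errors: Dict[str, Deque[int]] = defaultdict(deque)

    def observe(self, ts: int, ip: str, status: int) -> None:
        if status >= 400:
            self.errors[ip].append(ts)
        self._expire(ts)

    def _expire(self, now: int) -> None:
        # Drop error timestamps that have aged out of the window.
        for q in self.errors.values():
            while q and q[0] <= now - self.window:
                q.popleft()

    def suspicious(self) -> List[str]:
        counts = {ip: len(q) for ip, q in self.errors.items() if q}
        flagged = []
        for ip, count in counts.items():
            # Baseline excludes the candidate itself so a lone heavy hitter cannot hide.
            others = [c for other, c in counts.items() if other != ip]
            baseline = median(others) if others else 0
            if count >= self.min_errors and count >= self.ratio * max(baseline, 1):
                flagged.append(ip)
        return sorted(flagged)


def run_sample() -> Tuple[List[str], List[str]]:
    """Feed the constructed log, then let the window age out; returns the flagged lists."""
    monitor = ErrorResponseMonitor(window_seconds=60, min_errors=10, ratio=5.0)
    for line in constructed_log():
        monitor.observe(*parse_line(line))
    during = monitor.suspicious()
    monitor.observe(1100, "10.0.0.5", 200)  # an ordinary request 90 s later ages everything out
    return during, monitor.suspicious()
```

`run_sample()` flags only 192.0.2.7 while its burst is inside the window and flags nothing once the window has moved on, which is the property a blocking action should be tied to: the source is blocked for as long as its behaviour stays anomalous, and legitimate traffic from other clients is never touched.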
Server, Reporting: A reporting server is the component responsible for running the required services to display reports to the end user. It may contain a Web server and provide services for both Eclipse and Web interfaces.
A feature that provides protection against a set of attacks.
Signature: A Signature is a pattern-based analysis, used to search for packets generated by known attack tools.
Spoof: A spoof is when one system entity poses as or assumes the identity of another entity.
SYN cookies: SYN cookies are particular choices of initial TCP sequence numbers by TCP servers. The difference between the server's initial sequence number and the client's initial sequence number is:
  Top 5 bits: t mod 32, where t is a 32-bit time counter that increases every 64 seconds.
  Next 3 bits: an encoding of an MSS selected by the server in response to the client's MSS.
  Bottom 24 bits: a server-selected secret function of the client IP address and port number, the server IP address and port number, and t.
This choice of sequence number complies with the basic TCP requirement that sequence numbers increase slowly; the server's initial sequence number increases slightly faster than the client's initial sequence number. A server that uses SYN cookies does not have to drop connections when its SYN queue fills up. Instead it sends back a SYN+ACK, exactly as if the SYN queue had been larger. (Exceptions: the server must reject TCP options such as large windows, and it must use one of the eight MSS values that it can encode.) When the server receives an ACK, it checks that the secret function works for a recent value of t, and then rebuilds the SYN queue entry from the encoded MSS. A SYN flood is simply a series of SYN packets from forged IP addresses. The IP addresses are chosen randomly and don't provide any hint of where the attacker is. The SYN flood keeps the server's SYN queue full. Normally this would force the server to drop connections. A server that uses SYN cookies, however, will continue operating normally. The biggest effect of the SYN flood is to disable large windows.
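The SYN cookies entry gives the exact bit layout of the cookie (5 bits of the time counter, 3 bits of MSS encoding, 24 bits of a keyed secret) and the validation rule (the secret must verify for a recent t). The following added example (not code from the guide or from DefensePro) carries that layout through in Python, building the server's initial sequence number from a client SYN and then validating the final ACK without any per-connection state. The HMAC-SHA256 secret function, the specific table of eight MSS values, the server secret and the one-period tolerance for stale cookies are assumptions of the example; the glossary fixes only the field widths, the 64-second counter and the requirement that exactly eight MSS values be encodable.

```python
import hashlib
import hmac
from typing import Optional

# Constructed server secret; a real server generates this at start-up and never exposes it.
SERVER_SECRET = b"constructed-example-secret"

# The eight MSS values the 3-bit field can encode. The glossary says there are eight;
# this particular table is an assumption for the example.
MSS_TABLE = [216, 536, 1024, 1220, 1400, 1440, 1452, 1460]

COUNTER_PERIOD = 64  # the time counter t advances every 64 seconds


def encode_mss(client_mss: int) -> int:
    """3-bit index of the largest table MSS that does not exceed the client's MSS."""
    index = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            index = i
    return index


def secret_function(client_ip: str, client_port: int,
                    server_ip: str, server_port: int, t: int) -> int:
    """24-bit server-selected secret function of the 4-tuple and t (HMAC-SHA256 by assumption)."""
    msg = f"{client_ip}:{client_port}>{server_ip}:{server_port}@{t}".encode()
    digest = hmac.new(SERVER_SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:3], "big")


def syn_cookie_isn(client_isn: int, client_mss: int, client_ip: str, client_port: int,
                   server_ip: str, server_port: int, now: int) -> int:
    """Server ISN for the SYN+ACK: client ISN + cookie, where the cookie is
    (t mod 32) << 27 | mss_index << 24 | 24-bit secret, so no SYN-queue entry is needed."""
    t = now // COUNTER_PERIOD
    cookie = ((t % 32) << 27) | (encode_mss(client_mss) << 24) \
        | secret_function(client_ip, client_port, server_ip, server_port, t)
    return (client_isn + cookie) & 0xFFFFFFFF


def check_syn_cookie(server_isn: int, client_isn: int, client_ip: str, client_port: int,
                     server_ip: str, server_port: int, now: int,
                     max_age: int = 1) -> Optional[int]:
    """Validate the final ACK (server_isn = ack number - 1, client_isn = seq number - 1).
    Returns the MSS to rebuild the queue entry with, or None if the cookie is bad or stale."""
    diff = (server_isn - client_isn) & 0xFFFFFFFF
    top5, mss_index, low24 = diff >> 27, (diff >> 24) & 0x7, diff & 0xFFFFFF
    t_now = now // COUNTER_PERIOD
    # Accept the current counter value and up to max_age earlier ones ("a recent value of t").
    for age in range(max_age + 1):
        t = t_now - age
        if t % 32 == top5 and \
                secret_function(client_ip, client_port, server_ip, server_port, t) == low24:
            return MSS_TABLE[mss_index]
    return None
```

Because the server keeps nothing between the SYN+ACK and the ACK, a flood of SYNs from forged addresses costs it only the work of computing one HMAC per packet; the ACKs that never arrive leave no state behind. The check also shows the two ways a cookie fails: a forged or replayed ACK from another address changes the 4-tuple and so the 24-bit secret, and an ACK older than the accepted counter window fails the top-5-bit match.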
SYN flood: A SYN attack/flood is a type of DoS (Denial of Service) attack. SYN flood attacks are performed by sending a SYN packet without completing the TCP three-way handshake, referred to as a single-packet attack. Alternatively, the TCP three-way handshake can be completed, but no data packets are sent afterwards. Such attacks are known as connection flood attacks. A SYN packet notifies a server of a new connection. The server then allocates some memory in order to handle the incoming connection, sends back an acknowledgement, then waits for the client to complete the connection and start sending data. By spoofing large numbers of SYN requests, an attacker can fill up memory on the server, which waits for more data that never arrives. Once memory has filled up, the server is unable to accept connections from legitimate clients. This effectively disables the server. Key point: SYN floods exploit a flaw in the core of the TCP/IP technology itself. There is no complete defense against this attack. There are, however, partial defenses. Servers can be configured to reserve more memory and decrease the amount of time they wait for connections to complete. Likewise, routers and firewalls can filter out some of the spoofed SYN packets. Finally, there are techniques (such as SYN cookies) that can play tricks with the protocol in order to help distinguish good SYNs from bad ones.
SYN-ACK Reflection Attack Prevention: SYN-ACK Reflection Attack Prevention is intended to prevent reflection of SYN attacks and reduce the SYN-ACK packet storms that are created as a response to DoS attacks. When a device is under SYN attack, it sends a SYN-ACK packet with an embedded Cookie, in order to prompt the client to continue the session.
Threat: A threat, in Internet security terms, is a person, thing, event, or idea that poses a danger to an asset. A fundamental threat can be any of the following: information leakage, Denial of Service, integrity violation, and illegitimate use.
Trojan Horse: A Trojan horse (also known as a trojan) is a computer program that appears benign, but is actually designed to harm or compromise the system. It is usually designed to provide unrestricted access into internal systems, bypassing security monitoring and auditing policies.
Virus: A virus is malicious program code written with the intention to damage computer systems and to replicate itself to extend the possible damage.
Worm: A worm is a type of computer virus that uses the Internet or local networks to spread itself by sending copies of itself to other hosts.
Zero Day attack: A Zero Day attack (0day) is an attack on a vulnerability no one knows about except those who discovered it. A zero day exploit is an attack against a non-public, unknown vulnerability. Since there are no known signatures, it penetrates any signature-based security defenses. If the exploit passes through a common port, and there are no other defenses, such as behavioral-based or impact-based techniques, it is hard or impossible to stop.
DefensePro User Guide Radware Ltd. End User License Agreement
nonexclusive, nontransferable license to copy and modify the Code Samples and create derivative works based thereon solely for the SDK Purpose and solely on computers within your organization. The SDK shall be considered part of the term Software for all purposes of this License Agreement. You agree that you will not assign, sublicense, transfer, pledge, lease, rent or share your rights under this License Agreement nor will you distribute copies of the Software or any parts thereof. Rights not specifically granted herein, are specifically prohibited.
2. Evaluation Use. Notwithstanding anything to the contrary in this License Agreement, if the Software is provided to you for evaluation purposes, as indicated in your purchase order or sales receipt, on the website from which you download the Software, as inferred from any time-limited evaluation license keys that you are provided with to activate the Software, or otherwise, then You may use the Software only for internal evaluation purposes (Evaluation Use) for a maximum of 30 days or such other duration as may be specified by Radware in writing at its sole discretion (the Evaluation Period). The evaluation copy of the Software contains a feature that will automatically disable it after expiration of the Evaluation Period. You agree not to disable, destroy, or remove this feature of the Software, and any attempt to do so will be a material breach of this License Agreement. During or at the end of the evaluation period, you may contact Radware sales team to purchase a Commercial License to continue using the Software pursuant to the terms of this License Agreement. If you elect not to purchase a Commercial License, you agree to stop using the Software and to delete the evaluation copy received hereunder from all computers under your possession or control at the end of the Evaluation Period. In any event, your continued use of the Software beyond the Evaluation Period (if possible) shall be deemed your acceptance of a Commercial License to the Software pursuant to the terms of this License Agreement, and you agree to pay Radware any amounts due for any applicable license fees at Radware's then-current list prices.
3. Subscription Software. If you licensed the Software on a subscription basis, your rights to use the Software are limited to the subscription period. You have the option to extend your subscription. If you extend your subscription, you may continue using the Software until the end of your extended subscription period. If you do not extend your subscription, after the expiration of your subscription, you are legally obligated to discontinue your use of the Software and completely remove the Software from your system.
4. Feedback. Any feedback concerning the Software including, without limitation, identifying potential errors and improvements, recommended changes or suggestions (Feedback), provided by you to Radware will be owned exclusively by Radware and considered Radware's confidential information. By providing Feedback to Radware, you hereby assign to Radware all of your right, title and interest in any such Feedback, including all intellectual property rights therein. With regard to any rights in such Feedback that cannot, under applicable law, be assigned to Radware, you hereby irrevocably waive such rights in favor of Radware and grant Radware under such rights in the Feedback, a worldwide, perpetual, royalty-free, irrevocable, sublicensable and non-exclusive license, to use, reproduce, disclose, sublicense, modify, make, have made, distribute, sell, offer for sale, display, perform, create derivative works of and otherwise exploit the Feedback without restriction. The provisions of this Section 4 will survive the termination or expiration of this Agreement.
5. Limitations on Use. You agree that you will not: (a) copy, modify, translate, adapt or create any derivative works based on the Software; or (b) sublicense or transfer the Software, or include the Software or any portion thereof in any product; or (b) reverse assemble, decompile, reverse engineer or otherwise attempt to derive source code (or the underlying ideas, algorithms, structure or organization) from the Software; or (c) remove any copyright notices, identification or any other proprietary notices from the Software (including any notices of Third Party Software (as defined below)); or (d) copy the Software onto any public or distributed network or use the Software to operate in or as a time-sharing, outsourcing, service bureau, application service provider, or managed service provider environment. Notwithstanding Section 5(d), if you provide hosting or cloud computing services to your customers, you are entitled to use and include the Software in your IT infrastructure on which you provide your services. It is hereby clarified that the prohibitions on modifying, or creating derivative works based on, any Software provided by Radware, apply whether the Software is provided in a machine or in a human readable form. Human readable Software to which this prohibition applies includes (without limitation) Radware AppShape++ Script Files that contain Special License Terms. It is acknowledged that examples provided in a human readable form may be modified by a user.
6. Intellectual Property Rights. You acknowledge and agree that this License Agreement does not convey to you any interest in the Software except for the limited right to use the Software, and that all right, title, and interest in and to the Software, including any and all associated intellectual property rights, are and shall remain with Radware or its third party licensors. You further acknowledge and agree that the Software is a proprietary product of Radware and/or its licensors and is protected under applicable copyright law. 7. No Warranty. The Software, and any and all accompanying software, files, libraries, data and materials, are distributed and provided AS IS by Radware or by its third party licensors (as applicable) and with no warranty of any kind, whether express or implied, including, without limitation, any non-infringement warranty or warranty of merchantability or fitness for a particular purpose. Neither Radware nor any of its affiliates or licensors warrants, guarantees, or makes any representation regarding the title in the Software, the use of, or the results of the use of the Software. Neither Radware nor any of its affiliates or licensors warrants that the operation of the Software will be uninterrupted or error-free, or that the use of any passwords, license keys and/or encryption features will be effective in preventing the unintentional disclosure of information contained in any file. You acknowledge that good data processing procedure dictates that any program, including the Software, must be thoroughly tested with non-critical data before there is any reliance on it, and you hereby assume the entire risk of all use of the copies of the Software covered by this License.
Radware does not make any representation or warranty, nor does Radware assume any responsibility or liability or provide any license or technical maintenance and support for any operating systems, databases, migration tools or any other software component provided by a third party supplier and with which the Software is meant to interoperate. This disclaimer of warranty constitutes an essential and material part of this License. In the event that, notwithstanding the disclaimer of warranty above, Radware is held liable under any warranty provision, Radware shall be released from all such obligations in the event that the Software shall have been subject to misuse, neglect, accident or improper installation, or if repairs or modifications were made by persons other than by Radware's authorized service personnel. 8. Limitation of Liability. Except to the extent expressly prohibited by applicable statutes, in no event shall Radware, or its principals, shareholders, officers, employees, affiliates, licensors, contractors, subsidiaries, or parent organizations (together, the Radware Parties), be liable for any direct, indirect, incidental, consequential, special, or punitive damages whatsoever relating to the use of, or the inability to use, the Software, or to your relationship with, Radware or any of the Radware Parties (including, without limitation, loss or disclosure of data or information, and/or loss of profit, revenue, business opportunity or business advantage, and/or business interruption), whether based upon a claim or action of contract, warranty, negligence, strict liability, contribution, indemnity, or any other legal theory or cause of action, even if advised of the possibility of such damages. 
If any Radware Party is found to be liable to You or to any third party under any applicable law despite the explicit disclaimers and limitations under these terms, then any liability of such Radware Party, will be limited exclusively to refund of any license or registration or subscription fees paid by you to Radware. 9. Third Party Software. The Software includes software portions developed and owned by third parties (the Third Party Software). Third Party Software shall be deemed part of the Software for all intents and purposes of this License Agreement; provided, however, that in the event that a Third Party Software is a software for which the source code is made available under an open source software license agreement, then, to the extent there is any discrepancy or inconsistency between the terms of this License Agreement and the terms of any such open source license agreement (including, for example, license rights in the open source license agreement that are broader than the license rights set forth in Section 1 above and/or no limitation in the open source license agreement on the actions set forth in Section 5 above), the terms of any such open source license agreement will govern and prevail. The terms of open source license agreements and copyright notices under which Third Party Software is being licensed to Radware or a link thereto, are included with the Software documentation or in the header or readme files of the Software. Third Party licensors and suppliers retain all right, title and interest in and to the Third Party Software and all copies thereof, including all copyright and other
intellectual property associated therewith. In addition to the use limitations applicable to Third Party Software pursuant to Section 5 above, you agree and undertake not to use the Third Party Software as a general SQL server, as a stand-alone application or with applications other than the Software under this License Agreement. 10. Term and Termination. This License Agreement is effective upon the first to occur of your opening the package of the Product, purchasing, downloading, installing, copying or using the Software or any portion thereof, and shall continue until terminated. However, sections 4-13 shall survive any termination of this License Agreement. The License under this License Agreement is not transferable and will terminate upon transfer of the Software. If the Software is licensed on subscription basis, this Agreement will automatically terminate upon the termination of your subscription period if it is not extended. 11. Export. The Software or any part thereof may be subject to export or import controls under the laws and regulations of the United States and/or Israel. You agree to comply with such laws and regulations, and, agree not to knowingly export, re-export, import or re-import, or transfer products without first obtaining all required Government authorizations or licenses therefor. 12. Governing Law. This License Agreement shall be construed and governed in accordance with the laws of the State of Israel. 13. Miscellaneous. If a judicial determination is made that any of the provisions contained in this License Agreement is unreasonable, illegal or otherwise unenforceable, such provision or provisions shall be rendered void or invalid only to the extent that such judicial determination finds such provisions to be unreasonable, illegal or otherwise unenforceable, and the remainder of this License Agreement shall remain operative and in full force and effect.
In any event a party breaches or threatens to commit a breach of this License Agreement, the other party will, in addition to any other remedies available to, be entitled to injunction relief. This License Agreement constitutes the entire agreement between the parties hereto and supersedes all prior agreements between the parties hereto with respect to the subject matter hereof. The failure of any party hereto to require the performance of any provisions of this License Agreement shall in no manner affect the right to enforce the same. No waiver by any party hereto of any provisions or of any breach of any provisions of this License Agreement shall be deemed or construed either as a further or continuing waiver of any such provisions or breach waiver or as a waiver of any other provision or breach of any other provision of this License Agreement. IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE YOU MUST REMOVE THE SOFTWARE FROM ANY DEVICE OWNED BY YOU AND IMMEDIATELY CEASE USING THE SOFTWARE. COPYRIGHT 2013, Radware Ltd. All Rights Reserved.