
DefensePro User Guide

Software Version 7.20


Document ID: RDWR-DP-V072000_UG1307
July, 2013


Important Notices
The following important notices are presented in English, French, and German.

Important Notices
This guide is delivered subject to the following conditions and restrictions: The AppShape++ Script Files provided by Radware Ltd. are subject to the Special License Terms included in each of the electronic AppShape++ Script Files and are also subject to Radware's End User License Agreement, a copy of which (as may be amended from time to time) can be found at the end of this document or at http://www.radware.com/Resources/eula.html. Please note that if you create your own scripts using any AppShape++ Scripts provided by Radware, such self-created scripts are not controlled by Radware and therefore Radware will not be liable for any malfunctions resulting from such self-created scripts. Copyright Radware Ltd. 2013. All rights reserved. The copyright and all other intellectual property rights and trade secrets included in this guide are owned by Radware Ltd. The guide is provided to Radware customers for the sole purpose of obtaining information with respect to the installation and use of the Radware products described in this document, and may not be used for any other purpose. The information contained in this guide is proprietary to Radware and must be kept in strict confidence. It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without the prior written consent of Radware.

Important Notice (translated from French)
This guide is delivered subject to the following conditions and restrictions: The AppShape++ Script Files provided by Radware Ltd. are subject to the Special License Terms included in each electronic AppShape++ Script File and also to Radware's End User License Agreement, which may be amended from time to time and a copy of which is available at the end of this document or at the following address: http://www.radware.com/Resources/eula.html. Please note that if you create your own command files (script files) using the AppShape++ Script Files provided by Radware, these script files are not controlled by Radware and Radware can in no case be held liable for malfunctions resulting from script files created in this way. Copyright Radware Ltd. 2013. All rights reserved. The copyright and all other intellectual property rights and trade secrets contained in this guide are the property of Radware Ltd. This information guide is provided to our customers for the installation and use of the Radware products described in this document and may not be used for any purpose other than that for which it was designed. The information contained in this document remains the property of Radware and must be kept confidential. It is strictly forbidden to copy, reproduce or disclose information contained in this manual without obtaining the prior written consent of Radware.


Important Notice (translated from German)
This manual is delivered subject to the following conditions and restrictions: The AppShape++ script files provided by Radware Ltd are subject to the special license terms contained in each electronic AppShape++ script file as well as to Radware's End User License Agreement (a copy of which, in its current version, is available at the end of this document or at http://www.radware.com/Resources/eula.html). Please note that if you create your own scripts with the help of an AppShape++ script provided by Radware, these self-created scripts are not controlled by Radware, and Radware therefore accepts no liability for malfunctions caused by these self-created scripts. Copyright Radware Ltd. 2013. All rights reserved. The copyright and all other proprietary rights and trade secrets contained in this manual are the property of Radware Ltd. This manual is provided to Radware customers for the sole purpose of providing information on the installation and use of the Radware products described in this document. It may not be used for any other purpose. The information contained in this manual is the property of Radware and must be treated as strictly confidential. It is strictly forbidden to copy, duplicate, reproduce or disclose this manual or parts of it without the prior written consent of Radware.

Copyright Notices
The following copyright notices are presented in English, French, and German.

Copyright Notices
The programs included in this product are subject to a restricted use license and can only be used in conjunction with this application.

This product contains code developed by the OpenSSL Project. This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/). Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.

This product contains the Rijndael cipher. The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed with the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
This code is hereby placed in the public domain.

The OnDemand Switch may use software components licensed under the GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware upon request. A copy of the license can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html

This product contains code developed by the OpenBSD Project. Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.

This product includes software developed by Markus Friedl
This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

This product contains work derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm. RSA Data Security, Inc. makes no representations concerning either the merchantability of the MD5 Message-Digest Algorithm or the suitability of the MD5 Message-Digest Algorithm for any particular purpose. It is provided "as is" without express or implied warranty of any kind.

Copyright Notice (translated from French)

The programs included in this product are subject to a limited use license and may only be used in conjunction with this application. This product contains code developed as part of the OpenSSL Project. This product includes software developed as part of the OpenSSL Project. For use in the OpenSSL Toolkit (http://www.openssl.org/). Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. This product includes the Rijndael cipher. The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public domain and distributed under the terms of the following license: @version 3.0 (December 2000) ANSI C code for Rijndael (now AES) @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be> @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be> @author Paulo Barreto <paulo.barreto@terra.com.br>. The OnDemand Switch may use software components licensed under the terms of the GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware upon request. A copy of the license is available at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html This code is also placed in the public domain. This product contains code developed as part of the OpenSSL Project. Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary form, with or without modification, are permitted provided that the following conditions are met:
1. Redistribution of source code must include the copyright notice mentioned above, this list of conditions and the following disclaimer.
2. Redistribution in binary form must reproduce, in the documentation and/or any other material provided, the copyright notice mentioned above, this list of conditions and the following disclaimer.
3. Neither the name of the university nor the names of the contributors may be used to endorse or promote a product derived from this program without prior written authorization.

This product includes software developed by Markus Friedl. This product includes software developed by Theo de Raadt. This product includes software developed by Niels Provos. This product includes software developed by Dug Song. This product includes software developed by Aaron Campbell. This product includes software developed by Damien Miller. This product includes software developed by Kevin Steves. This product includes software developed by Daniel Kouril. This product includes software developed by Wesley Griffin. This product includes software developed by Per Allansson. This product includes software developed by Nils Nordman. This product includes software developed by Simon Wilkinson. Redistribution and use in source and binary form, with or without modification, are permitted provided that the following conditions are met:
1. Redistribution of source code must include the copyright notice mentioned above, this list of conditions and the following disclaimer.
2. Redistribution in binary form must reproduce, in the documentation and/or any other material provided, the copyright notice mentioned above, this list of conditions and the following disclaimer.

THE SOFTWARE MENTIONED ABOVE IS PROVIDED "AS IS" BY THE DEVELOPER AND ANY WARRANTY, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, IS EXCLUDED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR PROFITS; OR BUSINESS INTERRUPTION), HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE), ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Copyright Notices (translated from German)
The programs contained in this product are subject to a restricted use license and may only be used in conjunction with this application. This product contains code developed by the OpenSSL Project. This product contains software developed by the OpenSSL Project. For use in the OpenSSL Toolkit. (http://www.openssl.org/). Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. This product contains the Rijndael cipher. The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is publicly available and is distributed under the following license: @version 3.0 (December 2000) Optimized ANSI C code for the Rijndael cipher (now AES) @author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be> @author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be> @author Paulo Barreto <paulo.barreto@terra.com.br> The OnDemand Switch may use software licensed under the GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of LinuxBios and Filo is available from Radware on request. A copy of this license can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html This code is hereby made publicly available. This product contains code developed by the OpenBSD Project. Copyright (c) 1983, 1990, 1992, 1993, 1995 The Regents of the University of California. All rights reserved. Redistribution and use in source and binary form, with or without modification, are permitted under the following conditions:
1. Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials distributed with it.
3. Neither the name of the university nor the names of the contributors may be used to endorse or promote products derived from this software without express prior written permission.

This product contains software developed by Markus Friedl. This product contains software developed by Theo de Raadt. This product contains software developed by Niels Provos. This product contains software developed by Dug Song. This product contains software developed by Aaron Campbell. This product contains software developed by Damien Miller. This product contains software developed by Kevin Steves. This product contains software developed by Daniel Kouril. This product contains software developed by Wesley Griffin. This product contains software developed by Per Allansson. This product contains software developed by Nils Nordman. This product contains software developed by Simon Wilkinson.

Redistribution and use in source and binary form, with or without modification, are permitted under the following conditions:
1. Redistribution of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistribution in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials distributed with it.

ALL OF THE AFOREMENTIONED SOFTWARE IS PROVIDED BY THE AUTHOR "AS IS". ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE EXCLUDED. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR DIRECT OR INDIRECT DAMAGES, DAMAGES ARISING IN THE PERFORMANCE OF A CONTRACT, SPECIAL DAMAGES, PUNITIVE DAMAGES OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR PROFITS; OR BUSINESS INTERRUPTION), HOWEVER CAUSED, AND UNDER ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE), ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

Standard Warranty
The following standard warranty is presented in English, French, and German.

Standard Warranty
Radware offers a limited warranty for all its products ("Products"). Radware hardware products are warranted against defects in material and workmanship for a period of one year from date of shipment. Radware software carries a standard warranty that provides bug fixes for up to 90 days after date of purchase. Should a Product unit fail at any time during the said period(s), Radware will, at its discretion, repair or replace the Product. For hardware warranty service or repair, the product must be returned to a service facility designated by Radware. Customer shall pay the shipping charges to Radware and Radware shall pay the shipping charges in returning the product to the customer. Please see specific details outlined in the Standard Warranty section of the customer's purchase order. Radware shall be released from all obligations under its Standard Warranty in the event that the Product and/or the defective component has been subjected to misuse, neglect, accident or improper installation, or if repairs or modifications were made by persons other than Radware authorized service personnel, unless such repairs by others were made with the written consent of Radware. EXCEPT AS SET FORTH ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE PROVIDED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED.

Standard Warranty (translated from French)
Radware grants a limited warranty for all of its products ("Products"). Radware hardware is warranted against any defect in material and workmanship for a period of one year from the date of shipment. Radware software is supplied with a standard warranty consisting of the provision of fixes for software malfunctions (bugs) for a maximum period of 90 days from the date of purchase. In the event that a Product exhibits a defect during the said period(s), Radware will, at its discretion, repair or replace the Product. With regard to the replacement or repair warranty for hardware, the Product must be returned to a repairer designated by Radware. The Customer shall bear the cost of shipping the Product to Radware, and Radware shall bear the cost of returning the Product to the customer. Please refer to the specific conditions described in the "Standard Warranty" section of the customer purchase order. Radware is released from all obligations related to the Standard Warranty in the event that the Product and/or the defective component has been subjected to misuse, negligence, accident or non-compliant installation, or if the repairs or modifications it has undergone were carried out by persons other than maintenance personnel authorized by Radware, unless Radware gave its written consent for such repairs to be carried out by those persons. EXCEPT IN THE CASES PROVIDED FOR ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE PROVIDED "AS IS" AND ALL EXPRESS OR IMPLIED WARRANTIES ARE EXCLUDED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.

Standard Warranty (translated from German)
Radware offers a limited warranty for all its products ("Products"). Radware hardware products carry a warranty against defects in material and workmanship for a period of one year from the delivery date. Radware software carries a standard warranty for bug fixing for a period of up to 90 days after the date of purchase. Should a Product exhibit a defect within the stated warranty period, Radware will, at its own discretion, either repair or replace the Product. For hardware warranty service or repair, the Product must be returned to a service facility designated by Radware. The customer bears the shipping costs for transporting the Product to Radware; Radware bears the cost of returning the Product to the customer. For more precise details, please refer to the Standard Warranty section of the customer order form. Radware is released from all obligations under its Standard Warranty if the Product or the defective part has been misused, neglected, subjected to an accident or improperly installed, or if repairs or modifications were carried out by persons other than Radware-authorized customer service personnel, unless such repairs by said other persons were carried out with written approval from Radware. EXCEPT AS SET OUT ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE DELIVERED "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE EXCLUDED.

Limitations on Warranty and Liability
The following limitations on warranty and liability are presented in English, French, and German.

Limitations on Warranty and Liability
IN NO EVENT SHALL RADWARE LTD. OR ANY OF ITS AFFILIATED ENTITIES BE LIABLE FOR ANY DAMAGES INCURRED BY THE USE OF THE PRODUCTS (INCLUDING BOTH HARDWARE AND SOFTWARE) DESCRIBED IN THIS USER GUIDE, OR BY ANY DEFECT OR INACCURACY IN THIS USER GUIDE ITSELF. THIS INCLUDES BUT IS NOT LIMITED TO ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION). THE ABOVE LIMITATIONS WILL APPLY EVEN IF RADWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES OR LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE ABOVE LIMITATION OR EXCLUSION MAY NOT APPLY TO YOU.

Limitations on Warranty and Liability (translated from French)
IN NO EVENT SHALL RADWARE LTD. OR ITS AFFILIATED ENTITIES BE HELD LIABLE FOR DAMAGES INCURRED THROUGH THE USE OF THE PRODUCTS (INCLUDING HARDWARE AND SOFTWARE) DESCRIBED IN THIS USER MANUAL, OR THROUGH DEFECTS OR INACCURACIES IN THIS USER MANUAL, INCLUDING, WITHOUT THIS LIST BEING CONSIDERED EXHAUSTIVE, ALL DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, THE PROVISION OF SUBSTITUTE PRODUCTS OR SERVICES; LOSS OF USE, DATA OR PROFITS; OR BUSINESS INTERRUPTION). THE ABOVE LIMITATIONS SHALL APPLY EVEN IF RADWARE HAS BEEN INFORMED OF THE POSSIBLE EXISTENCE OF SUCH DAMAGES. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES OR OF LIABILITY FOR INCIDENTAL OR INDIRECT DAMAGES, SO THE SAID LIMITATIONS OR EXCLUSIONS MAY NOT APPLY IN YOUR CASE.

Limitations on Warranty and Liability (translated from German)
IN NO EVENT SHALL RADWARE LTD. OR ANY OF ITS AFFILIATED COMPANIES BE LIABLE FOR DAMAGES ARISING FROM THE USE OF THE PRODUCT (HARDWARE AND SOFTWARE) AS DESCRIBED IN THE USER MANUAL, OR FROM AN ERROR OR INACCURACY IN THIS USER MANUAL ITSELF. THIS INCLUDES, AMONG OTHERS (WITHOUT BEING LIMITED TO), ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING BUT NOT LIMITED TO PROCUREMENT OR REPLACEMENT OF GOODS OR SERVICES, LOSS OF USE, LOSS OF DATA OR PROFITS, OR BUSINESS INTERRUPTIONS). THE ABOVE LIMITATIONS APPLY EVEN IF RADWARE HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. SOME JURISDICTIONS DO NOT PERMIT THE EXCLUSION OR LIMITATION OF IMPLIED WARRANTIES OR OF LIABILITY FOR INCIDENTAL OR CONSEQUENTIAL DAMAGES, SO THE LIMITATION OR EXCLUSION SET OUT ABOVE MAY NOT APPLY TO YOU.

Safety Instructions
The following safety instructions are presented in English, French, and German.

Safety Instructions
CAUTION
A readily accessible disconnect device shall be incorporated in the building installation wiring. Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures that involve opening panels or changing components must be performed by qualified service personnel only. To reduce the risk of fire and electrical shock, disconnect the device from the power line before removing cover or panels.


The following figure shows the caution label that is attached to Radware platforms with dual power supplies.

Figure 1: Electrical Shock Hazard Label

DUAL-POWER-SUPPLY-SYSTEM SAFETY WARNING IN CHINESE
The following figure is the warning for Radware platforms with dual power supplies.

Figure 2: Dual-Power-Supply-System Safety Warning in Chinese

Translation of Dual-Power-Supply-System Safety Warning in Chinese: This unit has more than one power supply. Disconnect all power supplies before maintenance to avoid electric shock.

SERVICING
Do not perform any servicing other than that contained in the operating instructions unless you are qualified to do so. There are no serviceable parts inside the unit.

HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under voltage must be avoided as much as possible and, when inevitable, must be carried out only by a skilled person who is aware of the hazard involved. Capacitors inside the instrument may still be charged even if the instrument has been disconnected from its source of supply.

GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this device must be connected to the protective earth in the building installation.

LASER
This equipment is a Class 1 Laser Product in accordance with IEC60825-1: 1993 + A1:1997 + A2:2001 Standard.

FUSES
Make sure that only fuses with the required rated current and of the specified type are used for replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be made inoperative and be secured against any unintended operation.


LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power source matches the requirements of the instrument. Refer to the Specifications for information about the correct power rating for the device. 48V DC-powered platforms have an input tolerance of 36-72V DC.

SPECIFICATION CHANGES
Specifications are subject to change without notice.

Note: This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN 61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11 for CE MARK compliance. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user is required to correct the interference at his own expense.

SPECIAL NOTICE FOR NORTH AMERICAN USERS
For North American power connection, select a power supply cord that is UL Listed and CSA Certified, 3-conductor, [18 AWG], terminated in a molded-on plug cap rated 125 V, [10 A], with a minimum length of 1.5m [six feet] but no longer than 4.5m... For European connection, select a power supply cord that is internationally harmonized and marked <HAR>, 3-conductor, 0,75 mm2 minimum wire, rated 300 V, with a PVC insulated jacket. The cord must have a molded-on plug cap rated 250 V, 3 A.

RESTRICT AREA ACCESS
The DC powered equipment should only be installed in a Restricted Access Area.

INSTALLATION CODES
This device must be installed according to country national electrical codes. For North America, equipment must be installed in accordance with the US National Electrical Code, Articles 110-16, 110-17, and 110-18 and the Canadian Electrical Code, Section 12.

INTERCONNECTION OF UNITS
Cables for connecting to the unit RS232 and Ethernet Interfaces must be UL certified type DP-1 or DP-2. (Note: when residing in a non-LPS circuit.)

OVERCURRENT PROTECTION
A readily accessible listed branch-circuit overcurrent protective device rated 15 A must be incorporated in the building wiring for each power input.

REPLACEABLE BATTERIES
If equipment is provided with a replaceable battery, and it is replaced by an incorrect battery type, then an explosion may occur. This is the case for some Lithium batteries and the following is applicable: If the battery is placed in an Operator Access Area, there is a marking close to the battery or a statement in both the operating and service instructions. If the battery is placed elsewhere in the equipment, there is a marking close to the battery or a statement in the service instructions.

This marking or statement includes the following text warning: CAUTION RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE. DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.


Caution To Reduce the Risk of Electrical Shock and Fire 1. This equipment is designed to permit connection between the earthed conductor of the DC supply circuit and the earthing conductor equipment. See Installation Instructions. 2. All servicing must be undertaken only by qualified service personnel. There are not user serviceable parts inside the unit. 3. DO NOT plug in, turn on or attempt to operate an obviously damaged unit. 4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED. 5. Replace a blown fuse ONLY with the same type and rating as is marked on the safety label adjacent to the power inlet, housing the fuse. 6. Do not operate the device in a location where the maximum ambient temperature exceeds 40C/104F. 7. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to remove and/or check the main power fuse. CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS IEC 60 825-1:1993 + A1:1997 + A2:2001 AND EN 60825-1:1994+A1:1996+ A2:2001 AC units for Denmark, Finland, Norway, Sweden (marked on product): Denmark - Unit is class I - unit to be used with an AC cord set suitable with Denmark deviations. The cord includes an earthing conductor. The Unit is to be plugged into a wall socket outlet which is connected to a protective earth. Socket outlets which are not connected to earth are not to be used! Finland - (Marking label and in manual) - Laite on liitettv suojamaadoituskoskettimilla varustettuun pistorasiaan Norway (Marking label and in manual) - Apparatet m tilkoples jordet stikkontakt Unit is intended for connection to IT power systems for Norway only. Sweden (Marking label and in manual) - Apparaten skall anslutas till jordat uttag.

To connect the power:
1. Connect the power cable to the main socket, located on the rear panel of the device.
2. Connect the power cable to the grounded AC outlet.

CAUTION Risk of electric shock and energy hazard. Disconnecting one power supply disconnects only one power supply module. To isolate the unit completely, disconnect all power supplies.

Safety Instructions (French)
WARNING A readily accessible disconnect device shall be incorporated into the building wiring. Due to the risks of electrical shock and of energy, mechanical and fire hazards, any procedure involving opening the panels or replacing components shall be performed by qualified personnel. To reduce the risks of fire and electrical shock, disconnect the device from the power supply before removing the cover or panels.

The following figure shows the warning label affixed to Radware platforms with more than one power supply.

Figure 3: Electrical shock hazard warning label

SAFETY WARNING FOR SYSTEMS WITH TWO POWER SUPPLIES (IN CHINESE) The following figure shows the warning label for Radware platforms with two power supplies.

Figure 4: Safety warning for systems with two power supplies (in Chinese)

Translation of the Safety warning for systems with two power supplies (in Chinese): This unit has more than one power supply. To avoid any electric shock, disconnect all power supplies before servicing the device.

SERVICING Do not perform any servicing other than that described in the instruction manual, unless you are qualified to do so. No part inside the unit can be replaced or repaired.

HIGH VOLTAGE Any adjustment, servicing or repair of the opened instrument under voltage must be avoided. If it proves indispensable, entrust this operation to a qualified person who is aware of the hazards involved. Capacitors inside the unit may still be charged even if the unit has been disconnected from the power supply.

GROUNDING Before connecting this device to the power line, the protective earth terminal screws of this unit must be connected to the building's grounding system.

LASER This equipment is a Class 1 laser product, compliant with the IEC60825 - 1: 1993 + A1: 1997 + A2: 2001 standard.

FUSES Make sure that only fuses of the required rated current and of the specified type are used as replacements. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. When it is practically certain that the protection offered by the fuses has been impaired, the instrument must be deactivated and secured against any unintended operation.

LINE VOLTAGE Before connecting this instrument to the power line, check that the voltage of the power source matches the instrument's requirements. Consult the specifications for the correct nominal power supply of the device. Platforms powered at 48 V DC have an input tolerance of 36 to 72 V DC.

SPECIFICATION CHANGES Specifications are subject to change without prior notice.

Note: This equipment has been tested and found to comply with the limits defined for a Class A digital device, pursuant to Part 15B of the FCC rules and EN55022 Class A, EN 55024, EN 61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8, and IEC 61000-4-11, for the CE conformity mark. These limits are set to provide reasonable protection against harmful interference when the equipment is used in a commercial environment. This equipment generates, uses and can radiate radio frequencies and, if it is not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will have to correct the problem at their own expense.

SPECIAL NOTICE FOR NORTH AMERICAN USERS For an electrical connection in North America, select a UL-listed and CSA-certified 3-conductor power cord, [18 AWG], fitted with a moulded plug at its end, rated 125 V, [10 A], with a minimum length of 1.5 m [six feet] and a maximum of 4.5 m. For the European connection, choose an internationally approved power cord marked <HAR>, 3-conductor, cable of 0.75 mm2 minimum, rated 300 V, with an insulated PVC sheath. The plug at the end of the cord shall carry a moulded seal indicating: 250 V, 3 A.

RESTRICTED ACCESS AREA DC-powered equipment may only be installed in a restricted access area.

INSTALLATION CODES This device must be installed in compliance with national electrical codes. In North America, the equipment shall be installed in compliance with the US National Electrical Code, articles 110-16, 110-17 and 110-18, and the Canadian Electrical Code, Section 12.

INTERCONNECTION OF UNITS Cables for connection to the unit's RS232 and Ethernet interfaces shall be UL-certified, type DP-1 or DP-2. (Note: if they do not reside in an LPS circuit.)

OVERCURRENT PROTECTION A readily accessible branch circuit on the 15 A current protection device must be integrated into the building wiring for each power input.

REPLACEABLE BATTERIES If the equipment is supplied with a battery, and it is replaced by an incorrect battery type, it may explode. This is the case for some lithium batteries, so the following applies: If the battery is placed in an operator access area, a marking is placed on the battery or a note is inserted in both the operating and the servicing instructions. If the battery is placed elsewhere in the equipment, a marking is placed on the battery or a note is inserted in the servicing instructions.

This marking or note includes the following text warning: WARNING RISK OF EXPLOSION IF THE BATTERY IS REPLACED BY AN INCORRECT MODEL. DISPOSE OF BATTERIES IN ACCORDANCE WITH THE INSTRUCTIONS.

Caution - To reduce the risks of electrical shock and fire
1. This equipment is designed to permit the connection between the earthing conductor of the DC electrical circuit and the earthing equipment. See the installation instructions.
2. All servicing shall be undertaken by qualified personnel. No part inside the unit can be replaced or repaired.
3. DO NOT plug in, switch on or attempt to use an obviously damaged unit.
4. Check that the chassis ventilation opening in the unit is NOT OBSTRUCTED.
5. Replace a damaged fuse with a similar model of the same rating, as indicated on the safety label adjacent to the power inlet housing the fuse.
6. Do not operate the device in a location where the ambient temperature exceeds the maximum permitted value, 40°C/104°F.
7. Unplug the power cord from the wall socket BEFORE attempting to remove and/or check the main power fuse.

CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS: IEC 60 825-1: 1993 + A1: 1997 + A2: 2001 AND EN 60825-1: 1994+A1: 1996+ A2: 2001

AC units for Denmark, Finland, Norway, Sweden (indicated on the product):
Denmark - Class 1 unit - which must be used with an AC cord compatible with the Danish deviations. The cord includes an earthing conductor. The unit shall be plugged into an earthed wall socket. Unearthed sockets shall not be used!
Finland (label and note in the manual) - Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan
Norway (label and note in the manual) - Apparatet må tilkoples jordet stikkontakt. The unit may be connected to an IT power system (in Norway only).
Sweden (label and note in the manual) - Apparaten skall anslutas till jordat uttag.

To connect the power supply:
1. Connect the power cable to the main socket, located on the rear panel of the unit.
2. Connect the power cable to the earthed AC socket.

WARNING Risk of electric shock and energy hazard. Disconnecting one power supply disconnects only one power module. To isolate the unit completely, disconnect all power supplies.

CAUTION Risk of electric shock and electrical hazard. Disconnecting a single regulated power supply disconnects only one Regulated Power Supply module. To isolate the module in question completely, all regulated power supplies must be disconnected.

Caution: To Reduce the Risks of Electrocution and Fire
1. All servicing operations shall be performed ONLY by qualified service personnel. No component can be serviced or replaced by the user.
2. DO NOT connect, power on or attempt to use a visibly defective unit.
3. Ensure that the chassis ventilation openings ARE NOT OBSTRUCTED.
4. Replace a blown fuse ONLY with a fuse of the same type and the same rating, as indicated on the safety label near the power inlet that contains the fuse.
5. DO NOT USE the equipment in premises where the maximum temperature exceeds 40 degrees Centigrade.
6. Make sure the power cord has been disconnected BEFORE attempting to remove and/or check the main power supply fuse.

Safety Instructions (German)
CAUTION The building's electrical installation must incorporate a readily accessible power disconnect device. Because of the risk of electric shock and of energy, mechanical and fire hazards, procedures in the course of which covers are removed or components are replaced may only be carried out by qualified service personnel. To reduce the risk of fire and electric shock, the device must be disconnected from the power supply before the cover or panels are removed. The following figure shows the CAUTION label affixed to Radware platforms with dual power supplies.

Figure 5: Electrical shock hazard warning label

SAFETY NOTICE IN CHINESE FOR SYSTEMS WITH DUAL POWER SUPPLIES The following figure is the warning for Radware platforms with dual power supplies.

Figure 6: Safety notice in Chinese for systems with dual power supplies

Translation of the Safety notice in Chinese for systems with dual power supplies: The unit has more than one power supply source. To prevent electric shock, disconnect all power supply lines before servicing.

SERVICING Do not carry out any servicing that is not described in the operating instructions, unless you are qualified to do so. There are no serviceable parts inside the device.

HIGH VOLTAGE Any adjustment, maintenance or repair work on the opened device under voltage must be avoided as far as possible. If it cannot be avoided, it may only be carried out by qualified persons who are aware of the danger.

Capacitors inside the device may still hold a charge even after the device has been disconnected from the power supply.

GROUNDING Before the device is connected to the power supply, the screws of the device's earthing lead must be connected to the earth of the building wiring.

LASER This device is a Class 1 laser product in compliance with the IEC60825 - 1: 1993 + A1:1997 + A2:2001 standard.

FUSES Make sure that only fuses of the required current rating and of the specified type are used. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. In cases where it is likely that the protection offered by the fuses has been impaired, the device must be switched off and secured against unintended operation.

LINE VOLTAGE Before connecting this device to the power supply, it must be ensured that the voltage of the power source matches the requirements of the device. Observe the technical specifications regarding the correct electrical ratings of the device. Platforms with 48 V DC have an input tolerance of 36-72 V DC.

SPECIFICATION CHANGES Changes to the technical specifications are reserved.

Note: This device has been tested and complies with the limits for Class 1 digital devices pursuant to Part 15B of the FCC rules and EN55022 Class A, EN55024; EN 61000-3-2; EN; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11 for compliance with the CE marking. These limits are intended to provide reasonable protection against harmful interference when the device is operated in a commercial environment. This device generates, uses and radiates electromagnetic radio-frequency energy. If it is not installed and used in accordance with the instructions in the manual, it could interfere with and impair radio communications. Operation of this device in residential areas will most probably cause harmful interference. In such a case the user would be obliged to correct this interference at their own expense.

SPECIAL NOTICE FOR USERS IN NORTH AMERICA For the mains connection in North America, select a power cord that is UL-listed and CSA-certified, 3 conductors, [18 AWG], terminating in a moulded plug, rated 125 V, [10 A], with a minimum length of 1.5 m [six feet] but no longer than 4.5 m. For European connections use an internationally harmonised power cord marked <HAR>, with 3 conductors of at least 0.75 mm2, rated 300 V, with PVC sheathing. The cord must terminate in a moulded plug rated 250 V, 3 A.

RESTRICTED ACCESS AREA The DC-powered device may only be installed in a restricted access area.

INSTALLATION CODES This device must be installed in accordance with the country-specific electrical codes. In North America, devices must be installed in accordance with the US National Electrical Code, articles 110-16, 110-17 and 110-18, and the Canadian Electrical Code, Section 12.

INTERCONNECTION OF DEVICES Cables for connecting the device to RS232 and Ethernet must be UL-certified and of type DP-1 or DP-2. (Note: when located in a non-LPS circuit.)

OVERCURRENT PROTECTION A readily accessible listed overcurrent protection device with a branch circuit rated 15 A must be integrated into the building wiring for each power input.

REPLACEABLE BATTERIES If a device is supplied with a replaceable battery and this battery is replaced by an incorrect battery type, this could lead to an explosion. This applies to some types of lithium batteries, and the following must be observed: If the battery is installed in an operator area, there is a marking near the battery or a statement in both the operating manual and the servicing instructions. If the battery is installed elsewhere in the device, there is a marking near the battery or a statement in the servicing instructions.

This marking or statement contains the following warning text: CAUTION RISK OF EXPLOSION IF THE BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE. DISPOSE OF USED BATTERIES IN ACCORDANCE WITH THE INSTRUCTIONS.

Denmark - Unit is class I - use with an AC cord set that is configured for the Danish deviations. The cord is provided with an earthing wire. The cord is plugged into an earthed wall socket. Do not use sockets without an earthing lead!
Finland - (Marking label and in the manual) - Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan
Norway - (Marking label and in the manual) - Apparatet må tilkoples jordet stikkontakt. Intended exclusively for connection to IT power systems in Norway.
Sweden - (Marking label and in the manual) - Apparaten skall anslutas till jordat uttag.

Connecting the power cable:
1. Connect the power cable to the main connector on the rear of the device.
2. Connect the power cable to the earthed AC outlet.

CAUTION Electric shock and energy hazard. Disconnecting one power source disconnects only one power supply module from the power supply. To isolate the device completely, it must be disconnected from the entire power supply.

Caution - To Reduce the Risk of Electric Shock and Fire
1. This device is designed to permit the connection between the earthed conductor of the DC circuit and the earthing conductor of the device. See the installation instructions.
2. Servicing of any kind may only be carried out by qualified service personnel. There are no user-serviceable parts inside the device.
3. Do not attempt to connect an obviously damaged device to the power circuit, switch it on or operate it.
4. Make sure that the ventilation openings in the housing of the device are NOT BLOCKED.
5. Replace a blown fuse only with the same type and the same rating as stated on the safety label next to the power cable connector, on the fuse housing.
6. Do not operate the device in a location where the maximum ambient temperature exceeds 40°C.
7. Be sure to pull the power cable out of the wall socket BEFORE removing and/or checking the main fuse.

Electromagnetic-Interference Statements
The following statements are presented in English, French, and German.

Electromagnetic-Interference Statements
SPECIFICATION CHANGES Specifications are subject to change without notice.

Note: This equipment has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN 61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11 for CE Mark compliance. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user is required to correct the interference at his own expense.

VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS

Figure 7: Statement for Class A VCCI-certified Equipment

Translation of Statement for Class A VCCI-certified Equipment: This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may occur, in which case, the user may be required to take corrective action.

Figure 8: Statement for Class B VCCI-certified Equipment

Translation of Statement for Class B VCCI-certified Equipment: This is a Class B product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this is used near a radio or television receiver in a domestic environment, it may cause radio interference. Install and use the equipment according to the instruction manual.

KCC KOREA

Figure 9: KCC (Korea Communications Commission) Certificate of Broadcasting and Communication Equipment

Figure 10: Statement for Class A KCC-certified Equipment in Korean

Translation of Statement for Class A KCC-certified Equipment in Korean: This equipment is industrial (Class A) electromagnetic wave suitability equipment; the seller or user should take note of this, and this equipment is to be used in places other than the home.

BSMI

Figure 11: Statement for Class A BSMI-certified Equipment


Translation of Statement for Class A BSMI-certified Equipment: This is a Class A product. In a residential environment it may cause radio interference, in which case the user will be required to take adequate measures.

Electromagnetic-Interference Statements (French)

SPECIFICATION CHANGES Specifications are subject to change without prior notice.

Note: This equipment has been tested and found to comply with the limits defined for a Class A digital device, pursuant to Part 15B of the FCC rules and EN55022 Class A, EN 55024, EN 61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8, and IEC 61000-4-11, for the CE conformity mark. These limits are set to provide reasonable protection against harmful interference when the equipment is used in a commercial environment. This equipment generates, uses and can radiate radio frequencies and, if it is not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will have to correct the problem at their own expense.

VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS

Figure 12: Statement for Class A VCCI-certified equipment

Translation of the Statement for Class A VCCI-certified equipment: This is a Class A product, based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbances may occur. If so, the user will be required to take corrective measures.

Figure 13: Statement for Class B VCCI-certified equipment

Translation of the Statement for Class B VCCI-certified equipment: This is a Class B product, based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If it is used near a radio or television set in a domestic environment, it may cause radio interference. Install and use the equipment according to the instruction manual.

KCC KOREA

Figure 14: KCC (Korea Communications Commission) Certificate for broadcasting and communication equipment.

Figure 15: Statement for Class A KCC-certified equipment in Korean

Translation of the Statement for Class A KCC-certified equipment in Korean: This equipment is (Class A) equipment compatible with electromagnetic waves, and the seller or user must take this into account. This equipment is therefore intended for use in places other than the home.

BSMI

Figure 16: Statement for Class A BSMI-certified equipment


Translation of the Statement for Class A BSMI-certified equipment: This is a Class A product; used in a residential environment it may cause interference, in which case the user will have to take adequate measures.

Electromagnetic-Interference Statements (German)

SPECIFICATION CHANGES Changes to the technical specifications are reserved.

Note: This device has been tested and complies with the limits for Class 1 digital devices pursuant to Part 15B of the FCC rules and EN55022 Class A, EN55024; EN 61000-3-2; EN; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11 for compliance with the CE marking. These limits are intended to provide reasonable protection against harmful interference when the device is operated in a commercial environment. This device generates, uses and radiates electromagnetic radio-frequency energy. If it is not installed and used in accordance with the instructions in the manual, it could interfere with and impair radio communications. Operation of this device in residential areas will most probably cause harmful interference. In such a case the user would be obliged to correct this interference at their own expense.

VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENT

Figure 17: Statement for Class A VCCI-certified devices

Translation of the Statement for Class A VCCI-certified devices: This is a Class A product in accordance with the standards of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this device is used in a residential area, electromagnetic disturbances may occur. In such a case the user would be obliged to take corrective action.

Figure 18: Statement for Class B VCCI-certified devices

Translation of the Statement for Class B VCCI-certified devices: This is a Class B product in accordance with the standards of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this device is used in a residential area, electromagnetic disturbances may occur. Install and use the device according to the instructions in the user manual.

KCC KOREA

Figure 19: KCC (Korea Communications Commission) Certificate for broadcasting and communication equipment

Figure 20: Statement for Class A KCC-certified devices

Translation of the Statement for Class A KCC-certified devices: Sellers or users should take note that this device belongs to Class A, equipment suitable for industrial electromagnetic waves, and that such devices are not intended for home use.

BSMI

Figure 21: Statement for Class A BSMI-certified devices


Translation of the Statement for Class A BSMI-certified devices: This is a Class A product; when used in a residential environment radio interference may occur, in which case the user is obliged to take appropriate measures.

Altitude and Climate Warning


Note: This warning only applies to the People's Republic of China.

The two warning statements themselves are in Chinese (referring to Tma 25°C and an altitude of 2000 m) and are not reproduced here.

Document Conventions
The following describes the conventions and symbols that this guide uses:

Item     | Description                                     | Description (French)                                               | Beschreibung (German)
---------|-------------------------------------------------|--------------------------------------------------------------------|------------------------------------------------
Example  | An example scenario                             | Un scénario d'exemple                                              | Ein Beispielszenarium
Caution: | Possible damage to equipment, software, or data | Endommagement possible de l'équipement, du logiciel ou des données | Mögliche Schäden an Gerät, Software oder Daten
Note:    | Additional information                          | Informations complémentaires                                       | Zusätzliche Informationen
To       | A statement and instructions                    | Références et instructions                                         | Eine Erklärung und Anweisungen
Tip:     | A suggestion or workaround                      | Une suggestion ou solution                                         | Ein Vorschlag oder eine Umgehung
Warning: | Possible physical harm to the operator          | Blessure possible de l'opérateur                                   | Verletzungsgefahr des Bedieners

Table of Contents
Important Notices ..................................................... 3
Copyright Notices ..................................................... 4
Standard Warranty ..................................................... 8
Limitations on Warranty and Liability ................................. 9
Safety Instructions ................................................... 10
Electromagnetic-Interference Statements ............................... 20
Altitude and Climate Warning .......................................... 24
Document Conventions .................................................. 25

Chapter 1 Introduction ................................................ 35
Introducing DefensePro ................................................ 35
DefensePro System Components .......................................... 35
Radware Security Update Service on the Web ............................ 36
Typical Deployment .................................................... 37
Network Connectivity .................................................. 38
Management Interfaces: APSolute Vision and Others ..................... 38
DefensePro Features ................................................... 39
    Security Protections .............................................. 39
    Real-time Security Reporting for DefensePro ....................... 40
    Historical Security Reporting: APSolute Vision Reporter ........... 40
Related Documentation ................................................. 40
    DefensePro Release Notes and Maintenance Release Notes ............ 40
    Radware Installation and Maintenance Guide ........................ 40
    APSolute Vision Documentation ..................................... 41
    APSolute Vision Reporter Documentation ............................ 41

Chapter 2 Getting Started ............................................. 43
DefensePro Physical Ports ............................................. 43
DefensePro Platforms and Models ....................................... 43
Working with DefensePro x420 Instances ................................ 43
    Management-Interface Issues ....................................... 44
    Instance-Configuration Issues ..................................... 44
    Monitoring and Reporting Issues ................................... 44
    Optimizing Performance When Working with Instances ................ 44
Logging into APSolute Vision .......................................... 45
Changing Password for Local Users ..................................... 45

APSolute Vision User Interface Overview .................................................................. 46


        Configuration Perspective .......... 46
        Monitoring Perspective .......... 49
        Security Monitoring Perspective .......... 50
        Asset Management Perspective .......... 51
        APSolute Vision Sites .......... 51

    APSolute Vision Sites and DefensePro Devices .......... 52
    Configuring Inspection Ports .......... 52
        Configuring Port Pairs .......... 52
        Managing the Status of Physical Ports .......... 53

    Updating the Attack Description File .......... 54
    Managing DefensePro Security Groups .......... 55

Chapter 3 Basic Device Configuration............................................................... 59


    Locking and Unlocking a Device .......... 59
    DefensePro Device Setup .......... 60
        Configuring DefensePro Global Parameters .......... 60
        Configuring Date and Time Synchronization .......... 61
        Configuring Daylight Saving .......... 62
        Configuring Access Protocols .......... 63
        Configuring SNMP Supported Versions .......... 64
        Upgrading a License for a DefensePro Device .......... 65
        Configuring RADIUS Authentication for Device Management .......... 67
        Configuring Syslog Settings .......... 68
        Managing Certificates .......... 69
        Configuring High Availability .......... 74
        Configuring BOOTP .......... 81
        Configuring DNS Client Settings .......... 82
        Configuring DefensePro Security Signaling .......... 82

Advanced Parameters ................................................................................................ 84


        Configuring Advanced Settings .......... 85
        Configuring Configuration Auditing .......... 86
        Configuring Dynamic Protocols .......... 86
        Configuring Tuning Parameters .......... 88
        Configuring Security Reporting .......... 97
        Configuring Out-of-Path Settings for DefensePro .......... 100
        Configuring Session Table Settings .......... 101
        Configuring Suspend Settings .......... 104
        Configuring the Device Event Scheduler .......... 105
        Configuring Tunneling Inspection .......... 105

Configuring SNMP .................................................................................................... 106


        Configuring SNMP Users .......... 107
        Configuring SNMP Community Settings .......... 108


        Configuring the SNMP Group Table .......... 109
        Configuring SNMP Access Settings .......... 109
        Configuring SNMP Notify Settings .......... 110
        Configuring SNMP View Settings .......... 111
        Configuring the SNMP Target Parameters Table .......... 112
        Configuring SNMP Target Addresses .......... 113

    Configuring Device Users .......... 114
    Configuring Access Permissions on Physical Ports .......... 116
    Configuring Port Pinging .......... 116

Chapter 4 Device Network Configuration ........................................................ 117


    Configuring Device IP Interfaces .......... 117
    Managing IP Routing .......... 118
        Configuring IP Routing .......... 118
        Configuring ICMP .......... 119
        Configuring the ARP Table .......... 120

Configuring Ports ...................................................................................................... 121


Configuring Port Mirroring ................................................................................................. 123

Configuring the Basic Network Parameters .............................................................. 124


        IPv4 and IPv6 Support .......... 125
        IP Fragmentation .......... 125
        Traffic Exclusion .......... 125
        Configuring the Basic Networking Parameters .......... 125

Configuring Port Pairs .............................................................................................. 127

Chapter 5 Security Configuration..................................................................... 129


    Security Protections .......... 129
    Selecting a Device for Security Configuration .......... 130
    Configuring Global Security Settings .......... 130
        Configuring Global Signature Protection .......... 131
        Configuring DoS Shield Protection .......... 131
        Configuring Global Behavioral DoS Protection .......... 133
        Configuring Global Anti-Scanning Protection Settings .......... 138
        Configuring Global SYN Flood Protection .......... 140
        Configuring Global Out of State Protection .......... 141
        Configuring Global HTTP Flood Protection .......... 142
        Configuring Global SIP Cracking Protection .......... 143
        Configuring Global Fraud Protection .......... 144
        Configuring Global Packet Anomaly Protection .......... 146
        Configuring Global DNS Flood Protection .......... 149

Managing the Network Protection Policy .................................................................. 155


        Configuring the Network Protection Policy .......... 156
        Configuring Signature Protection for Network Protection .......... 160


        Configuring BDoS Profiles for Network Protection .......... 175
        Configuring Anti-Scanning Protection for Network Protection .......... 178
        Configuring Connection Limit Profiles for Network Protection .......... 180
        Configuring SYN Profiles for Network Protection .......... 185
        Configuring DNS Protection Profiles for Network Protection .......... 192
        Configuring Out of State Protection Profiles for Network Protection .......... 195

Managing the Server Protection Policy .................................................................... 196


        Configuring the Server Protection Policy .......... 197
        Server Cracking Protection .......... 198
        Configuring HTTP Flood Mitigation Profiles for Server Protection .......... 209

Configuring White Lists ............................................................................................. 215


        Configuring White Lists in DefensePro .......... 215

Configuring Black Lists ............................................................................................. 218


        Enabling and Disabling the Packet Trace Feature for Black List Rules .......... 218
        Configuring Black List Rules .......... 219

Managing the ACL Policy ......................................................................................... 223


        Configuring Global ACL Policy Settings .......... 223
        Configuring ACL Policy Rules .......... 226
        Viewing Active ACL Policy Rules .......... 230

Chapter 6 Managing Classes ............................................................................ 231


    Configuring Network Classes .......... 231
    Configuring Service Classes .......... 233
        Configuring Basic Filters .......... 233
        Configuring AND Group Filters .......... 239
        Configuring OR Group Filters .......... 239

    Configuring Application Classes .......... 240
    Configuring Physical Port Classes .......... 242
    Configuring VLAN Tag Classes .......... 242
    Configuring MAC Address Classes .......... 243
    Viewing Active Class Configurations .......... 244
        Viewing the Active Network Class Configuration .......... 244
        Viewing the Active Service Class Configurations .......... 244
        Viewing the Active Application Class Configuration .......... 245
        Viewing the Active Physical Port Class Configuration .......... 246
        Viewing the Active VLAN Tag Class Configuration .......... 246
        Viewing the Active MAC Address Class Configuration .......... 246

Configuring MPLS RD Groups ................................................................................. 246

Chapter 7 Managing Device Operations and Maintenance............................ 249


    Rebooting a DefensePro Device .......... 249
    Shutting Down a DefensePro Device .......... 250
    Viewing and Setting Device Date and Time .......... 250

    Upgrading Device Software .......... 250
    Downloading a Device's Log File to the APSolute Vision Client .......... 252
    Updating a Radware Signature File or RSA Signature File .......... 252
    Downloading a Technical Support File to the APSolute Vision Client .......... 253
    Managing DefensePro Device Configurations .......... 254
        Configuration File Content .......... 254
        Downloading a Device's Configuration File .......... 255
        Restoring a Device's Configuration .......... 255

    Updating Policy Configurations on a DefensePro Device .......... 256
    Checking Device Memory Availability .......... 256
    Resetting the Baseline for DefensePro .......... 257
    Enabling and Disabling Interfaces .......... 257
    Scheduling APSolute Vision and Device Tasks .......... 258
        Overview of Scheduling .......... 258
        Configuring Tasks in the Scheduler .......... 259
        Task Parameters .......... 260

Chapter 8 Monitoring DefensePro Devices and Interfaces ............................ 271


Monitoring DefensePro Devices ............................................................................... 271
        Monitoring General DefensePro Device Information .......... 271
        Monitoring DefensePro High Availability .......... 272
        Monitoring the DefensePro Suspend Table .......... 274
        Monitoring DefensePro CPU Utilization .......... 274
        Monitoring and Clearing DefensePro Authentication Tables .......... 275
        Monitoring DefensePro SNMP Statistics .......... 276
        Monitoring DME Utilization According to Configured Policies .......... 277
        Monitoring DefensePro Syslog Information .......... 278
        Monitoring Session Table Information .......... 279
        Monitoring DefensePro IP Statistics .......... 281
        Monitoring Routing Table Information .......... 282
        Monitoring DefensePro ARP Table Information .......... 283
        Monitoring MPLS RD Information .......... 284

Monitoring and Controlling Device Interfaces ........................................................... 284

Chapter 9 Real-Time Security Reporting ......................................................... 287


    Risk Levels .......... 287
    Viewing the Security Dashboard .......... 288
    Viewing and Managing Current Attack Information .......... 290
        Attack Details .......... 294
        Sampled Data Dialog Box .......... 305


Viewing Real-Time Traffic Statistics ......................................................................... 306


        Viewing Traffic Utilization Statistics .......... 307
        Viewing Connection Rate Statistics .......... 310
        Viewing Concurrent Connections Statistics .......... 311

    Monitoring Attack Sources - Geographical Map .......... 311
    Protection Monitoring .......... 313
        Displaying Attack Status Information .......... 313
        Monitoring Network Rule Traffic .......... 314
        Monitoring DNS Flood Attack Traffic .......... 316

HTTP Reports ........................................................................................................... 319


        Monitoring Continuous Learning Statistics .......... 319
        Monitoring Hour-Specific Learning Statistics .......... 320
        HTTP Request Size Distribution .......... 321
        MIB Support for Real-Time HTTP Monitoring Data .......... 322

Chapter 10 Administering DefensePro ............................................................ 323


Command Line Interface .......................................................................................... 323
        CLI Session Time-Out .......... 324
        CLI Capabilities .......... 324
        CLI Traps .......... 325
        Send Traps To All CLI Users .......... 325

    Web Based Management .......... 325
    Web Services .......... 326


        API Structure .......... 326
        APSolute API Software Development Kit (SDK) .......... 327

Appendix A Footprint Bypass Fields and Values ........................................... 329


    BDoS Footprint Bypass Fields and Values .......... 329
    DNS Footprint Bypass Fields and Values .......... 333

Appendix B Configuring SSL-Based Protection with AppXcel ..................... 335


Configuring SSL Inspection Layer 4 Ports for DefensePro ...................................... 336

Appendix C Predefined Basic Filters .......... 337

Appendix D DefensePro Attack-Protection IDs .......... 347

Appendix E Protocols and OSs Protected by DefensePro Signatures .......... 357


Appendix F Troubleshooting ............................................................................ 359


Diagnostic Tools ....................................................................................................... 359
        Traffic Capture Tool .......... 359
        Trace-Log .......... 361
        Diagnostic Tools Files Management .......... 363
        Diagnostics Policies .......... 364

Technical Support File .............................................................................................. 366

Appendix G Glossary .......... 369

Radware Ltd. End User License Agreement .......... 375


Chapter 1 Introduction
This guide describes DefensePro 7.20.00 and how to use it. Unless specifically stated otherwise, the procedures described in this guide are performed using APSolute Vision version 2.15.

This chapter introduces Radware's DefensePro and provides a general explanation of its main features and modules. This chapter contains the following sections:
- Introducing DefensePro, page 35
- DefensePro System Components, page 35
- Radware Security Update Service on the Web, page 36
- Typical Deployment, page 37
- Network Connectivity, page 38
- Management Interfaces - APSolute Vision and Others, page 38
- DefensePro Features, page 39
- Related Documentation, page 40

Introducing DefensePro
Radware's award-winning DefensePro is a real-time Intrusion Prevention System (IPS) and DoS-protection device. It maintains business continuity by protecting the application infrastructure against existing and emerging network-based threats that traditional IPSs cannot detect, such as network- and application-resource misuse, malware spreading, authentication defeat and information theft.

DefensePro provides full protection from traditional vulnerability-based attacks through proactive signature updates, preventing already-known attacks, including worms, trojans, bots, SSL-based attacks, and VoIP attacks. Unlike market alternatives that rely on static signatures, DefensePro provides unique behavioral-based, automatically generated, real-time signatures, preventing attacks that are not vulnerability-based and zero-minute attacks such as network and application floods, HTTP page floods, malware propagation, Web application hacking, brute-force attacks aiming to defeat authentication schemes, and more, all without blocking legitimate users' traffic and with no need for human intervention.

With multiple-segment protection in a single unit, a pay-as-you-grow license-upgrade approach, and ease of management through hands-off security features such as no-configuration and self-tuning, DefensePro is the industry's leading IPS for best functionality, maximum affordability, and ease of management.

DefensePro System Components


Radware DefensePro is an in-line Intrusion Prevention and Denial-of-Service protection system that detects and prevents network threats in real time. DefensePro inspects incoming and outgoing traffic for potential attacks, clearing unwanted malicious traffic from the network. DefensePro also manages bandwidth and establishes traffic-shaping rules.


DefensePro User Guide Introduction

The DefensePro system contains the following components:
- DefensePro device: The term device refers to the physical platform and the DefensePro product.
- Management interface: APSolute Vision and others.
- Radware Security Update Service on the Web.

Figure 22: DefensePro System Components

[Figure: three nodes. Security Update Service at www.radware.com (Weekly Updates, Emergency Updates, Custom Updates); DefensePro Device (Traffic Scanning Against Attacks, Traffic Shaping); APSolute Vision Management Station (Configuring, Monitoring, Reporting). The links are labeled Signature Update (between the Security Update Service and the DefensePro device), and Security logging and Configuration and device events (between the DefensePro device and the APSolute Vision management station).]

Radware Security Update Service on the Web


Radware's Security Update Service delivers immediate and ongoing signature updates, protecting against the latest network and application security threats, including worms, trojans, bots, and application vulnerabilities, to safeguard your applications, network and users. The Security Update Service consists of the following key service elements:
- 24/7 Security Operations Center (SOC) Scanning: Continuous threat monitoring, detection, risk assessment and filter creation for threat mitigation.
- Emergency Filters: Rapid-response filter releases for high-impact security events.
- Weekly Updates: Scheduled periodic updates to the signature files, with automatic distribution through Radware APSolute Vision, or on-demand download from http://www.radware.com/content/support/securityzone/serviceinfo/default.asp.
- Custom Filters: Custom filters for environment-specific threats and for newly discovered attacks reported to the SOC.

For up-to-date security information, refer to the Radware Security Zone, available from the Radware Web site: http://www.radware.com/content/support/securityzone/serviceinfo/default.asp.



Typical Deployment
The following illustration shows an in-line installation of DefensePro IPS in an enterprise. In this deployment, DefensePro is located at the gateway, protecting hosts, servers and network resources against incoming network attacks. DefensePro also protects DMZ servers against attacks targeting Web, e-mail, VoIP and other services. This Radware deployment is at the enterprise gateway, in front of the DMZ servers, where DefensePro provides perimeter protection for the enterprise servers, users, routers and firewalls.

Figure 23: Typical DefensePro Deployment


Network Connectivity
The following figure shows the typical network topology of DefensePro.

Figure 24: Typical Network Connectivity

Management InterfacesAPSolute Vision and Others


APSolute Vision is the main management interface for DefensePro. Additional management interfaces for DefensePro devices include: Web-Based Management (WBM) Command-Line Interface (CLI)

You can perform most tasks using any of the management systems. However, for the most part, this guide describes management tasks by means of APSolute Vision. APSolute Vision is a graphical application that enables you to configure, modify, monitor, and generate reports centrally for single or multiple DefensePro deployments.

You can connect a DefensePro device to management interfaces through the network physical interfaces or through the serial port. DefensePro supports the following connection types:
- Network connection: SNMP, HTTP, HTTPS, Telnet, SSH
- Serial port connection: RS-232 at up to 115.2 kbit/s (default 19.2 kbit/s)

Of these, Telnet, HTTP and SNMPv1 carry credentials and configuration in cleartext. Where the deployment allows, restrict management to SSH, HTTPS and SNMPv3 and disable the cleartext protocols (see Configuring Access Protocols, page 63, and Configuring SNMP Supported Versions, page 64).
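The management protocols listed above are also the first thing an attacker enumerates on a management network. As an added example, not code from this guide or from Radware, the following script probes a management IP for the five network protocols listed (a TCP connect for SSH, Telnet, HTTP and HTTPS; a hand-built SNMPv1 GetRequest for sysDescr.0 on UDP/161) and reports which of the reachable ones carry credentials in cleartext. Assumptions: IANA default ports, the community string `public` for the SNMP probe (so an answer also means a default community is accepted), and the placeholder host 192.0.2.10. Run it only against devices you are authorized to test.

```python
"""Probe which network management protocols a DefensePro management IP answers on.

Added example, not code from the DefensePro User Guide or from Radware. It
probes the protocols the guide lists for the network connection (SNMP, HTTP,
HTTPS, Telnet, SSH) and flags those that carry credentials in cleartext.
Assumptions: IANA default ports, SNMPv1 community 'public' for the probe, and
a policy under which only SSH, HTTPS and SNMPv3 should be exposed.
"""
import socket

# service -> (transport, default port, carries credentials in cleartext)
MGMT_SERVICES = {
    "SSH": ("tcp", 22, False),
    "HTTPS": ("tcp", 443, False),
    "Telnet": ("tcp", 23, True),
    "HTTP": ("tcp", 80, True),
    "SNMPv1": ("udp", 161, True),   # v3 can authenticate and encrypt; v1 cannot
}
SYSDESCR_OID = bytes([0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x01, 0x00])  # 1.3.6.1.2.1.1.1.0


def ber(tag: int, payload: bytes) -> bytes:
    """Minimal BER TLV with short-form length (every payload here is < 128 bytes)."""
    if len(payload) >= 128:
        raise ValueError("short-form length only")
    return bytes([tag, len(payload)]) + payload


def snmpv1_get_request(community: bytes, oid: bytes, request_id: int = 1) -> bytes:
    """Hand-built SNMPv1 GetRequest for one OID (RFC 1157 layout); request_id in 0..127."""
    varbind = ber(0x30, ber(0x06, oid) + ber(0x05, b""))             # { oid, NULL }
    pdu = ber(0xA0,                                                    # GetRequest-PDU
              ber(0x02, bytes([request_id]))                           # request-id
              + ber(0x02, b"\x00") + ber(0x02, b"\x00")                # error-status, error-index
              + ber(0x30, varbind))                                    # VarBindList
    return ber(0x30, ber(0x02, b"\x00") + ber(0x04, community) + pdu)  # version 0 = SNMPv1


def tcp_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def snmpv1_answers(host: str, port: int = 161, community: bytes = b"public",
                   timeout: float = 2.0) -> bool:
    """True if the device answers an SNMPv1 GET with the given community."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(snmpv1_get_request(community, SYSDESCR_OID), (host, port))
        try:
            data, _ = s.recvfrom(1500)
        except OSError:          # includes socket.timeout
            return False
    return len(data) > 0 and data[0] == 0x30   # an SNMP message is a BER SEQUENCE


def probe(host: str) -> dict[str, bool]:
    """Reachability of each listed management service on host (does network I/O)."""
    result = {}
    for name, (transport, port, _) in MGMT_SERVICES.items():
        result[name] = tcp_open(host, port) if transport == "tcp" else snmpv1_answers(host, port)
    return result


def assess(reachable: dict[str, bool]) -> dict[str, list[str]]:
    """Split the reachable services into acceptable and cleartext exposures."""
    report = {"ok": [], "cleartext": []}
    for name, is_up in reachable.items():
        if not is_up:
            continue
        cleartext = MGMT_SERVICES[name][2]
        report["cleartext" if cleartext else "ok"].append(name)
    return report


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # assumed management IP
    findings = assess(probe(host))
    print("encrypted/authenticated management paths:", findings["ok"])
    print("cleartext paths to disable (Access Protocols / SNMP Supported Versions):",
          findings["cleartext"])
```

Run it as `python probe_mgmt.py <management-ip>`. The SNMP probe is deliberately SNMPv1 only: an answer proves both that v1 is enabled and that the probed community is accepted, which is the combination the guide's SNMP Supported Versions and SNMP Community Settings sections let you turn off.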


The following table lists the DefensePro management protocols and the management interface that uses each of them:

Table 1: DefensePro Interfaces

Protocol          APSolute Vision   Web Based Management   Command Line Interface
SNMPv1, SNMPv3    yes               -                      -
HTTP              -                 yes                    -
Secure Web        -                 yes                    -
Telnet            -                 -                      yes
SSH               -                 -                      yes
RS-232            -                 -                      yes

Note: For more information, see Administering DefensePro, page 323.

DefensePro Features
This section provides a brief description of the main DefensePro features and includes the following topics:
- Security Protections, page 39
- Real-time Security Reporting for DefensePro, page 40
- Historical Security Reporting - APSolute Vision Reporter, page 40

Security Protections
DefensePro's multi-layer security approach combines a set of features that detect and mitigate a wide range of network attacks. DefensePro supports the following types of security protections:
- Network-wide protections comprise the following:
  - Behavioral DoS: Protects against zero-day flood attacks, including SYN floods, TCP floods, UDP floods, and ICMP and IGMP floods.
  - Scanning and worm protection: Zero-day protection against self-propagating worms, horizontal and vertical TCP and UDP scanning, and ping sweeps.
  - SYN protection: Protects against any type of SYN flood attack using advanced SYN cookies. A SYN flood attack is usually aimed at specific servers with the intention of consuming the server's resources. However, you configure SYN Protection as a Network Protection to allow easier protection of multiple network elements.
  - Connection limit: Protects against session-based attacks, such as half-open SYN attacks, request attacks and connection attacks.
- Server protections comprise the following:
  - Server-cracking protection: Zero-day protection against application-vulnerability scanning, brute-force and dictionary attacks.
  - HTTP Mitigator: Mitigates zero-day HTTP page flood attacks.
- Signature-based protections: Protects against known application vulnerabilities and common malware, such as worms, trojans, spyware, and DoS.
- Out-of-State inspection: Ensures that transmission and application stateful rules are enforced based on the TCP RFCs.
- Access Control List: Provides stateful access control.

Real-time Security Reporting for DefensePro


APSolute Vision provides real-time attack views and security service alarms for DefensePro devices. When DefensePro detects an attack, the attack is reported as a security event. DefensePro's security monitoring enables you to analyze real-time and historical attacks. When DefensePro detects an attack, it automatically generates counter-measures that you can observe and analyze using various monitoring tools. DefensePro provides you with monitoring tools that show real-time network traffic and application-behavior parameters. Security monitoring also provides statistical parameters that represent normal behavior baselines, which are generated using advanced statistical algorithms.

Historical Security Reporting: APSolute Vision Reporter


APSolute Vision supports the APSolute Vision Reporter for DefensePro. APSolute Vision Reporter is a historical security reporting engine, which provides the following:
• Customizable dashboards, reports, and notifications
• Advanced incident handling for security operating centers (SOCs) and network operating centers (NOCs)
• Standard security reports
• In-depth forensics capabilities
• Ticket workflow management

Related Documentation
See the following documents for information related to DefensePro:
• DefensePro Release Notes and Maintenance Release Notes
• Radware Installation and Maintenance Guide
• APSolute Vision Documentation
• APSolute Vision Reporter Documentation

DefensePro Release Notes and Maintenance Release Notes


See the DefensePro Release Notes and DefensePro Maintenance Release Notes for information about the relevant DefensePro version.

Radware Installation and Maintenance Guide


See the DefensePro Installation and Maintenance Guide for the following:
• Pre-installation procedures, which include:
  - Mounting the platform
  - Verifying accessibility of management ports
• Connecting and installing DefensePro, which includes:
  - Information on DefensePro physical platforms
  - Connecting the Management port cable
  - Connecting the inspection ports cables
• Installing APSolute Vision
• Initializing DefensePro using APSolute Vision, which comprises the following:
  - Connecting DefensePro using APSolute Vision
  - Adding a DefensePro device

The DefensePro Installation and Maintenance Guide includes additional useful information on the following:
• Maintenance and software upgrade
• Troubleshooting
• Hardware upgrades
• Specifications

APSolute Vision Documentation


APSolute Vision documentation includes the following:
• APSolute Vision Administrator Guide. See this for information about:
  - APSolute Vision features
  - User management, for example, adding users and defining their permissions.
  - Adding and removing DefensePro devices.
  - Configuring sites, where a site is a physical or logical representation of a group of managed devices.
  - Administration and maintenance tasks on managed devices, such as scheduling tasks, making backups, and so on.
  - APSolute Vision CLI
• APSolute Vision User Guide. See this for information about:
  - APSolute Vision features
  - APSolute Vision interface navigation
  - Monitoring APSolute Vision, for example, version, server, database, device-configuration files, controlling APSolute Vision operations, backing up the APSolute Vision database
  - Managing auditing and alerts
  - Scheduling all APSolute Vision and device tasks
• APSolute Vision online help. See this for information about monitoring managed devices.

APSolute Vision Reporter Documentation


See the APSolute Vision Reporter online help and APSolute Vision Reporter User Guide for information about APSolute Vision Reporter and how to use it.


Chapter 2 Getting Started


This chapter describes what to do before you configure DefensePro with security policies. The DefensePro Installation and Maintenance Guide covers the information and procedures related to the physical specifications and basic setup of the APSolute Vision server and DefensePro platforms. Read the relevant information and follow the instructions in the DefensePro Installation and Maintenance Guide before you perform the other tasks covered in this chapter.

This chapter contains the following sections:
• DefensePro Physical Ports, page 43
• DefensePro Platforms and Models, page 43
• Working with DefensePro x420 Instances, page 43
• APSolute Vision User Interface Overview, page 46
• APSolute Vision Sites and DefensePro Devices, page 52
• Configuring Inspection Ports, page 52
• Updating the Attack Description File, page 54
• Managing DefensePro Security Groups, page 55

DefensePro Physical Ports


DefensePro platforms are equipped with 8P8C (RJ-45) and fiber-optic ports for inspecting traffic. By default, the RJ-45 traffic ports are configured in pairs, configured to operate in Process mode, and they are displayed in the Static Forwarding table (see Configuring Inspection Ports, page 52). You cannot delete the RJ-45 traffic ports from the Static Forwarding table. You must manually add fiber-optic ports to the Static Forwarding table, and you can delete the fiber-optic ports from the table as required. All DefensePro models support CLI commands for managing the status of physical ports. For more information, see Managing the Status of Physical Ports, page 53.

DefensePro Platforms and Models


DefensePro x420 models run on a platform that is equipped with four (4) QSFP+ 40-Gigabit Ethernet (40GbE) ports, twenty (20) SFP+ 10-Gigabit Ethernet (10GbE) ports, and two (2) RJ-45 10/100/1000 Ethernet ports for management only.

Working with DefensePro x420 Instances


DefensePro x420 contains the internal logic of two DefensePro software instances, using the DoS Mitigation Engine (DME) and physical ports as shared resources. Each DefensePro instance includes a dedicated string-matching engine (SME) unit. The capacity of each instance, in terms of bandwidth, connections per second, and packets per second, is roughly half of the total capacity of the hardware platform. In DefensePro x420, you must set the operating instance for each Network Protection policy. DefensePro does not support automatic assignment of a policy to one of the instances. When assigning a policy, you should consider the maximum capacity of an instance to balance the workload between the two instances.

Although most configuration and monitoring in DefensePro x420 devices is transparent, there are some issues that you should note.

Management-Interface Issues
When working with instances, note the following management-interface issue:
• All management interfaces operate from a single location: Instance 0. This applies to all management interfaces (CLI, WBM, and APSolute Vision).

Instance-Configuration Issues
When working with instances, note the following instance-configuration issues:
• All configuration actions are executed on both instances simultaneously by an internal process called iCDE. The values for various tuning parameters displayed in the APSolute Vision Configuration perspective are the values per instance.
• Network policies: The configuration of Network Protection policies was enhanced with an Instance ID field in the Basic Parameters group box of the Network Protection Rule dialog box. You need to set the instance ID that handles the traffic and protection set for the policy.
• Server policies: The configuration of the Server Protection policies was enhanced with a Policy field in the Server Protection Policy dialog box. You need to specify the name of the Network Protection policy of which the Server Protection policy is a subset.

Monitoring and Reporting Issues


When working with instances, note the following monitoring and reporting issues:
• APSolute Vision Connection Timeout: It is highly recommended to configure the APSolute Vision SNMP connection timeout to 20 seconds when working with x420 devices. This ensures better connectivity to APSolute Vision (Asset Management perspective System pane > General Settings > Connectivity > SNMP Parameters Towards Devices > Timeout).
• Security monitoring: All security monitoring data sent from the DefensePro platform to the managing APSolute Vision server and displayed in the Security Monitoring perspective remains as it is with other DefensePro platforms. The security reports do not include an indication of the assigned instance.
• Additional reporting destinations: All security SNMP traps and syslog messages are sent from a single source IP address, which is the defined management IP address of the DefensePro platform, regardless of the instance ID that handles the specific Network Protection policy.
• Monitoring: All other operational monitoring data is displayed in the APSolute Vision Monitoring perspective, unified for the platform, except that in DefensePro 7.20, the Session Table tab displays data from Instance 0 only.

Optimizing Performance When Working with Instances


When working with instances, note the following for optimizing performance:
• Balancing policies: To reach maximum capacity, Network Protection policies should be balanced such that the expected legitimate traffic CPS values are divided equally between the instances. You can use CPS traffic monitoring to determine the CPS values per policy.
• Splitting policies: In cases where the CPS of one policy is very high, it is recommended to divide the Network-Protection-policy classification definitions into two policies and assign each policy to a different instance.
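The balancing and splitting advice above can be worked through as a small planning script before the Instance ID of each policy is set. The following is an added example, not Radware code and not part of this guide: the per-policy CPS figures are constructed sample values standing in for what CPS traffic monitoring reports, INSTANCE_CAPACITY_CPS is a placeholder rather than a product figure, and the "-a"/"-b" names given to the two halves of a split policy are assumed.

```python
"""Plan the assignment of Network Protection policies to the two DefensePro
x420 instances by expected legitimate CPS.

Added example; this is not Radware code. The CPS figures are constructed
sample data and INSTANCE_CAPACITY_CPS is a placeholder, not a product figure.
"""
from dataclasses import dataclass, field
from typing import Dict, List

INSTANCES = (0, 1)  # DefensePro x420 exposes Instance 0 and Instance 1


@dataclass
class Policy:
    name: str
    cps: int  # expected legitimate connections per second for this policy


@dataclass
class Plan:
    # policy name -> Instance ID to enter in the policy's Basic Parameters
    assignment: Dict[str, int] = field(default_factory=dict)
    load: Dict[int, int] = field(default_factory=lambda: {i: 0 for i in INSTANCES})
    # policies whose CPS alone exceeds one instance: candidates for splitting
    split_candidates: List[str] = field(default_factory=list)


def balance_policies(policies: List[Policy], instance_capacity_cps: int) -> Plan:
    """Greedy balancing: take policies from the largest CPS down and give each
    one to the instance that currently carries less load. Policies whose CPS
    alone exceeds the per-instance capacity are flagged for splitting."""
    plan = Plan()
    for policy in sorted(policies, key=lambda p: p.cps, reverse=True):
        if policy.cps > instance_capacity_cps:
            plan.split_candidates.append(policy.name)
        target = min(INSTANCES, key=lambda i: plan.load[i])  # ties go to Instance 0
        plan.assignment[policy.name] = target
        plan.load[target] += policy.cps
    return plan


def split_large_policies(policies: List[Policy], instance_capacity_cps: int) -> List[Policy]:
    """Model the guide's advice for a very high-CPS policy: divide its
    classification into two policies (the -a/-b suffixes are assumed names)
    so that each half can be assigned to a different instance."""
    result: List[Policy] = []
    for policy in policies:
        if policy.cps > instance_capacity_cps:
            half = policy.cps // 2
            result.append(Policy(f"{policy.name}-a", half))
            result.append(Policy(f"{policy.name}-b", policy.cps - half))
        else:
            result.append(policy)
    return result


def imbalance_ratio(plan: Plan) -> float:
    """0.0 means the CPS load is divided equally; 1.0 means one instance carries everything."""
    total = sum(plan.load.values())
    return abs(plan.load[0] - plan.load[1]) / total if total else 0.0


def over_capacity(plan: Plan, instance_capacity_cps: int) -> List[int]:
    """Instances whose planned legitimate CPS exceeds the capacity placeholder."""
    return [i for i in INSTANCES if plan.load[i] > instance_capacity_cps]


# Constructed sample data (not measured values).
SAMPLE_POLICIES = [
    Policy("web-farm", 80_000),
    Policy("dns", 20_000),
    Policy("mail", 15_000),
    Policy("vpn", 5_000),
]
INSTANCE_CAPACITY_CPS = 70_000  # placeholder per-instance capacity

if __name__ == "__main__":
    first = balance_policies(SAMPLE_POLICIES, INSTANCE_CAPACITY_CPS)
    print("before splitting:", first.load, "over capacity:", over_capacity(first, INSTANCE_CAPACITY_CPS))
    second = balance_policies(split_large_policies(SAMPLE_POLICIES, INSTANCE_CAPACITY_CPS),
                              INSTANCE_CAPACITY_CPS)
    print("after splitting: ", second.load, "imbalance:", imbalance_ratio(second))
    for name, instance in second.assignment.items():
        print(f"  {name:12s} -> Instance {instance}")
```

Running it shows the two situations the guide describes: with the single very high-CPS policy left whole, Instance 0 ends up carrying it alone and over the placeholder capacity, while after splitting its classification into two policies the halves land on different instances and the planned CPS load comes out equal.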


Logging into APSolute Vision


To start working with APSolute Vision, you log into the APSolute Vision client. After successfully logging in with a username and authenticated password, the APSolute Vision client application opens. The APSolute Vision client connects to the specified APSolute Vision server. This means that you always work online with APSolute Vision and its managed network elements. Up to 10 users can access the APSolute Vision server simultaneously. APSolute Vision supports role-based access control (RBAC) to manage user privileges. Your credentials and privileges may be managed through a RADIUS Authentication server or through the local APSolute Vision user database. For RBAC users, after successful authentication of your username and password, your role is determined together with the devices that you are authorized to manage. The assigned role remains fixed throughout your user session, and you can access only the content panes, menus, and operations that the role allows. Depending on the configuration of the APSolute Vision server, you may be prompted to change your user password when you log in for the first time. If you enter the credentials incorrectly, you are prompted to re-enter the information. After a globally defined number of consecutive failures, the APSolute Vision server locks you out of the system. If you use local user credentials, a user administrator can release the lockout by resetting the password to the global default password. If you use RADIUS credentials, you must contact the RADIUS administrator.

To log into APSolute Vision as an existing user


1. Click the APSolute Vision Client program icon.
2. In the login dialog box, specify the following:
   • User Name: The name of the user.
   • Password: The password for the user. Depending on the configuration of the server, you may be required to change your password immediately. Default: radware.
   • Vision Server: The name or IP address of the APSolute Vision server. This parameter is displayed if you click Options. Otherwise, the login procedure tries to connect to the APSolute Vision server that was specified previously.
   • Authentication: The method to authenticate the user: Local or RADIUS. That is, select whether to use the credentials stored in the APSolute Vision server or the credentials managed by the specified RADIUS Authentication server (see Configuring RADIUS Server Connections, page 34). This parameter is displayed if you click Options. Otherwise, the login procedure tries to connect to the APSolute Vision server using the authentication method that was specified previously.

3. Click OK.

Changing Password for Local Users


If your user credentials are managed through the local APSolute Vision Users table (not RADIUS), you can change your user password at the login. For information about password requirements, see APSolute Vision Password Requirements, page 60.


To change a password for a local user


1. Click the APSolute Vision Client program icon.
2. In the User Name drop-down list, enter your username.
3. Click Options.
4. Click Change Password.
5. In the dialog box, enter your old password, new password, and confirm the new password.
6. Click OK. Your new password is saved and the APSolute Vision dialog box is displayed.

APSolute Vision User Interface Overview


The APSolute Vision interface follows a consistent hierarchical structure, organized functionally to enable easy access to options. You start at a high functional level and drill down to a specific module, function, or object. Each high-level function, such as device configuration, monitoring, or viewing real-time reports, is accessible from a separate perspective. APSolute Vision supports the following perspectives:
• Configuration Perspective, page 46
• Monitoring Perspective, page 49
• Security Monitoring Perspective, page 50
• Asset Management Perspective, page 51

Note: You can configure which perspective is displayed by default when you start an APSolute Vision client session.

Configuration Perspective
Use the Configuration perspective to configure Radware devices. Typically, you choose the device to configure in the Configuration perspective system pane Organization tab. You can view and modify device settings in the content pane tabs, which have their own navigation panes for easier navigation through configuration tasks. You can filter the sites and devices that APSolute Vision displays. The filter does not change the contents of the tree, only how APSolute Vision displays the tree to you. The Configuration perspective also includes the Properties pane, which displays information about the currently selected device.


Figure 25: Configuration Perspective (DefensePro)

Figure callouts:
• System pane Organization tab: Displays, according to your filter, the site tree, configured sites, and configured devices
• Button that opens the APSolute Vision Reporter
• Configuration button: Opens the Configuration perspective
• Navigation area for the tab
• Content area
• Properties pane
• Alerts pane: Displays the Alerts tab. The Alerts tab displays APSolute Vision alerts, device alerts, and DefensePro security alerts.

The following points apply to all configuration tasks in the Configuration perspective:
• To configure a device, you must lock it. For more information, see the APSolute Vision documentation.
• When you change a field value, the field label is displayed in italics.
• Mandatory fields are displayed in red. You must enter data, or select an option, in these fields. After setting a mandatory field, the field label changes to black.
• By default, tables display up to 20 rows per table page. You can change the number of rows per table page up to a maximum of 100 rows.
• You can perform one or more of the following operations on table entries:
  - Add a new entry to the table, and define its parameters.
  - Edit one or more parameters of an existing table entry.
  - Delete a table entry.

Device configuration information is saved only on the DefensePro device, not in the APSolute Vision database. To commit information to the device, you must do the following:
• Click OK when you modify settings in a configuration dialog box.
• Click Submit when you modify settings in a configuration page.
• Some configuration changes require an immediate device reboot. When you submit such a configuration change, the device reboots immediately.
• Some configuration changes require a device reboot to take effect, but you can save the change without an immediate reboot. When you submit a change without a reboot, the Properties pane displays a Reboot Required notification until you reboot the device.
• Click Update Policies to implement policy-configuration changes if necessary. Policy-configuration changes for a device are saved on the DefensePro device, but the device does not apply the changes until you perform a device configuration update.

Example Device selection in the Configuration perspective


The following example shows the selections you would make to view or change configuration parameters for a Radware device:
1. Open the Configuration perspective by clicking the Configuration button at the top of the window.
2. Select the required device in the system pane by drilling down through the sites and subsites.
3. Right-click the device name, and select Lock Device.
4. Select the required configuration tab in the content pane. Each tab displays a tab navigation pane and configuration options.
5. Select an option in the navigation pane.
6. You can now view and change configuration parameters.


Monitoring Perspective
In the Monitoring perspective, you can monitor physical devices and interfaces, and logical objects, such as farms and servers. The Monitoring perspective navigation pane contains two navigation tabs. The System tab contains the physical devices and interfaces. The Properties pane displays information about the currently selected device. The content pane for each type of entity contains tabs in which you can view different types of information. Some tabs contain a navigation pane. You can filter the sites and devices that APSolute Vision displays. The filter does not change the contents of the tree, only how APSolute Vision displays the tree to you.

Figure 26: Monitoring Perspective (DefensePro)

Figure callouts:
• System pane: Includes the Organization, Application Delivery, and Physical tabs. The Organization tab is relevant for DefensePro.
• Navigation area for the tab
• Monitoring button: Opens the Monitoring perspective
• Content area
• Properties pane
• Alerts pane: Displays the Alerts tab. The Alerts tab displays APSolute Vision alerts, device alerts, and security alerts.


Security Monitoring Perspective


The Security Monitoring perspective is displayed only for devices that support the relevant Security module. You can filter the sites and devices that APSolute Vision displays. The filter does not change the contents of the tree, only how APSolute Vision displays the tree to you. In the Security Monitoring perspective, you can access a collection of real-time security-monitoring tools that provide visibility regarding current attacks that the DefensePro device has detected. The Properties pane displays information about the currently selected device.

The Security Monitoring perspective includes the following tabs:
• Security Dashboard: A graphical summary view of all current active attacks in the network with color-coded attack-category identification, graphical threat-level indication, and instant drill-down to attack details.
• Current Attacks: A view of the current attacks in a tabular format with graphical notations of attack categories, threat-level indication, drill-down to attack details, and easy access to the protecting rules for immediate fine-tuning.
• Traffic Monitoring: A real-time graph and table displaying network information, with the attack traffic and legitimate traffic filtered according to specified traffic direction and protocol.
• Geo Map: A graphical map view that displays threats by origin with hierarchical drill-down to IP level.
• Protection Monitoring: Real-time graphs and tables with statistics on rules, protections according to specified traffic direction and protocol, along with learned traffic baselines.
• HTTP Reports: Real-time graphs and tables with statistics on rules, protections according to specified traffic direction and protocol, along with learned traffic baselines.

Figure 27: Security Monitoring Perspective (Showing the Security Dashboard)


Asset Management Perspective


The Asset Management perspective is displayed only to users with the Administrator or User Administrator role. A user with the User Administrator role can only view and configure local users. For more information about roles and the Asset Management perspective, see the APSolute Vision User Guide.

Figure 28: Asset Management Perspective

Figure callouts:
• System pane
• Content area
• Asset Management button: Opens the Asset Management perspective
• Alerts pane: Displays the Alerts tab. The Alerts tab displays APSolute Vision alerts, device alerts, and DefensePro security alerts.

APSolute Vision Sites


You can organize the Radware devices that APSolute Vision manages according to sites. APSolute Vision displays the sites and managed devices in the system tab. Typically, a site is a group of devices that share properties, such as location, services, or device type. You can nest sites; that is, each site can contain subsites and devices. In the context of role-based access control (RBAC), sites enable administrators to define the scope of each user. Sites also play a role in the context of vADCs and ADC-VXs. When you manage a vADC hosted by an ADC-VX in the Physical tab, you specify the site under which that vADC is displayed in the Organization tab.


APSolute Vision Sites and DefensePro Devices


A site in APSolute Vision is a physical or logical representation of a group of managed devices, such as managed DefensePro devices. A site can be based on a geographical location, an administrative function, device type, and so on. Each site can contain nested sites and devices. Before you can configure a DefensePro device and security policies through APSolute Vision, the DefensePro device must exist on, and be connected to, the APSolute Vision server. The sites and DefensePro devices are displayed in the System tab. Only users with the proper permissions can add sites and DefensePro devices to an APSolute Vision server.

See the APSolute Vision Administrator Guide for information on the following topics:
• APSolute Vision sites
• Configuring sites
• Adding and removing devices
• Administration and maintenance tasks on managed devices, such as scheduling tasks, making backups, and so on

For information about monitoring managed devices through APSolute Vision, see the APSolute Vision online help.

Configuring Inspection Ports


An inspection port is a port on a DefensePro device that you can configure to receive, inspect, and transmit traffic. This section contains the following:
• Configuring Port Pairs
• Managing the Status of Physical Ports

Configuring Port Pairs


You can configure ports on a DefensePro device to receive, inspect, and transmit traffic. The traffic from the receiving port is always sent out of the device from its corresponding transmitting port. The ports are paired; one port receives traffic while another transmits traffic. You can set the operation mode of a port pair. When the port pair operates in Process mode, the traffic is inspected for attacks and traffic sampling policies are applied. When the port pair operates in Forward mode, the traffic is forwarded to the destination port without any inspection.

To configure a pair of ports


1. In the Configuration perspective Networking tab navigation pane, select Port Pairs.
2. Do one of the following:
   • To add a pair of ports, click the Add button.
   • To edit a pair of ports, double-click the row.
3. Configure the parameters; and then, click OK.


Table 2: Port Pair Parameters

Parameter
    Description

Port Pairs

    Source Port
        The user-defined source port for received traffic.

    Destination Port
        The user-defined destination port for transmitted traffic.

    Operation
        The operation mode assigned to a pair of ports.
        Values:
        • Forward: The traffic is forwarded without any inspection.
        • Process: The traffic passes through the CPU and is inspected for attacks, bandwidth, and so on.

    In Port
        Specifies which port in the pair is designated as the inbound port: the source or destination port. This setting is used in real-time reports for inbound and outbound traffic.

Advanced Parameters

    Enable Interface Grouping
        Specifies whether the device groups the statuses of the port-pair interfaces. When the option is enabled, if one port of a port pair is disconnected, DefensePro sets the status of the paired port to disconnected also; so, a remote device connected to the DefensePro device perceives the same disconnected status. Typically, the option is enabled when DefensePro is configured between switches that use link redundancy. Interface grouping is the only way both switches always perceive the same DefensePro interface status.
        Default: Disabled

Managing the Status of Physical Ports


You can manage the status of physical ports using CLI.

To view the status of a physical port using CLI


Run the following command:

device enter-failure-state get <port>


where port is the identifier of the physical port.


To set the status of a physical port using CLI


Run the following command:

device enter-failure-state set <port> -fs <failure-state>


where port is the identifier of the physical port and the value for the failure-state flag can be:
• 1: enable
• 2: disable

Example:

device enter-failure-state set 2 -fs 1

sets the status of port 2 on the device to fail. The port will fail to the state that is defined in the Static Forwarding table.

Updating the Attack Description File


The Attack Description file contains descriptions of all the different attacks. You can view a specific description by entering the attack name. When you first configure APSolute Vision, you should download the latest Attack Description file to the APSolute Vision server. The file is used for real-time and historical reports to show attack descriptions for attacks coming from DefensePro devices. The file versions on APSolute Vision and on the DefensePro devices should be identical; Radware recommends updating the file at regular intervals on APSolute Vision and on the individual devices so that the versions stay in sync. When you update the Attack Description file, APSolute Vision downloads the file directly from Radware.com or from the enabled proxy file server.

To update the Attack Description file


1. Do one of the following:
   • In the Asset Management perspective system pane, select General Settings; and then, in the content pane, select the Overview tab and click Update in the Attack Description group box.
   • In the Asset Management perspective system pane, right-click General Settings; and then, select Update Attack Description File.
2. Do one of the following:
   • To update the Attack Description file from Radware, select the Radware.com radio button.
   • To update the file from the APSolute Vision client host:
     a. Select the Client radio button.
     b. In the File Name text box, enter the file path of the Attack Description file or click Browse to navigate to and select the file.
3. Click Send and OK.
4. The Alerts pane displays a success or failure notification and whether the operation was performed using a proxy server.

Managing DefensePro Security Groups


APSolute Vision can manage Security Groups, which are groups of DefensePro devices that share security-threat information. The configuration of a Security Group includes senders and receivers. Senders send security-threat information detected by the Anti-Scanning and/or Server Cracking modules to APSolute Vision. Receivers receive security-threat information from APSolute Vision as Dynamic Black List rules. A device can be both a sender and a receiver in the same group. When a sender detects an attack and sends the information to APSolute Vision, APSolute Vision configures each receiver with a Dynamic Black List rule that corresponds to the detected threat information.

Note: For more information on black-list rules, see Configuring Black Lists, page 218.

DefensePro devices running version 6.05 and later can be senders and/or receivers. DefensePro devices running versions prior to 6.05 can be senders only. A receiver in a DefensePro Security Group cannot be a secondary device in a cluster.

Security Groups reduce false negatives in various environments and enhance DefensePro's proactive approach to security. Especially in asymmetrical network environments, there are cases where a DefensePro device inspects only one direction of the traffic while other DefensePro devices inspect the rest of the traffic. In such cases, without a Security Group to share information, when a DefensePro device identifies a source as a threat and suspends it (blocks it), other DefensePro devices can continue to forward traffic from the same source. In an extreme example of an asymmetric (stateful) environment, a DefensePro device may identify a malicious source based on server responses, though the DefensePro device cannot block the source because the traffic originated by the source passes through another DefensePro device. In such cases, with a Security Group to share the information, all the receiver DefensePro devices can block the malicious traffic.

Caution: The Security Groups feature does not support redundant APSolute Vision servers. Unexpected results may occur if more than one APSolute Vision server manages the DefensePro devices that are members of a Security Group.

Note: APSolute Vision does not limit the number of Security Groups, the number of senders, or the number of receivers. Radware has tested the feature with five Security Groups, each with five senders and five receivers.

Security Group behavior:
1. The Anti-Scanning or Server Cracking module of a sender detects an attack. The configuration of the Security Group includes the modules (Anti-Scanning and/or Server Cracking) that participate in the group.
2. The sender notifies APSolute Vision using the regular security-event traps.
3. APSolute Vision configures each receiver with a Dynamic Black List rule. The rule name is in the following format:

   <SecurityGroupName> hhmm $$$$

   where:
   • hhmm is the time (hour and minutes) at which the Security Group configured the rule. This is the time set in the APSolute Vision server (and not on the DefensePro receiver or sender).
   • $$$$ is a four-character hexadecimal hash of the event ID in the security-event trap.

   The configuration of the black-list rule (in the receiver) exposes the Detector Module and the Detector IP Address (in the Detector Security Module and Detector text boxes), which identify the protection module (for example, Anti-Scanning) and the sender that detected the attack.

APSolute Vision does not configure a sender with a black-list rule based on its own security events. That is, if a DefensePro device is a sender and a receiver in a Security Group, when the device sends a security-event trap to the Security Group, APSolute Vision does not configure that same device with the corresponding black-list rule.

The configuration of the Security Group determines the blocking period and whether the rule blocks all the traffic from the source or only a combination of the following:
• Attacked address
• Attacked port
• Protocol

To configure a DefensePro Security Group

1. In the Asset Management perspective System tab navigation pane, select DefensePro Security Groups.
2. Do one of the following:
   - To add an entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 3: Security Group Parameters

Enabled: Specifies whether the Security Group is enabled. This enables you to keep a Security Group configuration even when it is not in use. Default: Disabled

Group Name: The name of the Security Group.

Blocking Period: The time, in minutes, that the receivers block traffic. This is the value of the Expiration Timer in the black-list rule with which APSolute Vision configures the receivers. The Expiration Timer fields display the time remaining. Values: 1-120. Note: For information on black lists, see Configuring Black Lists, page 218.

Blocking Rule Parameters: The Security Group uses a Boolean AND operator to determine which packets to block. That is, the more parameters enabled here, the more specific the blocked traffic.
- Source (read-only, always enabled): Specifies that the receivers always block all the traffic from the IP address of the source of the attack.
- Destination IP Address: Specifies that the receivers block the IP address of the attacked machine. Default: Disabled
- Destination Port: Specifies that the receivers block the attacked port of the attacked machine. Default: Disabled
- Protocol: Specifies that the receivers block the protocol used in the attack. Default: Disabled

Security Modules:
- Anti-Scanning: Specifies that the receivers block malicious traffic detected by the Anti-Scanning module of the senders. Default: Enabled
- Server Cracking: Specifies that the receivers block malicious traffic detected by the Server Cracking module of the senders. Default: Enabled

Senders: The Available Devices list and the Selected Devices list. The Available Devices list displays the available DefensePro devices. The Selected Devices list displays the senders of the Security Group.

Receivers: The Available Devices list and the Selected Devices list. The Available Devices list displays the available DefensePro devices. The Selected Devices list displays the receivers of the Security Group.
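The rule naming, Boolean-AND matching and Blocking Period expiry described above, as an added Python model that is not Radware code. The guide does not name the hash function behind $$$$, so a truncated SHA-256 is assumed; the event, receivers and packets are constructed sample values.

```python
import hashlib
import re
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Set

# Rule-name format from the guide: <SecurityGroupName> hhmm $$$$
RULE_NAME_RE = re.compile(
    r"^(?P<group>.+) (?P<hhmm>(?:[01]\d|2[0-3])[0-5]\d) (?P<hash>[0-9a-f]{4})$", re.I)


def event_id_hash(event_id: str) -> str:
    """Four-character hexadecimal hash of the trap's event ID.
    ASSUMPTION: the guide does not name the hash function, so a truncated
    SHA-256 stands in for whatever APSolute Vision actually uses."""
    return hashlib.sha256(event_id.encode()).hexdigest()[:4]


def make_rule_name(group: str, vision_time: datetime, event_id: str) -> str:
    """hhmm comes from the APSolute Vision server clock, not from a device clock."""
    return f"{group} {vision_time:%H%M} {event_id_hash(event_id)}"


def parse_rule_name(name: str):
    """Split a rule name into (group, hhmm, hash); raises ValueError if malformed."""
    m = RULE_NAME_RE.match(name)
    if not m:
        raise ValueError(f"not a Security Group rule name: {name!r}")
    return m["group"], m["hhmm"], m["hash"].lower()


@dataclass(frozen=True)
class BlockingRuleParameters:
    """Table 3 'Blocking Rule Parameters'; Source is always enabled."""
    destination_ip: bool = False
    destination_port: bool = False
    protocol: bool = False


@dataclass(frozen=True)
class SecurityEvent:
    """Fields of a sender's security-event trap (constructed sample data)."""
    event_id: str
    detector_ip: str       # the sender that detected the attack
    detector_module: str   # "Anti-Scanning" or "Server Cracking"
    source_ip: str         # address the attack came from
    attacked_ip: str
    attacked_port: int
    protocol: str


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str


@dataclass(frozen=True)
class BlackListRule:
    """The Dynamic Black List rule a receiver is configured with."""
    name: str
    detector_module: str
    detector_ip: str
    source_ip: str
    destination_ip: Optional[str]    # None: parameter not enabled, any value matches
    destination_port: Optional[int]
    protocol: Optional[str]
    expires_at: datetime             # Expiration Timer (Blocking Period)

    def matches(self, pkt: Packet) -> bool:
        """Boolean AND: every enabled criterion must match for the packet to be blocked."""
        return (pkt.src_ip == self.source_ip
                and (self.destination_ip is None or pkt.dst_ip == self.destination_ip)
                and (self.destination_port is None or pkt.dst_port == self.destination_port)
                and (self.protocol is None or pkt.protocol.upper() == self.protocol.upper()))

    def blocks(self, pkt: Packet, now: datetime) -> bool:
        """A rule blocks only while its Expiration Timer has not run out."""
        return now < self.expires_at and self.matches(pkt)


def build_receiver_rules(group: str, params: BlockingRuleParameters, blocking_period_min: int,
                         modules: Set[str], event: SecurityEvent, receivers: List[str],
                         vision_time: datetime) -> Dict[str, BlackListRule]:
    """Rules pushed to each receiver for one event. Events from a module that is not
    in the group are ignored, and a device never receives a rule derived from its own
    event (a device can be both a sender and a receiver)."""
    if not 1 <= blocking_period_min <= 120:
        raise ValueError("Blocking Period must be 1-120 minutes")
    if event.detector_module not in modules:
        return {}
    rule = BlackListRule(
        name=make_rule_name(group, vision_time, event.event_id),
        detector_module=event.detector_module,
        detector_ip=event.detector_ip,
        source_ip=event.source_ip,
        destination_ip=event.attacked_ip if params.destination_ip else None,
        destination_port=event.attacked_port if params.destination_port else None,
        protocol=event.protocol if params.protocol else None,
        expires_at=vision_time + timedelta(minutes=blocking_period_min),
    )
    return {r: rule for r in receivers if r != event.detector_ip}
```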


Chapter 3 Basic Device Configuration


Users with the proper permissions can add DefensePro devices to the sites tree and configure them. The following topics describe basic device-configuration tasks:
- Locking and Unlocking a Device, page 59
- DefensePro Device Setup, page 60
- Advanced Parameters, page 84
- Configuring SNMP, page 106
- Configuring Device Users, page 114
- Configuring Access Permissions on Physical Ports, page 116
- Configuring Port Pinging, page 116

Locking and Unlocking a Device


When you have permissions to perform device configuration on a specific device, you must lock the device before you can configure it. Locking the device ensures that other users cannot make configuration changes at the same time. The device remains locked until you unlock it, you disconnect, the Device Lock Timeout elapses, or an Administrator unlocks it. Locking a device in APSolute Vision does not apply to configuration of the same device from another APSolute Vision server, from WBM, or from the CLI.

Note: Only one APSolute Vision server should manage any one Radware device. For more information, see the APSolute Vision Administrator Guide.

While the device is locked:
- The device icon in the main navigation pane System tab includes a small lock symbol for DefensePro.
- Configuration panes are displayed in read-only mode to other users with configuration permissions for the device.
- If applicable, the (Commit) button is displayed.
- If applicable, the (Add) button is displayed.

To lock a device
In the Configuration perspective main navigation pane System tab, right-click the device name, and select Lock Device.


To unlock a device
In the Configuration perspective main navigation pane System tab, right-click the device name, and select Unlock Device.

DefensePro Device Setup


You can configure the following setup parameters for a selected DefensePro device:
- Configuring DefensePro Global Parameters, page 60
- Configuring Date and Time Synchronization, page 61
- Configuring Daylight Saving, page 62
- Configuring Access Protocols, page 63
- Configuring SNMP Supported Versions, page 64
- Upgrading a License for a DefensePro Device, page 65
- Configuring RADIUS Authentication for Device Management, page 67
- Configuring Syslog Settings, page 68
- Managing Certificates, page 69
- Configuring High Availability, page 74
- Configuring BOOTP, page 81
- Configuring DNS Client Settings, page 82
- Configuring DefensePro Security Signaling, page 82

Configuring DefensePro Global Parameters


You can view the following device information:
- Basic device parameters
- The time and date settings on the device
- Device hardware and software versions

To view and configure DefensePro global parameters


1. In the Configuration perspective Setup tab navigation pane, select Global Parameters.
2. Configure location and contact information, if required; and then, click (Submit) to submit the changes.

Table 4: DefensePro Global Parameters

Basic Parameters
Device Description: (Read-only) The description configured on the device.
Device Name: (Read-only) The device name configured in APSolute Vision.
Location: Enter the device location, if required.
Contact Information: Enter contact information, if required.
System Up Time: (Read-only) The length of time that the device has been up since the last device reboot.
Base MAC Address: (Read-only) The MAC address of the device hardware.
Device Serial Number: (Read-only) The serial number of the device hardware.

Date and Time
Device Time: (Read-only) The time setting on the device.
Device Date: (Read-only) The date setting on the device.

Version Information
Software Version: (Read-only) The version of the product software on the device.
Hardware Version: (Read-only) The version of the device hardware.

Configuring Date and Time Synchronization


DefensePro uses Network Time Protocol (NTP) to synchronize time and date. NTP enables device synchronization by distributing an accurate clock across the network. At predefined intervals, a device sends time query messages to the NTP Server. The server sends the date and time to the device. Enabling or disabling the NTP capability results in different levels of accuracy.

Note: When NTP is disabled, the time and date must be set manually for the device.

To configure DefensePro date and time synchronization


1. In the Configuration perspective Setup tab navigation pane, select Time Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 5: NTP Parameters

Enable NTP: Enables or disables the NTP feature. Default: Disabled. Note: The NTP Server Address must be configured to enable the NTP feature.
Server Name: The IP address of the NTP server.
L4 Port: The NTP server port. Default: 123
Polling Interval: The interval, in seconds, between time query messages sent to the NTP server. Default: 64
Time Zone: The time-zone offset from GMT (-12:00 to +12:00 hours). Default: 00:00

Configuring Daylight Saving


DefensePro supports daylight savings time. You can configure the daylight savings time start and end dates and times. During daylight savings time, the device automatically adds one hour to the system clock. The device also indicates whether it is on standard time or daylight saving time.

Note: When the system clock is manually configured, the system time is changed only when daylight saving time starts or ends. When daylight saving time is enabled during the daylight saving time period, the device does not change the system time.

To configure DefensePro daylight saving


1. In the Configuration perspective Setup tab navigation pane, select Time Settings > Daylight Saving.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 6: Daylight Saving Parameters

Enabled: Enables or disables daylight saving time. Default: Disabled
Begins at: The start date and time for daylight saving time.
Ends at: The end date and time for daylight saving time.
Current Mode: Specifies whether the device is on standard time or daylight saving time.


Configuring Access Protocols


In addition to managing DefensePro devices using APSolute Vision, you can also use Web Based Management (WBM) and the Command Line Interface (CLI). You can connect to DefensePro devices through the following:
- WBM on the device through HTTP and HTTPS
- CLI through Telnet and SSH
- Web services

To configure access protocols for WBM and CLI


1. In the Configuration perspective Setup tab navigation pane, select Access Protocols.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 7: Access Protocol Parameters

Web Access
Enable Web Access: Specifies whether to enable access to the Web server. Default: Disabled
L4 Port: The port to which WBM is assigned. Default: 80
Web Help URL: The location (path) of the Web help files.

Secured Web Access
Enable Secured Web Access: Specifies whether to enable secured access to the Web server. Default: Disabled
L4 Port: The port through which HTTPS gets requests. Default: 443
Certificate: The certificate file used by the secure Web server for encryption.

Telnet
Enable Telnet: Specifies whether to enable Telnet access to the device. Default: Disabled
L4 Port: The TCP port used by Telnet. Default: 23
Session Timeout: The period of time, in minutes, that the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates. Values: 1-120. Default: 5. Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.
Authentication Timeout: The timeout, in seconds, required to complete the authentication process. Values: 1-60. Default: 30

SSH
Enable SSH: Specifies whether to enable SSH access to the device. Default: Disabled
L4 Port: The source port for the SSH server connection. Default: 22
Session Timeout: The period of time, in minutes, that the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates. Values: 1-120. Default: 5. Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.
Authentication Timeout: The timeout, in seconds, required to complete the authentication process. Values: 1-60. Default: 10

Web Services
Enable Web Services: Specifies whether to enable access to Web services. Default: Enabled

Configuring SNMP Supported Versions


APSolute Vision connects to DefensePro devices using SNMP. For information about SNMP, and configuring SNMP for the DefensePro devices, see Configuring SNMP, page 106.

To configure SNMP supported versions


1. In the Configuration perspective Setup tab navigation pane, select SNMP Versions.
2. Configure the parameters; and then, click (Submit) to submit the changes.


Table 8: SNMP Supported Version Parameters

Supported SNMP Versions: The currently supported SNMP versions.
Supported SNMP Versions after Reset: The SNMP versions supported by the SNMP agent after resetting the device. Select the SNMP versions to support. Clear the versions that are not supported.

Upgrading a License for a DefensePro Device


You can upgrade the capabilities of a DefensePro device using the licensing procedure. The license provided to you is a one-time license. To change licenses, you must use a new license key, after which the old license key cannot be reused. Each license is based on the device's MAC address and on a license ID that changes every time a new license is used. To obtain a license upgrade or downgrade, you must include the MAC address and the current license ID of the device when you order the required license part number. This information is displayed in the License Upgrade window. You will receive the new license string by e-mail. After you enter the new license information in the License Upgrade pane, the old license cannot be reused.

To upgrade a license after receiving new license keys


1. In the Configuration perspective Setup tab navigation pane, select License Upgrade.
2. Configure license upgrade parameters for the new license keys; and then, click (Submit) to submit the changes.

Table 9: DefensePro License Upgrade Parameters

Basic Information
Base MAC Address: The MAC address of the first port on the device. This is the MAC address on which the license is based.

License Upgrade
License ID: Reports the device software license ID and must be provided to Radware when requesting a new license.
New License Key: The device software license allows you to activate advanced software functionality.
Throughput License ID: Manages the device throughput license ID and must be provided to Radware when requesting a new throughput license.
Throughput License Key: Manages the device throughput level license.

Configuring E-mail Settings

You can configure the device to send information messages via e-mail to device users. This feature can be used for sending trap information via e-mail. When you configure device users, you can specify whether an individual user should receive notifications via e-mail and the minimal event severity reported via SNMP traps and e-mail. The user will receive traps of the configured severity and higher. The e-mail configuration applies both to SNMP traps and to SMTP e-mail notifications. SMTP notifications are enabled globally for the device.

Note: The device optimizes the mailing process by gathering security and system events, which it sends in a single notification message when the buffer is full, or when a timeout of 60 seconds expires.

To configure DefensePro e-mail settings


1. In the Configuration perspective Setup tab navigation pane, select Email Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Note: To configure users to receive e-mails about errors, in the User Table, set the e-mail address and notification severity level for each user. For information about configuring users, see Configuring Device Users, page 219.

Table 10: DefensePro E-mail Parameters

Basic SMTP Parameters
Enable Email Client: Specifies whether the e-mail client is enabled, which supports features that are related to sending e-mail messages. Default: Disabled
Enable Sending Email upon Errors: Specifies whether the device sends notifications via e-mail. Default: Disabled

SMTP Server Parameters
Primary Server Address: The IP address of the SMTP server.
Alternate Server Address: The IP address of an alternative SMTP server. The alternate SMTP server is used when an SMTP connection cannot be established successfully with the main SMTP server, or when the main SMTP server closed the connection. The device keeps trying to establish a connection to the main SMTP server, and starts re-using it when it is available.

SMTP Client Parameters
Email Address: The mail address that appears in the Sender field of e-mail messages generated by the device, for example device1@domain.com.


Configuring RADIUS Authentication for Device Management


DefensePro provides additional security by authenticating the users who access a device for management purposes. With RADIUS authentication, you can use RADIUS servers to determine whether a user is allowed to access device management using CLI, Telnet, SSH or Web Based Management. You can also select whether to use the device User Table when RADIUS servers are not available.

Note: The DefensePro devices must have access to the RADIUS server and must allow device access.

To configure RADIUS authentication for device management


1. In the Configuration perspective Setup tab navigation pane, select RADIUS Authentication.
2. Configure RADIUS authentication parameters for the managed Radware device; and then, click (Submit) to submit the changes.

Table 11: RADIUS Authentication Parameters

Main
Server IP Address: The IP address of the primary RADIUS server.
L4 Port: The access port number of the primary RADIUS server. Values: 1645, 1812. Default: 1645
Secret: The authentication password for the primary RADIUS server.
Verify Secret: When defining the password, re-enter it for verification.

Backup
Server IP Address: The IP address of the backup RADIUS server.
L4 Port: The access port number of the backup RADIUS server. Values: 1645, 1812. Default: 1645
Secret: The authentication password for the backup RADIUS server.
Verify Secret: When defining the password, re-enter it for verification.

Basic Parameters
Timeout: The time, in seconds, that the device waits for a reply from the RADIUS server before a retry, or, if the Retries value is exceeded, before the device acknowledges that the server is offline. Default: 1
Retries: The number of connection retries to the RADIUS server after the RADIUS server does not respond to the first connection attempt. After the specified number of retries, if all connection attempts have failed (Timeout), the backup RADIUS server is used. Default: 2
Client Lifetime: The duration, in seconds, of the client's authentication. After the RADIUS Client Lifetime expires, the device re-authenticates the user. The value is not absolute (fixed), but rather is based on the idle timeout of the last activity. Default: 30

Configuring Syslog Settings


DefensePro can send event traps to up to five syslog servers. For each DefensePro device, you can configure the appropriate information.

Note: Instead of configuring each individual device, Radware recommends configuring the APSolute Vision server to convey the syslog messages from all devices.

To configure syslog in DefensePro


1. In the Configuration perspective Setup tab, select Syslog.
2. Do one of the following:
   - To enable the syslog feature, select the Enable Syslog checkbox.
   - To disable the syslog feature, clear the Enable Syslog checkbox.
   Default: Enabled
3. Do one of the following:
   - To add an entry, click the (Add) button.
   - To modify an entry, double-click the entry in the table.
4. Configure the parameters; and then, click (Submit) to submit the changes.


Table 12: Syslog Parameters

Enable Syslog Server: Specifies whether the syslog server is enabled. Default: Enabled. Note: The device sends syslog messages using UDP. That is, the device sends syslog messages with no verification of message delivery. The Status is N/R in the DefensePro Syslog Monitor (Monitoring perspective > Resource Utilization tab > Syslog Monitor).
Server Address: The IP address or hostname of the device running the syslog service (syslogd).
Source Port: The syslog source port. Default: 514. Note: Port 0 specifies a random port.
Destination Port: The syslog destination port. Default: 514
Facility: The type of device of the sender. This is sent with syslog messages. You can use this parameter to distinguish between different devices and define rules that split messages. Values: Authorization Messages, Clock Daemon, Clock Daemon2, FTP Daemon, Kernel Messages, Line Printer Subsystem, Local 0, Local 1, Local 2, Local 3, Local 4, Local 5, Local 6, Local 7, Log Alert, Log Audit, Mail System, Network News Subsystem, NTP Daemon, Syslogd Messages, System Daemons, User Level Messages, UUCP. Default: Local Use 6

Managing Certificates
This section describes certificates for AppDirector and DefensePro, and how to manage the certificates using APSolute Vision.

Certificates
Certificates are digitally signed indicators which identify the server or user. They are usually provided in the form of an electronic key or value. The digital certificate represents the certification of an individual business or organizational public key but can also be used to show the privileges and roles for which the holder has been certified. It can also include information from a third-party verifying identity. Authentication is needed to ensure that users in a communication or transaction are who they claim to be.

A basic certificate includes the following:
- The certificate holder's identity
- The certificate's serial number
- The certificate expiry date
- A copy of the certificate holder's public key
- The identity of the Certificate Authority (CA) and its digital signature, to affirm that the digital certificate was issued by a valid agency

Keys
A key is a variable set of numbers that the sender applies to encrypt data to be sent via the Internet. Usually a pair of public and private keys is used. A private key is kept secret and used only by its owner to encrypt and decrypt data. A public key has a wide distribution and is not secret. It is used for encrypting data and for verifying signatures. One key is used by the sender to encrypt or interpret the data. The recipient also uses the key to authenticate that the data comes from the sender. The use of keys ensures that unauthorized personnel cannot decipher the data. Only with the appropriate key can the information be easily deciphered or understood. Stolen or copied data would be incomprehensible without the appropriate key to decipher it, and the key also prevents forgery. DefensePro supports the following key size lengths: 512, 1024, or 2048 bytes.

Self-Signed Certificates
Self-signed certificates do not include third-party verification. When you use secure WBM, that is, an HTTPS session, the DefensePro device uses a certificate for identification. By default, the device has self-signed Radware SSL certificates. You can also specify your own self-signed SSL certificates.

Modifying Certificate Information for a Selected Device

To view and modify certificate information for a selected device


In the Configuration perspective Setup tab navigation pane, select Certificates. The Certificates table displays information for each certificate stored on the device. From here, you can add, edit, and delete certificates. You can also import and export certificates, and show certificate text.


Configuring Certificates
You can create or modify a self-signed certificate for secured access to Web Based Management (WBM). You can also create certificate signing requests and keys for new certificates.

To create or modify a certificate or key


1. In the Configuration perspective Setup tab navigation pane, select Certificates.
2. Do one of the following:
   - To add a certificate, click the (Add) button.
   - To edit a certificate, double-click the certificate name.
3. Configure certificate parameters and click OK.

Table 13: Certificate Parameters

Name: The name of the Key or Certificate.
Type: The type of certification. Values: Certificate; Certificate of Client CA (1); Certificate Signing Request; Intermediate CA Certificate (1); Key. When you select Key, only the Key Size and Passphrase fields are available. Default: Key
Key Size: The key size, in bytes. Larger key sizes offer an increased level of security. Radware recommends that certificates have a key size of 1024 or more. Using a certificate of this size makes it extremely difficult to forge a digital signature or decode an encrypted message. Values: 512 Bytes, 1024 Bytes, 2048 Bytes. Default: 1024 Bytes
Common Name: The domain name of the organization (for example, www.radware.com) or IP address.
Organization: The name of the organization.
Email Address: Any e-mail address that you want to include within the certificate.
Key Passphrase: The Key Passphrase encrypts the key in storage and is required to export the key. Since private keys are the most sensitive parts of PKI data, they must be protected by a passphrase. The passphrase should be at least four characters, and Radware recommends using stronger passphrases than that, based on letters, numbers and signs.
Verify Key Passphrase: After you define the key passphrase, re-enter it for verification.
Locality: The name of the city.
State / Province: The state or province.
Organization Unit: The department or unit within the organization.
Country Name: The organization country.
Certificate Expiration: The duration (in days) that the certificate remains valid. Values: 1-4,294,967,295 (4 GB). Default: 365

(1) If you select this option when it is not allowed (according to the type of certificate you are using), the device alerts you with an error message.

Configuring Default Certificate Attributes


Use certificate defaults to define your organization's default parameters to be used when creating signing requests or self-signed certificates. To configure default attributes, the connection between the APSolute Vision server and the relevant device must use SNMPv3.

To configure the default certificate attributes


1. In the Configuration perspective Setup tab navigation pane, select Certificates > Default Attributes.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 14: Default Certificate Parameters

Common Name: The domain name of the organization. For example, www.radware.com.
Locality: The name of the city.
State / Province: The state or province.
Organization: The name of the organization.
Organization Unit: The department or unit within the organization.
Country Name: The organization country.
Email Address: Any e-mail address to include in the certificate.

Importing Certificates
You can import keys and certificates from another machine, and import a certificate to an existing Signing Request to complete its process. Keys and certificates are imported in PEM format. If you have separate PEM files for Key and for certificate, you must import them consecutively with the same entry name.


To import a certificate or key


1. In the Configuration perspective Setup tab navigation pane, select Certificates.
2. Click the Import button below the table.
3. Configure the parameters; and then, click OK to submit the changes.

Table 15: Import Certificate Parameters in DefensePro

Entry Name: A new entry name to create by import, or an existing entry name to overwrite or complete a Key or CSR.
Entry Type: Values:
- Key: Imports a key from backup or exported from another system. To complete the configuration, you will need to import a certificate into this key.
- Certificate: Imports a certificate from backup or exported from another machine. The certificate must be imported onto a matching key or signing request.
- Certificate of Client CA: Imports a Client CA certificate.
Default: Key. Note: In Web Based Management, DefensePro supports the following three additional options: Intermediate CA Certificate, Certificate and Key, SSH Public Key.
Passphrase (available only when the Entry Type is Key): Since private keys are the most sensitive parts of PKI data, they must be protected by a passphrase. The passphrase should be at least four characters, and Radware recommends using stronger passwords than that, based on letters, numbers, and signs.
Verify Passphrase (available only when the Entry Type is Key): Re-enter the passphrase for verification.
File Name: The certificate file to import.

Exporting Certificates
Key, certificate and signing request export is used for backup purposes, moving existing configurations to another system or for completion of Signing Request processes. You can export certificates from a device by copying and pasting a key or by downloading a file. Keys and certificates are exported to PEM format.

Note: The Radware key is created without a Radware password at system startup, thus it can be exported without a Radware password.


To export a certificate or key


1. In the Configuration perspective Setup tab navigation pane, select Certificates.
2. Click the Export button below the table.
3. Configure the parameters; and then, click OK to submit the changes.

Table 16: Export Certificate Parameters

Entry Name: Select the name of the entry to export. By default, the name of the selected certificate in the Certificates table is displayed.
Entry Type: According to the selected entry name, you can export Certificate, Certificate Chain, Client CA Certificate, Key, or Certificate Signing Request.
Passphrase: Required when exporting Keys. Use the passphrase entered when the key was created or imported. You must enter the key passphrase to validate that you are authorized to export the key.
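The certificate workflow from Table 13 through Table 16 (a key of one of the selectable sizes, a CSR and a self-signed certificate carrying the subject attributes, passphrase-protected PEM export and re-import, and the check that a certificate belongs to its key), as an added example using the Python cryptography package. This is not DefensePro's own code, and the subject values are constructed samples.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Key Size choices from Table 13, passed to the RSA generator as modulus sizes.
KEY_SIZES = (512, 1024, 2048)
MIN_PASSPHRASE_LEN = 4   # the minimum passphrase length the guide states


def generate_key(key_size: int = 1024) -> rsa.RSAPrivateKey:
    """Generate an RSA private key of one of the Table 13 sizes (default 1024)."""
    if key_size not in KEY_SIZES:
        raise ValueError(f"key size must be one of {KEY_SIZES}, got {key_size}")
    return rsa.generate_private_key(public_exponent=65537, key_size=key_size)


def build_subject(common_name: str, organization: str, organization_unit: str,
                  locality: str, state: str, country: str, email: str) -> x509.Name:
    """Map the Table 13 / Table 14 attributes onto an X.509 subject name."""
    return x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, organization),
        x509.NameAttribute(NameOID.ORGANIZATIONAL_UNIT_NAME, organization_unit),
        x509.NameAttribute(NameOID.LOCALITY_NAME, locality),
        x509.NameAttribute(NameOID.STATE_OR_PROVINCE_NAME, state),
        x509.NameAttribute(NameOID.COUNTRY_NAME, country),   # two-letter code
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, email),
    ])


def build_csr(key, subject: x509.Name) -> x509.CertificateSigningRequest:
    """'Certificate Signing Request' type: sent to a CA, completed later by importing its certificate."""
    return x509.CertificateSigningRequestBuilder().subject_name(subject).sign(key, hashes.SHA256())


def build_self_signed(key, subject: x509.Name, days: int = 365) -> x509.Certificate:
    """Self-signed certificate valid for `days` (Certificate Expiration, default 365)."""
    if days < 1:
        raise ValueError("Certificate Expiration must be at least 1 day")
    now = datetime.now(timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(subject)                 # issuer == subject: no third-party CA
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + timedelta(days=days))
            .add_extension(x509.BasicConstraints(ca=False, path_length=None), critical=True)
            .sign(key, hashes.SHA256()))


def export_key_pem(key, passphrase: str) -> bytes:
    """Export the key as PEM encrypted with the Key Passphrase, as the export dialog requires."""
    if len(passphrase) < MIN_PASSPHRASE_LEN:
        raise ValueError("passphrase must be at least four characters")
    return key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase.encode()))


def import_key_pem(pem: bytes, passphrase: str):
    """Load an exported key; a wrong passphrase raises ValueError."""
    return serialization.load_pem_private_key(pem, password=passphrase.encode())


def key_matches_certificate(key, cert: x509.Certificate) -> bool:
    """Table 15 rule: a certificate must be imported onto its matching key."""
    return key.public_key().public_numbers() == cert.public_key().public_numbers()


def validity_days(cert: x509.Certificate) -> int:
    """Days between notBefore and notAfter (handles old and new cryptography attribute names)."""
    after = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    before = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    return (after - before).days


if __name__ == "__main__":
    k = generate_key(2048)
    s = build_subject("dp.example.com", "Example Corp", "Security", "Tel Aviv", "TA",
                      "IL", "ops@example.com")
    # The CSR text is what the Show button exposes for copy-paste to a CA.
    print(build_csr(k, s).public_bytes(serialization.Encoding.PEM).decode())
```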

Showing Certificate Content


You can display the content of keys, certificates, or signing requests listed in the Certificates table. The content is displayed in encrypted text format for copy-paste purposes, for example sending signing requests to a certificate signing authority.

To display certificate content


1. In the Configuration perspective Setup tab navigation pane, select Certificates.
2. Click the Show button below the table.
3. Select the entry name to show. By default, the name of the selected certificate in the Certificates table is displayed.
4. Select the entry type, and the password for the key, if required.
5. Click Show to display the content in the Certificate field.

Configuring High Availability


This section contains the following topics:
- High-Availability in DefensePro Overview, page 74
- Monitoring DefensePro Cluster in the System Tab, page 77
- Configuring the Settings for a DefensePro High-Availability Cluster, page 78
- Switching the Device States, page 80

High-Availability in DefensePro Overview
To support high availability (HA), you can configure two compatible DefensePro devices to operate in a two-node cluster. One member of the cluster is the primary; the other member of the cluster is the secondary.

Both cluster members must meet the following requirements:
- Must use the same:
  - Platform
  - Software version
  - Software license
  - Throughput license
  - Radware signature file
- Must be on the same network.
- Must use the same management port (that is, MNG-1 on both devices, MNG-2 on both devices, or both MNG-1 and MNG-2 on both devices).

A receiver in a DefensePro Security Group cannot be a secondary device in a cluster.

When you configure a cluster and submit the configuration, the newly designated primary device configures the required parameters on the designated secondary device.

You can configure a DefensePro high-availability cluster in the following ways:
- To configure the primary device of the cluster, the failover parameters, and the advanced parameters, you can use the High Availability pane (Configuration perspective, Setup > High Availability). When you specify the primary device, you specify the peer device, which becomes the secondary member of the cluster.
- To configure only the basic parameters of a cluster (Cluster Name, Primary Device, and Associated Management Ports), you can use the Configuration perspective system pane.

The members of a cluster work in an active-passive architecture. When a cluster is created:
- The primary device becomes the active member.
- The secondary device becomes the passive member.
- The primary device transfers the relevant configuration objects to the secondary device.

A secondary device maintains its own configuration for the device users, IP interfaces, routing, and the port-pair Failure Mode. A primary device immediately transfers each relevant change to its secondary device. For example, after you make a change to a Network Protection policy, the primary device immediately transfers the change to the secondary device. However, if you change the list of device users on the primary device, the primary device transfers nothing (because the secondary device maintains its own list of device users).

The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.

The following situations trigger the active device and the passive device to switch states (active to passive and passive to active):
- The passive device does not detect the active device within the specified Heartbeat Timeout.
- All links are identified as down on the active device for the specified Link Down Timeout.
- Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the specified Idle Line Timeout.
- You issue the Switch Over command. To switch the device states, in the Monitoring perspective system pane, right-click the cluster node, and then select Switch Over.


You cannot perform many actions on a secondary device. You can perform only the following actions on a secondary device:
- Switch the device state (that is, switch over active to passive and passive to active)
- Break the cluster if the primary device is unavailable
- Configure management IP addresses and routing
- Configure the port-pair Failure Mode
- Manage device users
- Download a device configuration
- Upload a signature file
- Download the device log file
- Download the support log file
- Reboot
- Shut down
- Change the device name
- Change the device time
- Initiate a baseline synchronization if the device is passive, using the CLI or Web Based Management

Notes:
- Before you can configure a cluster, the devices must be locked.
- By design, an active device does not fail over during a user-initiated reboot. Before you reboot an active device, you can manually switch to the other device in the cluster.
- You can initiate a baseline synchronization if a cluster member is passive, using the CLI or Web Based Management.
- When you upgrade the device software, you need to break the cluster (that is, ungroup the two devices). Then, you can upgrade the software and reconfigure the cluster as you require.
- In an existing cluster, you cannot change the role of a device (primary to secondary or vice versa). To change the role of a device, you need to break the cluster (that is, ungroup the two devices), and then reconfigure the cluster as you require.
- If the devices of a cluster belong to different sites, APSolute Vision creates the cluster node under the site where the primary device resides, and APSolute Vision removes the secondary device from the site where it was configured.
- APSolute Vision issues an alert if the state of the device cluster is ambiguous, for example, if there has been no trigger for switchover and both cluster members detect traffic. This state is normal during the initial synchronization process.
- There is no failback mechanism. There is only the automatic switchover action and the manual Switch Over command.
- When a passive device becomes active, any grace time resets to 0 (for example, the time of the Graceful Startup Mode Startup Timer).
- You can monitor high-availability operation in the High Availability pane of the Monitoring perspective. The Properties pane displays the high-availability information of the selected device.


Monitoring DefensePro Cluster in the System Tab

In the system pane, APSolute Vision identifies the high-availability cluster elements, roles, modes, and states using various combinations of icons and icon elements.

Note: You can monitor high-availability operation in the High Availability pane of the Monitoring perspective.

The following table describes the icons that APSolute Vision displays in the system pane for DefensePro high-availability clusters.

Table 17: Icons in the System Pane for High-Availability Clusters (icon images not shown)
- Cluster
- Primary device
- Secondary device

The following table describes the icon elements that APSolute Vision displays in the system pane for DefensePro high-availability clusters.

Table 18: Icon Elements in the System Pane for High-Availability Clusters (icon images not shown)
- Active device
- Synchronizing
- Unavailable

The following table describes some icons that APSolute Vision can display in the system pane for DefensePro high-availability clusters.

Table 19: Icons in the System Pane for High-Availability Clusters: Examples (icon images not shown)
- The cluster is operating nominally.
- The cluster is synchronizing its members.
- The cluster is unavailable.
- The primary device is active, unlocked, and operating nominally.
- The primary device is passive, unlocked, and operating nominally.
- The secondary device is passive, unlocked, and operating nominally.
- The secondary device is active, unlocked, and operating nominally.
- The secondary device is unlocked and unavailable.

Configuring the Settings for a DefensePro High-Availability Cluster

You can use the High Availability pane in the Configuration perspective to specify the primary device of the cluster, and to configure the failover parameters and advanced parameters. When you specify the primary device, you specify the peer device, which becomes the secondary member of the cluster.

To configure the settings for a high-availability cluster

1. In the Configuration perspective Setup tab navigation pane, select High Availability.
2. Configure the parameters; and then, click Submit to submit the changes. APSolute Vision names the cluster Cluster_<IP address of primary device>.

Note: To rename the cluster, in the Configuration perspective system pane, right-click the cluster node, and select Rename <Cluster Name>. Rename the cluster (up to 32 characters); and then, click outside the cluster node.

Table 20: High Availability Parameters

Cluster Definition

Cluster Member: Specifies whether the device is a member of a two-node cluster for high availability. If you clear the Cluster Member checkbox in the configuration (of the primary or secondary member), APSolute Vision breaks the cluster (after you submit the changes). Note: You can clear the Cluster Member checkbox in the configuration of the secondary only when the primary member is unavailable.

Peer Device: The name of the other device in the cluster. The drop-down list contains the names of all the DefensePro devices that are not part of a cluster. When the device is a member of an existing high-availability cluster, the drop-down list is unavailable.

Associated Management Ports: Specifies the management (MNG) port or ports through which the primary and secondary devices communicate. Values: MNG1, MNG2, MNG1+2. Note: You cannot change the value if the currently specified management port is being used by the cluster. For example, if the cluster is configured with MNG1+2, and MNG1 is in use, you cannot change the value to MNG2.

Failover

Heartbeat Timeout: The time, in seconds, that the passive device detects no heartbeat from the active device before the passive device becomes active. Values: 10–30. Default: 10

Link Down Timeout: The time, in seconds, after all links to the active device are identified as being down before the devices switch states. Values: 1–65,535. Default: 1. Note: If a dead link or idle line is detected on both cluster members, there is no switchover.

Use Idle Line Detection: Specifies whether the devices switch states due to an idle line detected on the active device. Default: Disabled. Note: If an idle line is detected on both cluster members, there is no switchover.

Idle Line Threshold: The bandwidth, in Kbit/s, below which the line is considered idle. When the Use Idle Line Detection option is enabled, traffic below this threshold for the Idle Line Timeout triggers a switchover. Values: 512–4,294,967,296. Default: 512. Note: If the Use Idle Line Detection checkbox is cleared, this parameter is ignored.

Idle Line Timeout: The time, in seconds, with line bandwidth below the Idle Line Threshold that triggers a switchover when the Use Idle Line Detection option is enabled. Values: 3–65,535. Default: 10. Note: If the Use Idle Line Detection checkbox is cleared, this parameter is ignored.

Advanced Configuration

Baseline Sync. Interval: The interval, in seconds, at which the active device synchronizes the BDoS and HTTP Mitigator baselines. Values: 3600–86,400. Default: 3600. Note: The active device also synchronizes the baselines when the cluster is created.

Switchover Sustain Timeout: The time, in seconds, after a manual switchover during which the cluster members do not change states. Values: 30–3600. Default: 180


Switching the Device States

To switch the device states

1. In the Monitoring perspective system pane, right-click the cluster node.
2. Select Switch Over.

Configuring a High-Availability Cluster in the System Tab

In the Configuration perspective system pane, you can configure the basic parameters of a cluster (Cluster Name, Primary Device, and Associated Management Ports).

Notes:
- Before you can configure a cluster, the devices must be locked.
- By design, an active device does not fail over during a user-initiated reboot. Before you reboot an active device, you can manually switch to the other device in the cluster.
- When you upgrade the device software, you need to break the cluster (that is, ungroup the two devices). Then, you can upgrade the software and reconfigure the cluster as you require.

To create a DefensePro high-availability cluster from the system pane

1. In the Configuration perspective system pane, select a DefensePro device.
2. Press Ctrl and click the other device for the cluster.
3. Right-click one of the selected devices and select Create Cluster.
4. Configure the parameters; and then click OK.

Table 21: Cluster Setup Parameters

Cluster Name: The name for the cluster (up to 32 characters).
Primary Device: Specifies which of the cluster members is the primary device.
Associated Management Ports: Specifies the management (MNG) port or ports through which the primary and secondary devices communicate. Values: MNG1, MNG2, MNG1+2. Note: You cannot change the value if the currently specified management port is being used by the cluster. For example, if the cluster is configured with MNG1+2, and MNG1 is in use, you cannot change the value to MNG2.


To break a DefensePro high-availability cluster from the system pane

In the Configuration perspective system pane, right-click the cluster node and select Break Cluster. After your confirmation, the cluster node is removed from the tree, and the DefensePro devices are displayed under the parent node.

To rename a DefensePro high-availability cluster from the system pane

1. In the Configuration perspective system pane, right-click the cluster node, and select Rename <Cluster Name>.
2. Rename the cluster (up to 32 characters); and then, click outside the cluster node.

To change the associated management ports of a DefensePro high-availability cluster from the system pane

1. In the Configuration perspective system pane, select the cluster node and click Edit Cluster.
2. Configure the parameters; and then click OK.

Note: You cannot change the value if the currently specified management port is being used by the cluster. For example, if the cluster is configured with MNG1+2, and MNG1 is in use, you cannot change the value to MNG2.

Configuring BOOTP

BOOTP is a protocol that is used to obtain the client IP address from the BOOTP server.

To configure BOOTP settings

1. In the Configuration perspective Setup tab navigation pane, select BootP.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 22: BOOTP Parameters for DefensePro

Server Address: The IP address of the BootP server. The device forwards BootP requests to the BootP server and acts as a BootP relay.
Relay Threshold: The time, in seconds, that the device waits before relaying requests to the BootP server. This delay allows local BootP servers to answer first.


Configuring DNS Client Settings

You can configure DefensePro to operate as a Domain Name Service (DNS) client. When the DNS client is disabled, IP addresses cannot be resolved. When the DNS client is enabled, you must configure the servers to which DefensePro sends queries for host-name resolution. You can set the DNS parameters and define the primary and the alternate DNS servers for dynamic DNS. In addition, you can set static DNS parameters.

To configure DNS settings

1. In the Configuration perspective Setup tab, select DNS.
2. Configure the basic DNS client parameters, and click Submit to submit the changes.
3. To add or modify static DNS entries, do one of the following:
   - To add an entry, click the Add button.
   - To modify an entry, double-click the entry in the table.
4. Configure the parameters, and click OK.

Table 23: DNS Client Parameters

DNS Client Parameters

DNS Client: Specifies whether the DefensePro device operates as a DNS client to resolve IP addresses. Values: Enable, Disable. Default: Disable
Primary DNS Server: The IP address of the primary DNS server to which DefensePro sends queries.
Alternative DNS Server: The IP address of the alternative DNS server to which DefensePro sends queries.

Static DNS Table

The static DNS hosts. Click the Add button to add a new static DNS entry. The configuration of each static DNS entry comprises the following parameters:
- Host Name: The domain name for the specified IP address
- IP Address: The IP address for the specified domain name

Configuring DefensePro Security Signaling

For more information on this feature, see the DefensePro 6.07 release notes.

DefensePro can expose situational signals through the DefensePro SOAP API and attack data to specified syslog servers. A Network Operation Center (NOC) or Security Operation Center (SOC) situated in the cloud can use the signals to monitor and control attack situations.

For example, if a DefensePro device, working as customer premises equipment (CPE), is configured to detect low-volume attacks, when a DoS attack starts, the signals alert the NOC or SOC that an attack has started. Then, using the information, the NOC or SOC can divert traffic through additional mitigation devices in the cloud, and thus prevent pipe saturation.

Note: Typically, in the context of DefensePro signaling, NOCs are carriers, and SOCs are managed-security-service providers (MSSPs).

When signaling is enabled:
- DefensePro exposes situational data through its SOAP interface. The data includes device-health information, traffic statistics, and management information. Under normal circumstances, that is, when there is no attack, the SOAP queries and responses get through. However, during attacks, the pipe may be saturated, and the SOAP queries and responses get lost.
- When DefensePro detects an attack, DefensePro sends signals to a specified syslog server. The signals include the attack events and, optionally, additional attack data.

For information on the SOAP API and syslog signals, see the DefensePro Signaling API Integration Guide.

You configure signaling policies to send signals to a syslog server configured in the DefensePro device. The configuration of each signaling policy specifies the Network Protection rules, Server Protection rules, and protection types.

To enable or disable signaling

1. In the Configuration perspective Setup tab navigation pane, select Signaling.
2. Select or clear the Enable Signaling checkbox.
3. Click Submit to submit the changes.

To configure a signaling policy

1. In the Configuration perspective Setup tab, select Signaling.
2. Do one of the following:
   - To add an entry, click the Add button.
   - To modify an entry, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 24: Signaling Policy Parameters

Enabled: Specifies whether the signaling policy is enabled. Default: Enabled
Policy ID: A numerical identifier for the signaling policy. Values: 1–100
Policy Name: The name of the signaling policy. Maximum characters: 80
Syslog Server: The syslog server to which DefensePro sends the attack alert signals.
Customer Name: The name of the customer, which is included in the alert messages. Maximum characters: 32
Customer Description: The description of the customer, which is included in the alert messages. This description can include, for example, details of the specific device or environment. Maximum characters: 100
Pipe Size: The total size, in Mbps, of the ISP link of the customer. DefensePro uses this value to calculate the pipe-utilization percentage, which is included in attack alerts.
Signaling Mode: Values:
- Events and Data: Attack signals contain the basic attack alerts and the additional metadata for the alert events.
- Events Only: Attack signals contain the basic attack alerts only.
All Network Rules: Specifies whether the signaling policy sends signals for all enabled Network Protection policies/rules or only for specific rule groups. Default: Enabled
Network-Policies Group ID (available only when the All Network Rules checkbox is cleared): The ID of the Network-Policies Group, which defines specific Network Protection policies/rules.
All Servers: Specifies whether the signaling policy sends signals for all enabled Server Protection policies/rules or only for specific rule groups. Default: Enabled
Server-Protection Group ID (available only when the All Servers checkbox is cleared): The ID of the Server-Protection Group, which defines specific Server Protection policies/rules.

Advanced Parameters

This section describes the advanced parameters that are relevant for the basic configuration of a DefensePro device.

This section contains the following topics:
- Configuring Advanced Settings, page 85
- Configuring Configuration Auditing, page 86
- Configuring Dynamic Protocols, page 86
- Configuring Tuning Parameters, page 88
- Configuring Security Reporting, page 97
- Configuring Out-of-Path Settings for DefensePro, page 100
- Configuring Session Table Settings, page 101
- Configuring Suspend Settings, page 104
- Configuring the Device Event Scheduler, page 105
- Configuring Tunneling Inspection, page 105

Configuring Advanced Settings

The advanced settings comprise the following parameters:
- Accept Weak SSL Ciphers
- Enable Overload Mechanism
- SRP Management Host IP Address

The Overload Mechanism, that is, the overload-protection mechanism, identifies and reports overload conditions, and acts to reduce operations with high resource consumption. The DefensePro device uses the overload-protection mechanism to respond to the following overload conditions:
- SME Overload: When the overload occurs in the string-matching engine (SME), the accelerator reduces the number of new sessions sent to the SME. The existing sessions continue to pass through the SME and are inspected. Features that require the SME, including some of the attack signatures, are not applied to some of the sessions.
- Master Overload: When the overload occurs in the Master CPU, only a percentage of the traffic is processed by the CPU. Behavioral DoS footprint analysis is done on sampled data, ensuring the continuation of the feature, but SYN Protection does not work.
- Accelerator Overload: When the overload occurs in the Accelerator CPU, only a percentage of the traffic is inspected, while the rest passes through using bypass modes. Inspected traffic is passed to the Master and SME if they are not overloaded.
- System Wide Overload: If all offload operations have failed to prevent overloaded conditions, then a full bypass is implemented. Every device application is bypassed, including Statistics, Security, and so on.

To configure advanced settings

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Advanced Parameters.
2. Configure the overload mechanism and SRP parameters; and then, click Submit to submit the changes.

Table 25: Advanced Settings Parameters

Accept Weak SSL Ciphers: Specifies whether the device allows management connections over secure protocols with ciphers shorter than 128 bits. Default: Enabled. Note: While this setting is enabled, a management client can negotiate a cipher of fewer than 128 bits; clear it unless a legacy management client requires such ciphers.
Enable Overload Mechanism: Specifies whether the device uses the overload mechanism, which identifies and reports overload conditions. Radware recommends that the overload-protection mechanism always be enabled.
SRP Management Host IP Address: The IP address to which the device sends Statistics Reporting Protocol (SRP) data. SRP is a private Radware protocol for efficient transmission of statistical data from the device to the APSolute Vision server. Enter the APSolute Vision server IP address. This parameter must be configured to view real-time reports and attack details in APSolute Vision.

Configuring Configuration Auditing

When configuration auditing for devices is enabled on the APSolute Vision server and on the device, any configuration change on a device using APSolute Vision creates two records in the Audit database: one from the APSolute Vision server, and one from the device audit message.

Note: To prevent overloading the managed device and degrading its performance, the feature is disabled by default.

To enable configuration auditing for a managed device

1. In the Configuration perspective system pane, select the device for which you want to configure auditing.
2. In the Advanced Parameters tab navigation pane, select Configuration Audit.
3. To enable configuration auditing, select the Enable Configuration Auditing checkbox.
4. Click Submit to submit the changes.

Configuring Dynamic Protocols

Dynamic protocols use control or signaling channels that handle data, voice, and audio streaming channels. For example, FTP has a control session and a data session; SIP has signaling sessions, data sessions (RTP), and control sessions (RTCP). Some dynamic sessions remain in the Session Table longer than regular sessions. With VoIP, SIP, and H.225, there are periods with no traffic during which the call is still active and the session does not age. You can configure different aging times for various dynamic protocols, and different policies for different connections of the same session. In FTP, for example, you can set one policy for FTP data and another policy for FTP control.

Before you configure dynamic protocols, ensure that the Session Table Lookup Mode is Full L4 (which is the default). To change settings, see Configuring Session Table Settings, page 101.


To configure dynamic protocols

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Dynamic Protocols.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 26: Dynamic Protocol Parameters

FTP
Enable FTP: Enables/disables the FTP Dynamic Protocol. Default: Enabled
Control Session Aging Time: The Control Session Aging Time, in seconds. Default: 0
Data Session Aging Time: The Data Session Aging Time, in seconds. Default: 0

TFTP
Enable TFTP: Enables/disables the TFTP Dynamic Protocol. Default: Enabled
Data Session Aging Time: The Data Session Aging Time, in seconds. Default: 0

Rshell
Enable Rshell: Enables/disables the Rshell Dynamic Protocol. Default: Enabled
Control Session Aging Time: The Control Session Aging Time, in seconds. Default: 0
Data Session Aging Time: The Data Session Aging Time, in seconds.

Rexec
Enable Rexec: Enables/disables the Rexec Dynamic Protocol. Default: Enabled
Control Session Aging Time: The Control Session Aging Time, in seconds. Default: 0
Data Session Aging Time: The Data Session Aging Time, in seconds.

H.225
Enable H.225: Enables/disables the H.225 Dynamic Protocol. Default: Enabled
Control Session Aging Time: The Control Session Aging Time, in seconds. Default: 0
H.245 Data Session Aging Time: The Data Session Aging Time, in seconds. Default: 0

SIP
Enable SIP: Enables/disables the SIP Dynamic Protocol. Session Initiation Protocol (SIP) is an IETF standard for initiating an interactive user session involving multimedia elements such as video, voice, chat, gaming, and so on. SIP can establish, modify, or terminate multimedia sessions or Internet telephony calls. When a policy for SIP is configured to block traffic from one direction, it is not possible to open a SIP connection from the other direction (SIP uses the same port number for both source and destination). Default: Disabled
Signaling Session Aging Time: The Signaling Session Aging Time, in seconds. When the clients communicate directly with each other, or work with non-standard SIP ports, increase the Signaling Session Aging Time. Default: 20
RTCP Session Aging Time: The RTCP Session Aging Time, in seconds. Default: 0
TCP Segments Aging Time: The SIP TCP Segments Aging Time, in seconds. Default: 5

Configuring Tuning Parameters

You can adjust tuning parameters to use memory resources more efficiently and to conserve memory resources.

Caution: Radware strongly recommends that you perform any device tuning only after consulting with Radware Technical Support.

This section contains the following topics:
- Configuring Device Tuning, page 89
- Configuring Security Tuning, page 90
- Configuring SYN Protection Tuning, page 93
- Configuring Authentication Table Tuning, page 94
- Configuring Classifier Tuning, page 95
- Configuring SDM Tuning, page 97


Configuring Device Tuning

To configure device tuning parameters

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning Parameters.
2. To change the current setting, enter the new value in the After Reset column.
3. Click Submit to submit the changes. You can reboot immediately or at a later time. Changes do not take effect until after the reboot.

Note: Radware recommends performing a memory check before rebooting the device.

Table 27: Device Tuning Parameters

IP Fragmentation Table: The maximum number of IP fragments that the device stores. Values: 1–256,000. Default: 10,240
Session Table: The maximum number of sessions that the device can track. Values: 20–4,000,000. Default: 2,700,000
Session Resets Entries: The maximum number of sessions that the device tracks to send RESET when Send Reset To Server is enabled in the Session Table. Values: 1–10,000. Default: 1000
Routing Table: The maximum number of entries in the Routing Table. Values: 20–32,767. Default: 64
Pending Table: The maximum number of new simultaneous dynamic sessions the device can open. Values: 16–16,000. Default: 1024
SIP Call Table: The maximum number of SIP calls the device can track. Values: 16–256,000. Default: 1024
TCP Segmentation Table: The maximum number of TCP segments. This parameter is used when the SIP protocol is enabled and SIP is running over TCP. Values: 1–32,768. Default: 256


Configuring Security Tuning


The security tables store information about sessions passing through the device and their sizes, correlating them to the number of sessions. Some tables store Layer 3 information for every sourcedestination address pair of traffic going through the device requiring an entry for each combination. Some tables keep information about Layer 4 sessions. Every combination of source address, source port, destination address and destination port requires its own entry in the table.

Note: Layer 4 tables are larger than Layer 3 tables. TCP clients, using HTTP, may open several TCP sessions to one destination address. Each security table is responsible for clearing tables of old entries that are no longer required, and ensuring that traffic is properly classified and inspected.

To configure security tuning


1. 2. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning Parameters > Security. Configure the tuning parameters.

Table 28: Security Tuning Parameters

Parameter
Max. Number of HTTP Mitigator Suspect Sources

Description
The maximum number of suspect sources in HTTP Mitigation policies. Values: 1000500,000 Default: 100,000

Max. Number of Server Protection Servers

The maximum number of entries in the Server Protection policy. Values: 10010,000 Default: 350 The maximum number of configurable Behavioral DoS policies. Values: 150 Default: 10

Max. Number of BDoS Policies

Max. Number of DNS Policies

The maximum number of configurable DNS Flood Protection policies. Values: 150 Default: 10

Max. Number of Anti-Scanning IP The maximum number of source IP addresses that the device Pairs stores for anti-scanning purposes. Values: 10,0001,000,000 Default: 50,000

90

Document ID: RDWR-DP-V072000_UG1307

DefensePro User Guide Basic Device Configuration

Max. Number of Entries in Counter Target Table
The maximum number of sessions in which a destination address is tracked. Some attack signatures use thresholds per destination for activation. The Counter Target Table counts the number of times traffic to a specific destination matches a signature. When the number of packets sent to a particular destination exceeds the predefined limit, it is identified as an attack. Values: 100–65,536. Default: 65,536.

Max. Number of Entries in Counter Source Table
The maximum number of sessions in which a source address is tracked. Some attack signatures use thresholds per source for activation. The Counter Source Table counts the number of times traffic from a specific source matches a signature. When the number of packets sent from a particular source exceeds the predefined limit, it is identified as an attack. Values: 100–65,536. Default: 65,536.

Max. Number of Entries in Counter Source and Target Table
The maximum number of sessions in which source and destination addresses are tracked. Some signatures use thresholds per source and destination for activation. The Counter Source & Target Table counts the number of times traffic from a specific source to a specific destination matches a signature. When the number of packets sent from a particular source to a particular destination exceeds the predefined limit, it is identified as an attack. Values: 100–65,536. Default: 65,536.

Max. Number of Concurrent Active DoS Shield Protections
The maximum number of filters tracked. DoS Shield filters use thresholds for activation. The table (the New Count Per Filter (NCPF) table) counts the number of times traffic matches a DoS Shield signature per policy. When the number of packets exceeds the predefined limit, it is identified as an attack. Values: 100–16,000. Default: 10,000.

Max. Number of Entries in Counters Report Tracking Signatures
The maximum number of entries for reports on active concurrent attacks. Values: 100–64,000. Default: 20,000.


Max. Number of Entries in Counters Server Cracking Protection
The maximum number of entries for concurrent active Server Cracking protections. When the Server Cracking protection feature is enabled, DefensePro uses one entry in this table whenever it receives a response from the server that can indicate a potential Server Cracking attack. The entry includes the IP address of the potential attacker, the protected server, and the protocol. The entry remains in use as long as DefensePro receives such server responses. Values: 100–65,536. Default: 100.

Max. Number of Entries in DHCP Table
The number of MAC addresses to check for IP requests. The DHCP Discover table detects attacks by counting the IP requests for each MAC address. The requests are made using Dynamic Host Configuration Protocol. When the number of IP requests for a particular MAC address exceeds the predefined limit, it is identified as an attack. Values: 100–64,000. Default: 100.

Max. Number of Signatures Configured by User
The maximum number of user-configurable IPS signatures and RSA signatures. DefensePro can store up to 500 concurrent RSA signatures. Values: 10–10,000. Default with fraud protection not enabled: 100. Default with fraud protection enabled: 3,000.
Note: RSA signatures on the device accumulate until the device ages them. The device ages RSA signatures according to the specified aging times: Phishing Signatures Aging, Drop Points Aging, and Malicious Download Aging. If the Max. Number of Signatures Configured by User is greater than 500, and the number of RSA signatures reaches 500, you cannot add any new RSA signature. If you must add new RSA signatures immediately, you can reduce the aging time, add the RSA signature, and then increase the aging time again as appropriate.

Max. Number of Source IPs in Suspend Table
The maximum number of hosts that the Suspend table is able to block simultaneously. This value affects the abilities of other defenses, such as Anti-Scanning, Server Cracking, and SYN protection. Values: 1000–100,000. Default: 10,000.

Max. Number of Concurrent Connection PPS Attacks (1)
The maximum number of concurrent Connection Packet Rate Limit attacks that the device can handle. Values: 5–1000. Default: 50.

Max. Number of IPs in the Quarantine Table (1)
The maximum number of IP addresses in the Quarantine table. Values: 1,000–10,000. Default: 1000.

(1) This parameter is not relevant for DefensePro 7.20.


Configuring SYN Protection Tuning

SYN tables are used to define SYN Flood protection.

To configure SYN Protection tuning

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning Parameters > SYN Protection.
2. Configure the tuning parameters.

Table 29: SYN Protection Tuning Parameters

SYN Protection Table
The number of entries in the table that stores data regarding the delayed binding process. An entry exists in the table from the time a client starts the three-way handshake until the handshake is complete. Values: 10–500,000. Default: 200,000.

SYN Protection Requests Table
The number of entries in the table that stores the ACK, or data packet, that the client sends, until the handshake with the server is complete and the packet is sent to the server. The Requests table and the SYN Protection table are approximately the same size, whereas the Triggers table is much smaller. Values: 10–500,000. Default: 200,000.


SYN Protection Signature Detection Entries
The number of entries in the table that stores active triggers, that is, the destination IP addresses and ports for which the device identifies an ongoing attack. Values: 1000–20,000. Default: 1000.
Note: There are several reasons that might cause the table to become full:
- Too many services in the protected network: This might happen in extremely large networks.
- Too many protected services: If there are too many services running in the protected network, or if all TCP ports are protected by SYN Protection, this may cause problems in networks that use multiple TCP ports for providing a service, such as gaming applications, which use numerous high TCP ports.
- Vertical TCP-SYN flood: The attackers are using an attack technique that repeatedly performs high-rate scans on the entire protected range.
The following are possible solutions to this problem:
- Limit the size of the network protected by SYN Protection: Because the SYN Protection Signature Detection Entries table is forced to include records for every destination, SYN Protection should be applied only to servers and not to network classes that include PCs.
- Remove some of the protected protocols: If you are unnecessarily protecting all TCP ports with SYN Protection, remove SYN Protection from them and apply the policy only to the relevant services.
- Increase the table size: Note that increasing the table size consumes memory allocation and therefore requires a system reboot.

SYN Statistics Entries
The number of entries in the SYN Flood Statistics table. Values: 1000–20,000. Default: 1000.

Configuring Authentication Table Tuning

To configure Authentication Table tuning

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning Parameters > Authentication Tables.
2. Configure the tuning parameters.


Table 30: Authentication Table Tuning Parameters

Authentication Table Tuning

HTTP Authentication Table Size
The number of sources in the HTTP Authentication table. DefensePro uses the HTTP Authentication table in HTTP Flood profiles and in the HTTP Authentication feature of a SYN Protection profile. Values: 500,000–2,000,000. Default: 2,000,000.

Authentication Tables Aging

HTTP Authentication Table Aging
The time, in seconds, that the device keeps idle sources in the HTTP Authentication table. Values: 60–3600. Default: 1200.

TCP Authentication Table Aging
The time, in seconds, that the device keeps idle sources in the TCP Authentication table. Values: 60–3600. Default: 1200.

DNS Authentication Table Aging
The time, in minutes, that the device keeps idle sources in the DNS Authentication table. Values: 1–60. Default: 20.
Note: The DNS Authentication Table Aging text box is empty if DNS Flood Protection has not been enabled on the device (Configuration perspective > Security Settings > DNS Flood Protection > Enable DNS Flood Protection). You can, however, enter a value even if DNS Flood Protection is not enabled, and the value will persist.

Configuring Classifier Tuning

APSolute Vision supports the classifier (that is, Classes) module. A packet first flows into the system through the classifier. The classifier handles the packet according to the Class that best matches the packet and according to these tuning parameters. You can view and edit the Classifier tuning parameters. The changes take effect after a device reset.

To configure classifier tuning

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning Parameters > Classifier.
2. To change the current setting, enter the new value in the After Reset column.
3. Click (Submit) to submit the changes. You can reboot immediately or at a later time. Changes will not take effect until after the reboot.


Note: Radware recommends performing a memory check before rebooting the device.

Table 31: Classifier Tuning Parameters

Max. Number of Networks
The maximum number of entries in the table for ranges. Values: 32–10,000. Default: 256.

Max. Number of Discrete IP Addresses per Network
The maximum number of entries in the table for IP addresses that are allocated to a network. Values: 16–1024. Default: 64.

Max. Number of Subnets per Network
The maximum number of entries in the table for network subnets. Values: 16–256. Default: 64.

Max. Number of MAC Groups
The maximum number of entries in the table for MAC groups. Values: 16–2048. Default: 128.

Max. Number of Filter Entries
The maximum number of entries in the table for basic filters. Values: 512–2048. Default: 512.

Max. Number of AND Groups
The maximum number of entries in the advanced filters table for AND groups. Values: 256–2048. Default: 256.

Max. Number of OR Groups
The maximum number of entries in the advanced filters table for OR groups. Values: 256–2048. Default: 256.

Max. Number of Application Ports Groups
The maximum number of entries in the table for application port groups. Values: 32–2000. Default: 512.

Max. Number of Content Entries
The maximum number of content entries in the table. Values: 16–4096. Default: 256.


Configuring SDM Tuning

To configure SDM tuning

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning Parameters > SDM.
2. Configure the tuning parameter.

Table 32: SDM Tuning Parameter

SDM Table Size
The size of the SDM table. Values: Small, Medium, Large. Default: Medium.

Configuring Security Reporting

To support historical and real-time security-monitoring capabilities and to provide in-depth attack information for each attack event, the DefensePro device establishes a data-reporting protocol between the device and APSolute Vision. This protocol, called Statistical Real-time Protocol (SRP), uses UDP packets to send attack information. You can enable the reporting channels that DefensePro devices use to send information about attacks, and report detected attacks based on their risk levels. In addition, DefensePro can provide the APSolute Vision server with sampled captured packets that the DefensePro device identified as part of a specific attack. DefensePro sends these packets to the specified IP address, encapsulated in UDP packets.

Caution: DefensePro does not provide sampled captured packets from suspicious sources that DefensePro challenged. (DefensePro supports an option to challenge sources in HTTP Flood Protection, SYN Flood Protection, DNS Flood Protection, and SSL Protection.)

You can also configure DefensePro devices to send captured attack packets along with the attack event for further offline analysis. Packet reporting and SRP use the same default port, 2088.

To configure security reporting settings

1. In the Configuration perspective Advanced Parameters tab navigation pane, select (depending on the product) Security Reporting Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.


Table 33: Security Reporting Parameters

Basic Parameters

Report Interval
The frequency, in seconds, at which reports are sent through the reporting channels. Values: 1–65,535. Default: 5.

Maximal Number of Alerts per Report
The maximum number of attack events that can appear in each report (sent within the reporting interval). Values: 1–2000. Default: 1000.

Report per Attack Aggregation Threshold
The number of events for a specific attack during a reporting interval before the events are aggregated into a single report entry. When the number of generated events exceeds the Aggregation Threshold value, the IP address value for the event is displayed as 0.0.0.0, which specifies any IP address. Values: 1–65,535. Default: 5.

L4 Port for Reporting
The port used for packet reporting and SRP. Values: 1–65,535. Default: 2088.

Enable Sending Traps
When selected, the device uses the traps reporting channel. Default: Enabled.

Minimal Risk Level for Sending Traps
The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported. Default: Low.

Enable Sending Syslog
When selected, the device uses the syslog reporting channel. Default: Enabled.

Minimal Risk Level for Sending Syslog
The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported. Default: Low.

Enable Sending Terminal Echo
When selected, the device uses the Terminal Echo reporting channel. Default: Disabled.

Minimal Risk Level for Sending Terminal Echo
The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported. Default: Low.

Enable Security Logging
When selected, the device uses the security logging reporting channel.

Packet Reporting and Packet Trace

Enable Packet Reporting
Specifies whether the DefensePro device sends sampled attack packets along with the attack event. Default: Enabled.


Maximum Packets per Report
The maximum number of packets that the device can send within the Report Interval. Values: 1–65,535. Default: 100.

Destination IP Address
The destination IP address for the packet reports. Default: 0.0.0.0.
Note: Only one destination IP address can be configured for packet reporting, even when more than one APSolute Vision server manages the device.

Enable Packet Trace on Physical Port
Specifies whether the Packet Trace feature is disabled, or enables the feature and specifies the physical port to which the DefensePro device sends identified attack traffic (when the Packet Trace feature is enabled in the policy rule or profile). Values:
- none: The Packet Trace feature is disabled.
- The physical inspection ports (that is, excluding the management ports).
Default: none.
Caution: A change to this parameter takes effect only after you update policies.

Maximum Rate
The maximum number of packets per second that the Packet Trace feature sends. Values: 1–200,000. Default: 50,000.
Caution: A change to this parameter takes effect only after you update policies.

Maximum Length of Dropped Packets
The maximum length, in bytes, of dropped packets that the Packet Trace feature sends. DefensePro can limit the size of packets sent by Packet Trace only for dropped packets. That is, when a rule is configured with Report Only (as opposed to Block), the Packet Trace feature sends the whole packets. Values: 64–1550. Default: 1550.
Tip: If you are interested only in the packet headers of the dropped packets, set the minimal value, 64, to conserve resources.
Caution: A change to this parameter takes effect only after you update policies.

netForensics Reporting

Enable netForensics Reporting
When selected, enables reporting using the netForensics reporting agent. Default: Disabled.


Agent IP Address
The IP address of the netForensics agent.

L4 Port
The port used for netForensics reporting. Values: 1–65,535. Default: 555.

Data Reporting Destinations

Destination IP Address
The target addresses for data reporting. The table can contain up to 10 addresses. By default, when there is room in the table, addresses are added automatically when you add a DefensePro device to the tree in the system pane. To add an address, click the (Add) button, enter the destination IP address, and then click OK.
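The interaction between Report per Attack Aggregation Threshold, Maximal Number of Alerts per Report and the per-channel Minimal Risk Level is easier to see on a concrete interval of events. The following is an added example and not Radware's code: it models one reporting interval with constructed events; the event fields, the risk-level ordering and the choice to report the attacker's source IP as the event's IP address are assumptions made for the illustration.

```python
"""Constructed model of how one SRP report interval could be assembled.

Added example, not Radware's code: it models the Report per Attack Aggregation
Threshold, Maximal Number of Alerts per Report and the per-channel Minimal Risk
Level from Table 33. Field names and the risk ordering are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumed ordering of risk levels, lowest to highest.
RISK_ORDER = {"info": 0, "low": 1, "medium": 2, "high": 3}


@dataclass(frozen=True)
class AttackEvent:
    attack_name: str   # the signature or protection that fired
    ip: str            # IP address reported for the event (assumed: attacker source)
    risk: str          # one of RISK_ORDER


def build_report(events, aggregation_threshold=5, max_alerts=1000):
    """Collapse one reporting interval's events into the alerts of a single report.

    Events are grouped by attack name. When a group holds more events than
    aggregation_threshold, it is reported as one aggregated alert whose IP is
    0.0.0.0 ("any address"), carrying the event count and the highest risk seen.
    Smaller groups are reported event by event. At most max_alerts alerts are kept.
    """
    groups = defaultdict(list)
    for ev in events:
        groups[ev.attack_name].append(ev)

    alerts = []
    for name, group in groups.items():
        if len(group) > aggregation_threshold:
            alerts.append({
                "attack": name,
                "ip": "0.0.0.0",
                "risk": max(group, key=lambda e: RISK_ORDER[e.risk]).risk,
                "count": len(group),
                "aggregated": True,
            })
        else:
            for ev in group:
                alerts.append({"attack": name, "ip": ev.ip, "risk": ev.risk,
                               "count": 1, "aggregated": False})
    # Maximal Number of Alerts per Report caps what one report can carry.
    return alerts[:max_alerts]


def channel_alerts(alerts, minimal_risk):
    """Apply a channel's Minimal Risk Level: keep alerts at that risk or higher."""
    floor = RISK_ORDER[minimal_risk]
    return [a for a in alerts if RISK_ORDER[a["risk"]] >= floor]


# Constructed events for one 5-second interval: seven SYN-flood events from
# different sources, two scan events and one high-risk signature hit.
SAMPLE_EVENTS = (
    [AttackEvent("SYN flood", f"198.51.100.{i}", "low") for i in range(1, 8)]
    + [AttackEvent("Port scan", "203.0.113.10", "medium"),
       AttackEvent("Port scan", "203.0.113.11", "medium"),
       AttackEvent("Web signature hit", "203.0.113.12", "high")]
)

if __name__ == "__main__":
    report = build_report(SAMPLE_EVENTS)   # default threshold 5
    for alert in report:
        print(alert)
    print("syslog (min Low):", len(channel_alerts(report, "low")))
    print("traps (min Medium):", len(channel_alerts(report, "medium")))
```

With the default threshold of 5, the seven SYN-flood events collapse into one alert with IP 0.0.0.0, while the scan and signature events stay individual; raising the threshold above the group size keeps every event separate, and a channel whose Minimal Risk Level is Medium never sees the low-risk flood alert at all. This is the reason to keep the threshold low on busy links: the report stays small and the aggregated IP signals "many sources" rather than listing each one.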

Configuring Out-of-Path Settings for DefensePro

When you install DefensePro outside the critical path of the traffic, you can configure Out-of-Path Mode to mitigate DoS attacks using the capabilities of the router's access list. When the device operates in Out-of-Path mode, the traffic is copied to the device and inspected separately from the main traffic route. When an attack is identified, Behavioral DoS translates the attack footprint into a router Access List (ACL) command and configures the router accordingly.

Note: The feature works on Cisco routers that have the capability to mirror an interface and accept ACL commands to reroute traffic. This feature was tested on Cisco 6509 IOS 12.2.

To configure out-of-path settings

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Out of Path.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 34: Out of Path Parameters

Enable Out of Path Mode
You must enable this option and reboot the device before you can configure out-of-path settings. When Out of Path is enabled, the only available protection is BDoS.

Router IP Address
The IP address of the organization's router that manages all the incoming traffic.

Router's Enable Password
The administrator's password for the router.

Verify Password
Verification of the password for the router.


SSH User Name
The name of the SSH user.

SSH Password
The password of the SSH user.

Verify SSH Password
Verification of the password for the SSH user.

Router Interface for Receiving Traffic
The router interface that is being monitored; traffic from it will be redirected.

Configuring Session Table Settings

DefensePro includes a Session table, which tracks sessions bridged and forwarded by the device.

To configure Session table settings

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Session Table Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 35: Session Table Parameters

Basic Parameters

Enable Session Table
Specifies whether the device uses the Session table. Default: Enabled.

Session Aging Parameters

Note: When the Access Control List (ACL) feature is enabled, aging times are determined by the relevant ACL parameters.

Idle TCP-Session Aging Time
The time, in seconds, that the Session table keeps idle TCP sessions. Values: 1–7200. Default: 100.

Idle UDP-Session Aging Time
The time, in seconds, that the Session table keeps idle UDP sessions. Values: 1–7200. Default: 100.

Idle SCTP-Session Aging Time
The time, in seconds, that the Session table keeps idle SCTP sessions. Values: 1–7200. Default: 100.


Idle ICMP-Session Aging Time
The time, in seconds, that the Session table keeps idle ICMP sessions. Values: 1–7200. Default: 100.

Idle GRE-Session Aging Time
The time, in seconds, that the Session table keeps idle GRE sessions. Values: 1–7200. Default: 100.

Idle Other-Protocol-Session Aging Time
The time, in seconds, that the Session table keeps idle sessions of protocols other than TCP, UDP, SCTP, ICMP, or GRE. Values: 1–7200. Default: 100.

Incomplete TCP Handshake Timeout
How long, in seconds, the device waits for the three-way handshake to complete for a new TCP session. When the timeout elapses, the device deletes the session and, if the Send Reset To Server checkbox is selected, sends a reset packet to the server. Values:
- 0: The device uses the specified Session Aging Time.
- 1–10: The TCP Handshake Timeout, in seconds.
Default: 10.

Advanced Parameters

Remove Session Entry at Session End
Specifies whether the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session within the Remove Session Entry at Session End Timeout period. Default: Enabled.

Remove Session Entry at Session End Timeout
(This option is available only if Remove Session Entry at Session End is enabled.) When Remove Session Entry at Session End is enabled, the time, in seconds, after which the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session. Values: 0–60. Default: 5.

Send Reset to Destination of Aged TCP Connection
Specifies whether the DefensePro device sends a RST packet to the destination of aged TCP sessions. Values:
- Enabled: DefensePro sends a RST packet to the destination and cleans the entry in the DefensePro Session table.
- Disabled: DefensePro ages the session normally (using the short SYN timeout), but the destination might hold the session for quite some time.
Default: Disabled.


Session-Table-Full Action
The action that the device takes when the Session Table is at full capacity. Values:
- Allow new traffic: The device bypasses new sessions until the Session table has room for new entries.
- Block new traffic: The device blocks new sessions until the Session table has room for new entries.
Default: Allow new traffic.

Alert-Start Threshold
The percentage of full capacity of the Session Table at which the device starts issuing alerts. Default: 95.

Alert-Stop Threshold
The percentage of full capacity of the Session Table at which the device stops issuing alerts. Default: 90.

Lookup Mode
The layer of address information that is used to categorize packets in the Session table. Values:
- Full L4: An entry exists in the Session table for each source IP, source port, destination IP, and destination port combination of packets passing through the device.
- L4 Destination Port: Enables traffic to be recorded based only on the TCP/UDP destination port. This mode uses minimal Session table resources (only one entry for each port that is secured).
Default: Full L4.
Caution: Radware recommends that you always use the Full L4 option. When the Session Table Lookup Mode is L4 Destination Port, the following protections do not work: ACL, Anti Scanning, Connection Packet Rate Limit, Connection Rate Limit, HTTP Mitigator, HTTP Replies Signatures, Out-of-State protection, Server Cracking, and SYN Protection.

Disable Session Aging
(This option is available only for L4 Destination Port Lookup Mode.) When enabled, the device enables aging of sessions in the Session table. Default: Disabled.
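The Session table parameters above interact: the Lookup Mode decides what a "session" is, the idle aging times decide when an entry is evicted, the Session-Table-Full Action decides what happens to a session that cannot be tracked, and the Alert-Start/Alert-Stop pair forms a hysteresis band. The following is an added example, not Radware's code, that models those four behaviours on constructed traffic so the consequences of each setting can be seen side by side. The class, method names and the exact comparison operators at the thresholds are assumptions made for this illustration.

```python
"""Constructed model of a Session table with the Table 35 tuning knobs.

Added example, not Radware's code. It shows what Lookup Mode changes about the
table key, how per-protocol idle aging evicts entries, what Session-Table-Full
Action does to a new session, and the Alert-Start/Alert-Stop hysteresis. The
class and method names are assumptions made for this illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp", "sctp", "icmp", "gre", or anything else
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# Idle aging per protocol, in seconds (the Table 35 defaults are all 100).
DEFAULT_AGING = {"tcp": 100, "udp": 100, "sctp": 100, "icmp": 100, "gre": 100, "other": 100}


class SessionTable:
    def __init__(self, capacity, lookup_mode="full_l4", full_action="allow",
                 alert_start=95, alert_stop=90, aging=None):
        self.capacity = capacity
        self.lookup_mode = lookup_mode        # "full_l4" or "l4_dst_port"
        self.full_action = full_action        # "allow" (bypass) or "block"
        self.alert_start = alert_start        # percent of capacity
        self.alert_stop = alert_stop
        self.aging = dict(DEFAULT_AGING, **(aging or {}))
        self.sessions = {}                    # key -> (proto, last_seen)
        self.alerting = False

    def key_for(self, pkt):
        """Full L4 keys on the 5-tuple; L4 Destination Port keys on the port only."""
        if self.lookup_mode == "full_l4":
            return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if self.lookup_mode == "l4_dst_port":
            return (pkt.proto, pkt.dst_port)
        raise ValueError(f"unknown lookup mode {self.lookup_mode!r}")

    def age_out(self, now):
        """Evict entries idle longer than their protocol's aging time; return the count."""
        expired = [k for k, (proto, last) in self.sessions.items()
                   if now - last > self.aging.get(proto, self.aging["other"])]
        for k in expired:
            del self.sessions[k]
        self._update_alert_state()
        return len(expired)

    def lookup(self, pkt, now):
        """Classify a packet: 'existing', 'new', or 'bypassed'/'blocked' when full."""
        self.age_out(now)
        key = self.key_for(pkt)
        if key in self.sessions:
            self.sessions[key] = (pkt.proto, now)     # refresh the idle timer
            return "existing"
        if len(self.sessions) >= self.capacity:
            # Session-Table-Full Action: forward the untracked session or drop it.
            return "bypassed" if self.full_action == "allow" else "blocked"
        self.sessions[key] = (pkt.proto, now)
        self._update_alert_state()
        return "new"

    def fill_percent(self):
        return 100.0 * len(self.sessions) / self.capacity

    def _update_alert_state(self):
        # Hysteresis: alerts start at Alert-Start and stop only once usage has
        # fallen back to Alert-Stop, so a table hovering near capacity does not flap.
        pct = self.fill_percent()
        if not self.alerting and pct >= self.alert_start:
            self.alerting = True
        elif self.alerting and pct <= self.alert_stop:
            self.alerting = False


def flows(n, dst_port=80):
    """Constructed traffic: n TCP flows from distinct sources to one service."""
    return [Packet("tcp", f"192.0.2.{i}", 40000 + i, "198.51.100.5", dst_port)
            for i in range(1, n + 1)]


if __name__ == "__main__":
    table = SessionTable(capacity=20)
    for pkt in flows(20):
        table.lookup(pkt, now=0)
    print("fill:", table.fill_percent(), "alerting:", table.alerting)
    extra = Packet("tcp", "192.0.2.99", 1, "198.51.100.5", 80)
    print("21st flow:", table.lookup(extra, now=1))
    print("aged out at t=150:", table.age_out(now=150), "alerting:", table.alerting)
```

Running the model with a 20-entry table shows why Full L4 is the recommended mode: twenty flows to one web service occupy twenty entries and the twenty-first is bypassed (or blocked, with the other full action), whereas in L4 Destination Port mode the same flows share a single entry and the per-flow protections listed in the Caution have nothing to key on. The hysteresis also shows why Alert-Stop sits below Alert-Start: usage oscillating around 95% raises one alert, not one per packet.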


Configuring Suspend Settings

DefensePro can suspend traffic from an IP address that was the source of an attack for a defined period of time. Dynamic blocking duration is implemented by the Anti-Scanning and Server Cracking protections, based on the suspend settings that you configure. (Although connection-rate limits and intrusion signatures can be set manually to suspend the source, they do not support dynamic duration.) The dynamic blocking duration is usually set by the DefensePro Anti-Scanning and Server Cracking protections as follows:
- The initial suspend time period cannot be lower than the Minimal Aging Timeout.
- Each additional time the same source is suspended, the suspension length is doubled until it reaches the Maximal Aging Timeout.
- When the suspension length has reached the maximum length allowed, it remains constant for each additional suspension.

To configure Suspend-table settings

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Suspend Table Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 36: Suspend Table Parameters

Minimal Aging Timeout
The time, in seconds, for which DefensePro suspends first-time offending source IP addresses. Default: 10.

Maximal Aging Timeout
The maximal time, in seconds, for which DefensePro suspends a specific source. Each time DefensePro suspends the same source, the suspension length doubles until it reaches the Maximal Aging Timeout. Default: 600.

Maximum Entries with Same Source IP
The number of times DefensePro suspends the same source IP address before DefensePro suspends all traffic from that source IP address, regardless of the specified Suspend Action. For example, if the value for this parameter is 4 and the specified Suspend Action is SrcIP-DstIP-SrcPort-DstPort, DefensePro suspends all traffic from a source IP address that had an entry in the Suspend list more than four times, even if the destination IP address, source port, and destination port were different for the previous updates to the Suspend table. This parameter is irrelevant when the specified Suspend Action is SrcIP. Values:
- 0: The device does not implement the feature.
- 1–10: The number of times.
Default: 0.
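The doubling rule and the Maximum Entries with Same Source IP escalation are simple to state but easy to misjudge when sizing the Suspend table, so the following added example (not Radware's code) works them through: it computes the suspension lengths for repeat offenders with the default 10/600-second timeouts, and models the switch from a 4-tuple entry to a source-wide entry once the configured count is exceeded. The class and method names, and the handling of expired entries, are assumptions made for this illustration.

```python
"""Constructed model of Suspend-table timing (added example, not Radware's code).

It applies the rules in this section: a first suspension lasts Minimal Aging
Timeout, each repeat suspension of the same source doubles the length until
Maximal Aging Timeout is reached, and once Maximum Entries with Same Source IP
is exceeded the whole source is suspended regardless of the Suspend Action.
Class and method names are assumptions made for this illustration.
"""


def suspension_lengths(repeats, minimal=10, maximal=600):
    """Suspension length, in seconds, for the 1st..nth suspension of one source."""
    lengths = []
    length = minimal
    for _ in range(repeats):
        lengths.append(length)
        length = min(length * 2, maximal)  # doubles, then stays at the maximum
    return lengths


class SuspendTable:
    def __init__(self, minimal=10, maximal=600, max_same_source=0,
                 action="SrcIP-DstIP-SrcPort-DstPort"):
        self.minimal = minimal
        self.maximal = maximal
        self.max_same_source = max_same_source   # 0 disables the escalation
        self.action = action                     # "SrcIP" or the 4-tuple action
        self.times_suspended = {}                # src_ip -> count so far
        self.entries = {}                        # key -> expiry time

    def suspend(self, src_ip, dst_ip, src_port, dst_port, now):
        """Record a suspension; returns (key, length) of the entry added."""
        n = self.times_suspended.get(src_ip, 0)
        length = min(self.minimal * (2 ** n), self.maximal)
        self.times_suspended[src_ip] = n + 1
        escalate = (self.max_same_source > 0
                    and self.times_suspended[src_ip] > self.max_same_source)
        if self.action == "SrcIP" or escalate:
            key = (src_ip,)                      # all traffic from the source
        else:
            key = (src_ip, dst_ip, src_port, dst_port)
        self.entries[key] = now + length
        return key, length

    def is_suspended(self, src_ip, dst_ip, src_port, dst_port, now):
        """True if a source-wide or a matching 4-tuple entry is still live."""
        for key in ((src_ip,), (src_ip, dst_ip, src_port, dst_port)):
            expiry = self.entries.get(key)
            if expiry is None:
                continue
            if now < expiry:
                return True
            del self.entries[key]                # the entry has aged out
        return False


if __name__ == "__main__":
    print(suspension_lengths(8))   # [10, 20, 40, 80, 160, 320, 600, 600]
    table = SuspendTable(max_same_source=4)
    # Constructed scenario: one source hits SSH on a server five times, each
    # time from a different source port, so each of the first four entries is a
    # distinct 4-tuple; the fifth suspension escalates to the whole source.
    for i in range(5):
        key, length = table.suspend("203.0.113.7", "198.51.100.5", 50000 + i, 22, now=0)
        print(i + 1, key, length)
```

Two things are worth noticing in the output. With the defaults, a source reaches the 600-second ceiling on its seventh suspension, so Maximal Aging Timeout bounds how long a mis-classified legitimate host can be kept out. And with Maximum Entries with Same Source IP set to 4, the fifth suspension produces a source-wide entry, after which traffic from that source to any other destination is also suspended until that entry expires; each of those entries still consumes one of the Max. Number of Source IPs in Suspend Table slots from the security tuning table.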


Configuring the Device Event Scheduler

Some network policy rules remain inactive during certain hours of the day, or are activated only during others. For example, a school library may want to block instant messaging during school hours but allow it after school hours, or an enterprise may assign high priority to mail traffic between 08:00 and 10:00. You can schedule the activation and deactivation of specific policy rules on the device by using the Event Scheduler to create schedules and then attaching them to a policy rule's configuration. Schedules define a date and time for specific actions.

To configure the event scheduler

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Event Scheduler.
2. Do one of the following:
   - To add a schedule, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 37: Scheduled Event Parameters

Task Name
The name of the schedule.

Frequency
How often the event occurs. Values: daily, once, weekly. Default: once.

Time
The time on the designated day, in the format hhmm. When multiple days are selected, the value is the same for all the configured days.

Date
If the event frequency is once, configure the date on which the event occurs, in the DD/MM/YYYY format.

Days of Week
If the selected event frequency is weekly, select the day or days on which the event occurs.

Configuring Tunneling Inspection


Carriers, service providers, and large organizations use various tunneling protocols to transmit data from one location to another. This is done over the IP network so that network elements are unaware of the data encapsulated in the tunnel. Tunneling implies that traffic routing is based on source and destination IP addresses. When tunneling is used, IPS devices and load balancers cannot locate the relevant information, because their decisions are based on information located at a known offset inside the IP packet, and the original IP packet is encapsulated in the tunnel. To provide a carrier-grade IPS/DoS solution, DefensePro inspects traffic inside tunnels, which allows DefensePro to be positioned at peering points and carrier network access points.

You can install DefensePro in different environments, which might include encapsulated traffic using different tunneling protocols. In general, wireline operators deploy MPLS and L2TP for their tunneling, and mobile operators deploy GRE and GTP. DefensePro can inspect traffic that may use various encapsulation protocols. In some cases, the external header (tunnel data) is the data that DefensePro needs to inspect. In other cases, DefensePro needs to inspect the internal data (IP header and even the payload). You can configure DefensePro to meet your specific inspection requirements.

Note: DefensePro does not support QinQ (802.1ad) encapsulated traffic.

Caution: Changing the configuration of this feature takes effect only after a device reset.

To configure tunneling inspection

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tunneling Inspection.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Configuring SNMP

Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the exchange of management information between APSolute Vision and network devices. Radware devices can work with all versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3. The default Radware user is configured in SNMPv1.

Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at the APSolute Vision are discarded.

Note: When you add a Radware device to APSolute Vision using SNMPv3, the user name and authentication details must match one of the users configured on the device.

The following topics describe the procedures to configure SNMP on a selected device:
- Configuring SNMP Users, page 107
- Configuring SNMP Community Settings, page 108
- Configuring the SNMP Group Table, page 109
- Configuring SNMP Access Settings, page 109
- Configuring SNMP Notify Settings, page 110
- Configuring SNMP View Settings, page 111
- Configuring the SNMP Target Parameters Table, page 112
- Configuring SNMP Target Addresses, page 113

Configuring SNMP Users


With SNMPv3 user-based management, each user can have different permissions based on the user name and authentication method. You define the users who can connect to the device, and store the access parameters for each SNMP user.

Note: In the SNMP configuration, a user name is also known as a security name.

To configure an SNMP user for a device connected with SNMPv3 with Authentication and Privacy

1. In the Configuration perspective Device Security tab navigation pane, select SNMP > SNMP User Table.
2. Do one of the following:
   - To add a user, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the SNMP user parameters and click OK.

Table 38: SNMP User Parameters

User Name
The user name, also known as a security name. The name can be up to 18 characters.

Authentication Protocol
The protocol used during the authentication process. Values: None, MD5, SHA. Default: None.

Authentication Password
If an authentication protocol is specified, enter an authentication password.

Privacy Protocol
The algorithm used for encryption. Values:
- None: The data is not encrypted.
- DES: The device uses the Data Encryption Standard.
Default: None.

Privacy Password
If a privacy protocol is specified, enter a user privacy password.
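The Authentication Password and Privacy Password entered in Table 38 are not sent on the wire; the SNMPv3 User-based Security Model (RFC 3414) turns each password into a key and then localizes that key to the device's snmpEngineID, which is why the note above requires the user and credentials in APSolute Vision to match a user configured on the device. The following is an added example, not Radware's or DefensePro's code, implementing that standard derivation with the RFC 3414 Appendix A test vector; the second engine ID is a constructed value used only to show that the same password yields a different key on another device.

```python
"""Added example (not Radware's code): the SNMPv3 USM key derivation of RFC 3414.

RFC 3414 Appendix A.2 turns a password into a key (Ku) and then localizes it to
the agent's snmpEngineID (Kul), so the same password yields a different key on
every device. The MD5 and SHA choices correspond to the Authentication
Protocol values in Table 38.
"""
import hashlib

# The standard expands the password to exactly 1,048,576 bytes before hashing.
_EXPANDED_LEN = 1_048_576


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku = H(password repeated cyclically to 1,048,576 bytes); H is md5 or sha1."""
    if not password:
        raise ValueError("empty password")
    repeats = _EXPANDED_LEN // len(password) + 1
    expanded = (password * repeats)[:_EXPANDED_LEN]
    return hashlib.new(algorithm, expanded).digest()


def localize_key(ku: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku), RFC 3414 section 2.6 and A.2."""
    return hashlib.new(algorithm, ku + engine_id + ku).digest()


def usm_keys(password: bytes, engine_id: bytes, algorithm: str) -> dict:
    """Derive both keys and return them hex-encoded."""
    ku = password_to_key(password, algorithm)
    kul = localize_key(ku, engine_id, algorithm)
    return {"ku": ku.hex(), "kul": kul.hex()}


def des_privacy_material(kul: bytes) -> tuple:
    """For the DES privacy protocol (RFC 3414 section 8.1.1.1) the first 8 octets
    of the localized privacy key are the DES key and the next 8 are the pre-IV."""
    return kul[:8], kul[8:16]


# Test vector from RFC 3414 Appendix A.3: password "maplesyrup" and the
# 12-octet engine ID 00 00 00 00 00 00 00 00 00 00 00 02.
RFC_PASSWORD = b"maplesyrup"
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# A second, constructed engine ID to show that localization is per device.
OTHER_ENGINE_ID = bytes.fromhex("800000020109840301")

if __name__ == "__main__":
    for alg in ("md5", "sha1"):
        print(alg, usm_keys(RFC_PASSWORD, RFC_ENGINE_ID, alg))
        print(alg, "other device:", usm_keys(RFC_PASSWORD, OTHER_ENGINE_ID, alg)["kul"])
```

Because Kul depends on the engine ID, a key captured or copied from one device is of no use against another, and a password change on the device invalidates the manager's stored credentials immediately. Of the two authentication protocols offered in Table 38, SHA is the stronger choice; MD5 and DES are retained here only because the device supports them.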


Configuring SNMP Community Settings


The SNMP Community Table is used only for SNMP versions 1 and 2 to associate community strings with users. When a user connects to a device with SNMPv1 or SNMPv2, the device checks the community string sent in the SNMP packet and maps it to a predefined user, which belongs to a group with certain access rights. Therefore, when working with SNMPv1 or SNMPv2, users, groups, and access must be defined. Use the Community Table to associate community strings with user names and vice versa, and to restrict the range of addresses from which SNMP requests are accepted and to which traps can be sent.

Note: You cannot change the community string associated with the user name that you are currently using.

To configure SNMP community settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Community.
2. Do one of the following:
   - To add an SNMP community entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure SNMP community parameters and click OK.

Table 39: SNMP Community Parameters

Index: A descriptive name for this entry. This name cannot be modified after creation.
    Default: public

Community Name: The community string.
    Default: public

Security Name: The security name identifies the SNMP community used when the notification is generated.
    Default: public

Transport Tag: Specifies a set of target addresses from which the device accepts SNMP requests and to which traps can be sent. The target addresses identified by this tag are defined in the SNMP Target Addresses table. At least one entry in the SNMP Target Addresses table must include the specified transport tag. If no tag is specified, addresses are not checked when an SNMP request is received or when a trap is sent.


Configuring the SNMP Group Table


SNMPv3 permissions are defined for groups of users. If, based on the connection method, there is a need to grant different permissions to the same user, you can associate a user to more than one group. You can create multiple entries with the same group name for different users and security models. Access rights are defined for groups of users in the SNMP Access table.

To configure SNMP group settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Group Table.
2. Do one of the following:
   - To add a group entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 40: SNMP Group Parameters

Group Name: The name of the SNMP group.

Security Model: The SNMP version that represents the required security model. Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. By selecting the SNMP version for this parameter, you determine the permissions set to be used.
    Values: SNMPv1, SNMPv2c, User Based (SNMPv3)
    Default: SNMPv1

Security Name: If the User Based security model is used, the security name identifies the user that is used when the notification is generated. For other security models, the security name identifies the SNMP community used when the notification is generated.

Configuring SNMP Access Settings


The SNMP Access table binds groups and security models with SNMP views, which define subsets of MIB objects. You can define which MIB objects can be accessed for each group and security model. MIB objects can be accessed for a read, write, or notify action based on the Read View Name, Write View Name, and Notify View Name parameters.


To configure SNMP access settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Access.
2. Do one of the following:
   - To add an access entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure SNMP access parameters and click OK.

Table 41: SNMP Access Parameters

Group Name: The name of the group.

Security Model: Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. Select the SNMP version that represents the required Security Model to determine the permissions set to be used.
    Values: SNMPv1, SNMPv2c, User Based (that is, SNMPv3)
    Default: SNMPv1

Security Level: The security level required for access.
    Values:
        No Authentication: No authentication or privacy is required.
        Authentication & No Privacy: Authentication is required, but privacy is not required.
        Authentication & Privacy: Both authentication and privacy are required.
    Default: No Authentication

Read View Name: The name of the View that specifies which objects in the MIB tree are readable by this group.

Write View Name: The name of the View that specifies which objects in the MIB tree are writable by this group.

Notify View Name: The name of the View that specifies which objects in the MIB tree can be accessed in notifications (traps) by this group.

Configuring SNMP Notify Settings


You can select management targets that receive notifications and the type of notification to be sent to each selected management target. The Tag parameter identifies a set of target addresses. An entry in the Target Address table that contains a tag specified in the Notify table receives notifications.


To configure SNMP notification settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Notify.
2. Do one of the following:
   - To add an SNMP notify entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure SNMP notify parameters and click OK.

Table 42: SNMP Notify Parameters

Name: A descriptive name for this entry, for example, the type of notification.

Tag: A string that defines the target addresses that are sent this notification. All the target addresses that have this tag in their tag list are sent this notification.

Configuring SNMP View Settings


You can define subsets of the MIB tree for use in the Access Table. Different entries may have the same name. The union of all entries with the same name defines the subset of the MIB tree and can be referenced in the Access Table through its name.

To configure SNMP view settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > View.
2. Do one of the following:
   - To add an SNMP view entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure SNMP view parameters and click OK.

Table 43: SNMP View Parameters

View Name: The name of this entry.
    Note:

Sub-Tree: The Object ID of a subtree of the MIB.

Type: Specifies whether the object defined in the entry is included or excluded in the MIB view.
    Values: Included, Excluded
    Default: Included


Configuring the SNMP Target Parameters Table


The Target Parameters table defines message-processing and security parameters that are used in sending notifications to a particular management target. Entries in the Target Parameters table are referenced in the Target Address table.

To configure SNMP target parameters


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Target Parameters Table.
2. Do one of the following:
   - To add a target parameters entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure target parameter settings and click OK.

Table 44: SNMP Target Parameters

Name: The name of the target parameters entry. Maximum characters: 32

Message Processing Model: The SNMP version to use when generating SNMP notifications.
    Values: SNMPv1, SNMPv2c, SNMPv3
    Default: SNMPv1
    Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at the APSolute Vision are discarded.

Security Model: The SNMP version that represents the required Security Model. Security models are predefined sets of permissions that can be used by the groups. These sets are defined according to the SNMP versions. By selecting the SNMP version for this parameter, you determine the permissions set to be used.
    Values: SNMPv1, SNMPv2c, User Based (that is, SNMPv3)
    Default: SNMPv1
    Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at the APSolute Vision are discarded.

Security Name: If the User Based security model is used, the security name identifies the user that is used when the notification is generated. For other security models, the security name identifies the SNMP community used when the notification is generated.

Security Level: Specifies whether the trap is authenticated and encrypted before it is sent.
    Values:
        No Authentication: No authentication or privacy is required.
        Authentication and No Privacy: Authentication is required, but privacy is not required.
        Authentication and Privacy: Both authentication and privacy are required.
    Default: No Authentication

Configuring SNMP Target Addresses


In SNMPv3, the Target Addresses table contains transport addresses to be used in the generation of traps. If the tag list of an entry contains a tag from the SNMP Notify Table, this target is selected for reception of notifications. For SNMP versions 1 and 2, this table is used to restrict the range of addresses from which SNMP requests are accepted and to which SNMP traps may be sent. If the Transport Tag of an entry in the community table is not empty, it must be included in one or more entries in the Target Address Table.

To configure SNMP target addresses


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Target Address.
2. Do one of the following:
   - To add a target address, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure target address parameters and click OK.

Table 45: SNMP Target Address Parameters

Name: The name of the target address entry.

IP Address and L4 Port [IP-port number]: The IP address of the management station (APSolute Vision server) and TCP port to be used as the target of SNMP traps. The format of the values is <IP address>-<TCP port>, where <TCP port> must be 162. For example, if the value for IP Address and L4 Port is 1.2.3.4-162, 1.2.3.4 is the IP address of the APSolute Vision server and 162 is the port number for SNMP traps.
    Note: APSolute Vision listens for traps only on port 162.

Mask: A subnet mask of the management station.

Tag List: Specifies sets of target addresses. Tags are separated by spaces. The tags contained in the list may be either tags from the Notify table or Transport tags from the Community table. Each tag can appear in more than one tag list. When a significant event occurs on the network device, the tag list identifies the targets to which a notification is sent.
    Default: v3Traps

Target Parameters Name: The set of target parameters to be used when sending SNMP Traps. Target parameters are defined in the Target Parameters table.
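The SNMP tables above reference each other (community Transport Tag to Target Address tag list, Notify tag to Target Address, Target Address to Target Parameters, trap port 162), and a dangling reference silently means no trap is delivered. The following added example (my code, not DefensePro's or APSolute Vision's) checks a constructed set of those tables for exactly those links; the dict keys are my shorthand for the guide's parameter names, and the one rule not taken from the guide (a user's protocols must cover the Security Level chosen in Target Parameters) is labelled in the code.

```python
"""Cross-reference checks for the SNMP tables described above.

Added example, not DefensePro code: the dict keys are my shorthand for the
guide's parameter names and the configuration at the bottom is constructed.
"""
import ipaddress
import re

TRAP_PORT = 162  # APSolute Vision listens for traps only on port 162
LEVELS = ["No Authentication", "Authentication and No Privacy",
          "Authentication and Privacy"]


def parse_ip_port(value):
    """Parse the '<IP address>-<port>' form of IP Address and L4 Port."""
    m = re.fullmatch(r"([^-]+)-(\d+)", value)
    if not m:
        raise ValueError(f"expected <IP address>-<port>, got {value!r}")
    ip = ipaddress.ip_address(m.group(1))  # raises on a malformed address
    return str(ip), int(m.group(2))


def notify_targets(cfg, notify_name):
    """Target addresses whose Tag List contains the Notify entry's tag."""
    tag = next(n["tag"] for n in cfg["notify"] if n["name"] == notify_name)
    return [t["name"] for t in cfg["targets"] if tag in t["tags"].split()]


def user_level(user):
    """Highest security level (index into LEVELS) the user's protocols allow."""
    if user["priv"] != "None":
        return 2
    return 1 if user["auth"] != "None" else 0


def check_config(cfg):
    """Return a list of problems; an empty list means the tables agree."""
    problems = []
    users = {u["name"]: u for u in cfg["users"]}
    communities = {c["security_name"] for c in cfg["communities"]}
    param_names = {p["name"] for p in cfg["target_params"]}
    all_tags = {tag for t in cfg["targets"] for tag in t["tags"].split()}
    for u in cfg["users"]:
        if len(u["name"]) > 18:  # Table 38: up to 18 characters
            problems.append(f"user {u['name']!r}: name exceeds 18 characters")
    for c in cfg["communities"]:
        # Table 39: a non-empty Transport Tag must appear in some Tag List
        if c["transport_tag"] and c["transport_tag"] not in all_tags:
            problems.append(f"community {c['index']!r}: transport tag matches no target")
    for p in cfg["target_params"]:
        name, sec = p["name"], p["security_name"]
        if p["mp_model"] == "SNMPv2c":  # Table 44 caution
            problems.append(f"target params {name!r}: SNMPv2c traps are discarded")
        if p["security_model"] == "User Based":
            u = users.get(sec)
            if u is None:
                problems.append(f"target params {name!r}: unknown user {sec!r}")
            # USM rule (RFC 3414), not stated in the guide: a user with no
            # privacy protocol cannot send authPriv notifications, and so on.
            elif user_level(u) < LEVELS.index(p["security_level"]):
                problems.append(f"target params {name!r}: user {sec!r} cannot "
                                f"provide {p['security_level']}")
        elif sec not in communities:
            problems.append(f"target params {name!r}: unknown community {sec!r}")
    for t in cfg["targets"]:
        try:
            _, port = parse_ip_port(t["ip_port"])
            if port != TRAP_PORT:
                problems.append(f"target {t['name']!r}: port {port} is not {TRAP_PORT}")
        except ValueError as exc:
            problems.append(f"target {t['name']!r}: {exc}")
        if t["params"] not in param_names:
            problems.append(f"target {t['name']!r}: unknown target parameters")
    for n in cfg["notify"]:
        if n["tag"] not in all_tags:
            problems.append(f"notify {n['name']!r}: tag {n['tag']!r} selects no target")
    return problems


# Constructed configuration (not from a real device); three entries are wrong.
EXAMPLE = {
    "users": [{"name": "v3admin", "auth": "SHA", "priv": "DES"},
              {"name": "v3reader", "auth": "MD5", "priv": "None"}],
    "communities": [{"index": "default", "community": "public",
                     "security_name": "public", "transport_tag": "mgmt"}],
    "target_params": [
        {"name": "v3params", "mp_model": "SNMPv3", "security_model": "User Based",
         "security_name": "v3admin", "security_level": "Authentication and Privacy"},
        {"name": "v3weak", "mp_model": "SNMPv3", "security_model": "User Based",
         "security_name": "v3reader", "security_level": "Authentication and Privacy"},
        {"name": "v1params", "mp_model": "SNMPv1", "security_model": "SNMPv1",
         "security_name": "public", "security_level": "No Authentication"}],
    "targets": [{"name": "vision", "ip_port": "192.0.2.10-162",
                 "tags": "v3Traps mgmt", "params": "v3params"},
                {"name": "legacy", "ip_port": "192.0.2.11-161",
                 "tags": "v3Traps", "params": "v1params"}],
    "notify": [{"name": "all", "tag": "v3Traps"},
               {"name": "lab-only", "tag": "lab"}],
}
```

Running check_config(EXAMPLE) reports the v3weak entry (its user has no privacy protocol), the legacy target (port 161) and the lab-only notify entry (no target carries the tag).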

Configuring Device Users


For each DefensePro device, you can configure a list of users who are authorized to access that device through any enabled access method (Web, Telnet, SSH, SWBM). When configuration tracing is enabled, users can receive e-mail notifications of changes made to the device.

To configure a device user for a selected device


1. In the Configuration perspective Device Security tab navigation pane, select Users Table.
2. Do one of the following:
   - To add a user, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 46: Device User Parameters

User Name: The name of the user.

Password: The password of the user. Then, repeat to verify.

Email Address: The e-mail address of the user to which notifications will be sent.

Minimal Severity for Sending Traps: The minimum severity level of traps sent to this user.
    Values:
        None: The user receives no traps.
        Info: The user receives traps with severity Info or higher.
        Warning: The user receives Warning, Error, and Fatal traps.
        Error: The user receives Error and Fatal traps.
        Fatal: The user receives Fatal traps only.
    Default: None

Enable Configuration Tracing: When selected, the specified user receives notifications of configuration changes made in the device. Every time the value of a configurable variable changes, information about all the variables in the same MIB entry is reported to the specified users. The device gathers reports and sends them in a single notification message when the buffer is full or when the timeout of 60 seconds expires. The notification message contains the following details:
    - Name of the MIB variable that was changed.
    - New value of the variable.
    - Time of configuration change.
    - Configuration tool that was used (APSolute Vision, Telnet, SSH, WBM).
    - User name, when applicable.

Access Level: The user's level of access to the WBM and CLI.
    Default: Read-Write

To configure the advanced parameter for the device users


1. In the Configuration perspective Device Security tab navigation pane, select Users Table.
2. In the Advanced Parameters group box, configure the parameter; and then, click OK.

Table 47: Advanced Parameters for the Device Users

Authentication Mode: The method of authenticating a user's access to the device.
    Values:
        Local User Table: The device uses the User Table to authenticate access.
        Radius: The device uses the RADIUS servers to authenticate access.
        Radius and Local User Table: The device uses the RADIUS servers to authenticate access. If the request to the RADIUS server times out, the device uses the User Table to authenticate access.
    Default: Local User Table


Configuring Access Permissions on Physical Ports


Access to devices can be limited to specified physical interfaces. Interfaces connected to insecure network segments can be configured to discard some or all management traffic directed at the device itself. Administrators can allow certain types of management traffic to a device (for example, SSH), while denying others such as SNMP. If an intruder attempts to access the device through a disabled port, the device denies access, and generates syslog and CLI traps as notification.

To configure access permissions for a selected device


1. In the Configuration perspective Device Security tab navigation pane, select Advanced.
2. To edit permissions for a port, double-click the relevant row.
3. Select or clear the checkboxes to allow or deny access; and then, click OK.

Table 48: Port Permission Parameters

Port: (Read-only) The name of the physical port.

SNMP Access: When selected, allows access to the port using SNMP.

Telnet Access: When selected, allows access to the port using Telnet.
    Note: In AppDirector 2.31.03 and later, you can open up to five (5) simultaneous Telnet sessions.

SSH Access: When selected, allows access to the port using SSH.

Web Access: When selected, allows access to the port using WBM.

SSL Access: When selected, allows access to the port using SSL.

Configuring Port Pinging


You can define which physical interfaces can be pinged. When a ping is sent to an interface for which ping is not allowed, the packet is discarded. By default, all the interfaces of the device allow pings.

To define the ports to be pinged


1. In the Configuration perspective Device Security tab navigation pane, select Advanced > Ping Ports.
2. To edit port ping settings, double-click the relevant row.
3. Select or clear the checkbox to allow or not allow pinging, then click OK.


Chapter 4 Device Network Configuration


You can perform the following networking configuration tasks for managed devices:
- Configuring Device IP Interfaces, page 117
- Managing IP Routing, page 118
- Configuring Ports, page 121
- Configuring the Basic Network Parameters, page 124
- Configuring Port Pairs, page 127

Configuring Device IP Interfaces


DefensePro performs routing between all IP interfaces defined on its Layer 2 interfaces (ports, trunks, and VLANs). DefensePro also performs routing based on other network layers, such as Layer 4 and Layer 7.

To configure IP interfaces
1. In the Configuration perspective Networking tab navigation pane, select IP Management.
2. Do one of the following:
   - To add an IP interface, click the (Add) button.
   - To edit an IP interface, double-click the row.
3. Configure the parameters; and then, click OK.

Table 49: IP Interface Parameters

IP Address: IP address of the interface.

Mask: The associated subnet mask.

Port: The interface identifier, for example, G-1.

Forward Broadcast: Specifies whether the device forwards incoming broadcasts to this interface.
    Default: Enabled

Broadcast Address: Specifies whether to fill the host ID in the broadcast address with ones or zeros.
    Values:
        Fill 1: Fill the host ID in the broadcast address with ones.
        Fill 0: Fill the host ID in the broadcast address with zeros.
    Default: Fill 1

VLAN Tag: The VLAN tag to be associated with this IP Interface. When multiple VLANs are associated with the same switch port, the switch must identify to which VLAN to direct incoming traffic from that specific port. VLAN tagging provides an indication in the Layer 2 header that enables the switch to make the correct decision.

Peer Address: The IP address of the interface on the peer device, which is required in a redundant configuration, that is, a cluster for high availability.
    Default: 0.0.0.0

Managing IP Routing
DefensePro devices forward IP packets to their destination using an IP routing table. This table stores information about the destinations and how they can be reached. By default, all networks directly attached to the device are registered in the IP routing table. Other entries can either be statically configured or dynamically created through the routing protocol.

Configuring IP Routing
IP routing is performed between DefensePro IP interfaces, while bridging is performed within an IP interface that contains an IP address associated with a VLAN.

To configure IP routing
1. In the Configuration perspective Networking tab navigation pane, select IP Management > IP Routing.
2. Do one of the following:
   - To add a static route, click the (Add) button.
   - To edit a static route, double-click the row.
3. Configure the static route settings and click OK.
4. Configure global advanced parameters, if required.

Notes:
- When editing a static route, you can modify only the Via Interface and Metric fields.
- The Type field is displayed only in the Static Routes Table, not in the dialog box. It cannot be configured.


Enable Proxy ARP: When enabled, a network host answers ARP queries for the network address that is not configured on the receiving interface. Proxying ARP requests on behalf of another host effectively directs all LAN traffic destined for that host to the proxying host. The captured traffic is then routed to the destination host via another interface.
    Default: Enabled

Enable Sending Trap on ICMP Error: The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite and is used by networked computers' operating systems to send error messages, indicating, for example, that a requested service is not available, or that a host or router could not be reached.
    Default: Enabled
    Note: When this option is enabled, a trap is sent when there is an ICMP error message.

Configuring ICMP
Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite and is used by networked computers' operating systems to send error messages, indicating, for instance, that a requested service is not available or that a host or router could not be reached.

To modify ICMP interface parameters


1. In the Configuration perspective Networking tab navigation pane, select IP Management > IP Routing > ICMP.
2. Double-click the relevant row.
3. Configure the parameters; and then, click OK.

Table 50: ICMP Interface Settings

IP Address: IP address of the interface.

Destination Address: IP destination address for multicast Router Advertisements sent from the interface.
    Values:
        224.0.0.1: The All Hosts multicast group that contains all systems on the same network segment.
        255.255.255.255: The limited-broadcast address.

Advertise Interval Minimum: The minimum time, in seconds, between sending unsolicited multicast Router Advertisements from the interface.
    Values: 3 to the maximum specified interval
    Default: 75% of the maximum specified interval

Advertise Interval Maximum: The maximum time, in seconds, between multicast Router Advertisements from the interface.
    Values: the minimum specified interval to 1800

Lifetime: The maximum time, in seconds, that the advertised addresses are considered valid.
    Values: the maximum specified interval to 9000
    Default: Three times (3) the maximum interval

Advertise this Interface: Enables you to advertise the device IP using ICMP Router Advertise.

Preference Level: The preference level of the address as the default router address, relative to other router addresses on the same subnet.

Reset all Parameters to Default: Resets ICMP interface parameters to default values.

Configuring the ARP Table


When Proxy ARP is enabled, a network host answers ARP queries for the network address that is not configured on the receiving interface. Proxying ARP requests on behalf of another host effectively directs all LAN traffic destined for that host to the proxying host. The captured traffic is then routed to the destination host via another interface. You can configure and manage the static ARP entries on the local router.

To configure the ARP table


1. In the Configuration perspective Networking tab navigation pane, select IP Management > ARP Table.
2. Do one of the following:
   - To add a new entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the ARP parameters and click OK.
4. Modify advanced parameters, if required; and then click (Submit) to submit the changes.

Table 51: ARP Parameters

Port: The interface number where the station resides.

IP Address: The station's IP address.

MAC Address: The station's MAC address.

Type: Entry type.
    Values:
        Other: Not Dynamic or Static.
        Invalid: Invalidates the ARP entry and effectively deletes it.
        Dynamic: Entry is learned from the ARP protocol. If the entry is not active for a predetermined time, the node is deleted from the table.
        Static: Entry has been configured by the network management station and is permanent.

Table 52: Advanced Parameters

Inactive ARP Timeout: The time, in seconds, that inactive ARP cache entries can remain in the ARP table before the device deletes them. If an ARP cache entry is not refreshed within a specified period, it is assumed that there is a problem with that address.
    Values: 1 to 9999999
    Default: 60000

Configuring Ports
You can change the duplex mode of each port on the DefensePro device.

To configure ports
1. In the Configuration perspective Networking tab navigation pane, select Port Configuration.
2. To change a port's configuration, double-click the row.
3. Configure the port settings and click OK.


Table 53: Port Configuration Parameters

Port: (Read-only) The index number of the port.

Speed: (Read-only) The traffic speed of the port.
    Values: Auto, Ethernet, Fast Ethernet, GbE, 10GbE, 40GbE

Duplex Mode: (Read-only) Specifies whether the port allows both inbound and outbound traffic (Full Duplex) or one way only (Half Duplex).

Autonegotiation Status: (Read-only) Specifies the autonegotiation status of the hardware. (1)
    Values:
        Auto: There is no transceiver installed in the physical port.
        On: Autonegotiation is ON.
        Off: Autonegotiation is OFF.

Autonegotiation Setting: Specifies the autonegotiation configuration for the physical port. (1)
    Values:
        Auto: The Autonegotiation Status value determines whether autonegotiation is ON or OFF.
        On: Autonegotiation is enabled by the user.
        Off: Autonegotiation is disabled by the user.
    Defaults:
        Fiber GbE transceivers: ON
        Management ports: ON
    Notes:
        For fiber GbE transceivers and for management ports, autonegotiation is configurable. That is, the Autonegotiation Setting determines the Autonegotiation Status.
        10GbE and 40GbE transceivers do not support autonegotiation.
        Copper GbE transceivers (not management ports) only support autonegotiation.
    Caution: You can configure the Autonegotiation Setting even when there is no transceiver currently installed in the physical port. If you specify ON and later insert a transceiver that does not support autonegotiation, DefensePro issues a trap; the Autonegotiation Setting remains ON but the behavior is undetermined. If you specify OFF and later insert a transceiver that supports only ON, DefensePro issues a trap; the Autonegotiation Setting remains OFF but the behavior is undetermined.

(1) Autonegotiation refers to the port automatically detecting and configuring the speed and duplex mode for the interface.


Configuring Port Mirroring


Port Mirroring enables the device to duplicate traffic from one physical port on the device to another physical port on the device. This is useful when an intrusion detection system (IDS) device is connected to one of the ports on the device. You can choose to mirror either received and transmitted traffic, received traffic only, or transmitted traffic only. You can also decide whether to duplicate the received broadcast packets.

Notes:
- Port mirroring requires that the input port be configured to Static-Forwarding Process mode. When the input port is configured to Static-Forwarding Forward mode, traffic is not mirrored.
- In Static Forwarding mode, traffic with the same destination MAC address as the device is not mirrored (rare).

To avoid high-bandwidth DoS and DDoS attacks, you can mirror the traffic that arrives at the DefensePro device to a dedicated sniffer port. This allows collecting packet data during an attack and sending the data to Radware's Security Operation Center (SOC) to develop an attack signature.

DefensePro also supports traffic-rate port mirroring, which the device performs when it is under attack. Traffic-rate port mirroring is based on a specified traffic threshold. When the threshold value is reached, the DefensePro device starts copying traffic from the interface to its mirroring output port. The copying continues for the specified time, and then stops. For example, if you have a single network segment connected between interfaces 1 and 2, whenever traffic reaches the configured threshold, the DefensePro device copies the traffic arriving on interface #1 to interface #3.

To configure port mirroring


1. In the Configuration perspective Networking tab navigation pane, select Port Configuration > Port Mirroring.
2. Do one of the following:
   - To add a pair of ports to mirror traffic, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the port mirroring settings; and then, click OK.
4. To configure advanced parameters for port mirroring, in the navigation pane, select Port Mirroring > Advanced Parameters.
5. Configure the advanced parameters; and then, click (Submit) to submit the changes.

Table 54: Port Mirroring Parameters

Input Interface: The traffic port.

Output Port: The port for the mirrored traffic.

Traffic to Mirror: The direction of the traffic that the device mirrors.
    Values: Transmit and Receive, Receive Only, Transmit Only

Enable Promiscuous Mode:
    Values:
        Enabled: The device copies all traffic to the specified output port.
        Disabled: The device copies only the traffic destined to the input.
    Default: Enabled

Backup Port: The backup port for the mirrored traffic.

Mode: The mode of port mirroring.
    Values: Enabled, Traffic Rate

Threshold: The number of threshold units (PPS/Kbps) that can pass through the specified input port (Input Interface) before the mirroring process starts.

Note: The Threshold Units parameter and the Threshold Interval parameter are defined globally for each device and not for each pair of ports.

Table 55: Port Mirroring Advanced Parameters

Traffic Threshold Units: The units in which the threshold is measured.
    Values:
        PPS: Packets per second
        Kbps: Kilobits per second

Threshold Interval: How long, in seconds, mirroring continues after the traffic rate falls below the specified threshold.
    Default: 30

Reset Traffic Rate: Click to set the device to record the traffic that exceeds the predefined limit within a new Threshold Interval.
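The traffic-rate behavior described above (Mode and Threshold from Table 54, Traffic Threshold Units and Threshold Interval from Table 55) replayed over constructed per-second rate samples, as an added example that is my code, not DefensePro's. One-second sampling is an assumption; the guide does not state the device's measurement granularity.

```python
"""Traffic-rate port mirroring as described in the section above.

Added example, not DefensePro code: it replays per-second rate samples on
an Input Interface against a Threshold (Table 54) and a Threshold Interval
(Table 55). The samples are constructed and one-second ticks are my
assumption; the guide does not state the device's sampling granularity.
"""


def mirror_schedule(samples, threshold, interval, mode="Traffic Rate",
                    units="PPS"):
    """Return the list of seconds during which traffic would be mirrored.

    samples   -- per-second rate on the input interface, in `units`
    threshold -- Table 54 Threshold, in the same units
    interval  -- Table 55 Threshold Interval: seconds mirroring keeps
                 running after the rate falls back below the threshold
    mode      -- Table 54 Mode: "Enabled" mirrors unconditionally,
                 "Traffic Rate" mirrors only around threshold crossings
    """
    if units not in ("PPS", "Kbps"):
        raise ValueError("Traffic Threshold Units must be PPS or Kbps")
    if mode == "Enabled":
        return list(range(len(samples)))
    if mode != "Traffic Rate":
        raise ValueError("Mode must be Enabled or Traffic Rate")
    mirrored = []
    remaining = 0  # seconds of mirroring still owed after the rate dropped
    for second, rate in enumerate(samples):
        if rate >= threshold:
            remaining = interval  # each second at/above threshold re-arms it
            mirrored.append(second)
        elif remaining > 0:
            remaining -= 1
            mirrored.append(second)
    return mirrored


def mirrored_volume(samples, threshold, interval, **kwargs):
    """Total units copied to the output port, for sizing the sniffer link."""
    secs = mirror_schedule(samples, threshold, interval, **kwargs)
    return sum(samples[s] for s in secs)


# Constructed burst: a short flood of 12-15k PPS, after which traffic subsides.
BURST = [2000, 12000, 15000, 8000, 5000, 3000, 1000, 500]
```

With a 10000 PPS threshold and a 3-second interval, seconds 1 and 2 are mirrored because they exceed the threshold and seconds 3 to 5 because the interval keeps the copy running after the rate drops.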

Configuring the Basic Network Parameters


Use the Basic pane to do the following:
- Specify the IP Version Mode (IPv4 or IPv6)
- Specify whether jumbo frames bypass the device or are discarded
- Configure the IP Fragmentation parameters


IPv4 and IPv6 Support


DefensePro supports IPv6 and IPv4 protocols and provides a fully functional IPS and DoS prevention solution for IPv6/IPv4 packets. Management works only in IPv4.

Caution: Changing the configuration of this feature takes effect only after a device reset.

DefensePro supports processing of IPv6 packets and ICMPv6 packets, including the following:
- Setting networks with IPv6 addresses
- Applying security policies
- Blocking attacks
- Security reporting

IP Fragmentation
When an IP packet is too long to be transmitted, the originator of the packet, or one of the routers transmitting it, must fragment the packet into multiple shorter packets. Using IP fragmentation, the DefensePro device can classify the Layer 4 information of IP fragments. The device identifies all the fragments that belong to the same datagram, then classifies and forwards them accordingly. The device does not reassemble the original IP packet, but forwards the fragmented datagrams to their destination, even if the datagrams arrive at the device out of order.

Traffic Exclusion
Traffic Exclusion is when DefensePro passes through all traffic that matches no network policy configured on the device. In DefensePro 7.20, the device always passes through all traffic that matches no network policy configured on the device.

Configuring the Basic Networking Parameters

To configure the Basic Networking parameters


1. In the Configuration perspective Networking tab navigation pane, select Basic.
2. Configure the parameters; and then, click Submit to submit the changes.


Table 56: Basic Networking Parameters

Basic Parameters

IP Version Mode: The IP version that the device supports.
Values:
- IPv4: The device processes IPv4 packets only.
- IPv4 and IPv6: The device processes IPv6 and IPv4 packets.
Note: If the IPv4 option is selected and IPv6 network classes are configured, all IPv6 policies (rules) are automatically disabled. Policies applied on both IPv4 and IPv6 traffic continue to process IPv4 traffic only. The IPv6 information remains visible.

Jumbo Frames

Bypass Jumbo Frames: Specifies whether jumbo frames bypass the device.
Values:
- Enabled: Frames of 1550 to 9216 bytes bypass the device without any inspection or monitoring.
- Disabled: The device discards frames that are larger than 1550 bytes.
Default: Disabled
Notes:
- Changing the configuration of the option takes effect only after a device reset.
- When the option is enabled, there is no sampling for Black List rules.
- When the option is enabled, TCP SYN Protection may not behave as expected because the third packet in the TCP three-way handshake can include data and be in itself a jumbo frame.
- When the option is enabled, some protections that rely on the DefensePro session table might produce false negatives and drop traffic when all the session traffic bypasses the device in both directions for a period longer than the Session Aging Time.

IP Fragmentation

Enable IP Fragmentation: Specifies whether IP fragmentation is enabled. Default: Disabled

Queuing Limit: The percentage of IP packets the device allocates for out-of-sequence fragmented IP datagrams. Values: 0 to 100. Default: 25

Aging Time: The time, in seconds, that the device keeps the fragmented datagrams in the queue. Values: 1 to 255. Default: 1
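The IP Fragmentation description above (Layer 4 classification of fragments without reassembly, out-of-order arrival, the Queuing Limit and the Aging Time) can be modelled as a small fragment tracker. The following is an added illustrative example, not DefensePro code; the class and field names are hypothetical, and the assumption that the Queuing Limit percentage applies to a fixed fragment-table size is the author's, not the guide's.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Hypothetical names throughout; this models the guide's description, not the device's code.

@dataclass
class Fragment:
    src: str
    dst: str
    proto: int        # IP protocol number: 6 = TCP, 17 = UDP
    ip_id: int        # IP Identification field shared by all fragments of one datagram
    offset: int       # byte offset of this fragment inside the original datagram
    payload: bytes    # only the offset-0 fragment carries the Layer 4 header

# (action, ip_id, offset, (source port, destination port) or None)
Decision = Tuple[str, int, int, Optional[Tuple[int, int]]]


class FragmentClassifier:
    """Classify Layer 4 information of IP fragments without reassembling the datagram."""

    def __init__(self, aging_time: int = 1, queuing_limit: int = 25, table_size: int = 100):
        self.aging_time = aging_time              # seconds an entry stays known (Aging Time)
        # Assumption: Queuing Limit (a percentage) is applied to a fixed fragment-table size.
        self.queue_capacity = table_size * queuing_limit // 100
        self.known: Dict[tuple, Tuple[Tuple[int, int], float]] = {}   # key -> (ports, last_seen)
        self.pending: Dict[tuple, List[Tuple[Fragment, float]]] = {}  # out-of-sequence fragments
        self.pending_count = 0

    @staticmethod
    def _key(f: Fragment) -> tuple:
        # All fragments of one datagram share source, destination, protocol and IP ID.
        return (f.src, f.dst, f.proto, f.ip_id)

    def _age_out(self, now: float) -> List[Fragment]:
        """Expire known datagrams and drop queued fragments whose first fragment never came."""
        for key in [k for k, (_, seen) in self.known.items() if now - seen > self.aging_time]:
            del self.known[key]
        dropped: List[Fragment] = []
        for key in list(self.pending):
            fresh = [(f, t) for f, t in self.pending[key] if now - t <= self.aging_time]
            dropped.extend(f for f, t in self.pending[key] if now - t > self.aging_time)
            if fresh:
                self.pending[key] = fresh
            else:
                del self.pending[key]
        self.pending_count -= len(dropped)
        return dropped

    def process(self, frag: Fragment, now: float) -> List[Decision]:
        decisions: List[Decision] = [("drop", f.ip_id, f.offset, None) for f in self._age_out(now)]
        key = self._key(frag)
        if frag.offset == 0:
            if len(frag.payload) < 4:            # too short to carry the port pair
                decisions.append(("drop", frag.ip_id, 0, None))
                return decisions
            ports = (int.from_bytes(frag.payload[0:2], "big"),
                     int.from_bytes(frag.payload[2:4], "big"))
            self.known[key] = (ports, now)
            decisions.append(("forward", frag.ip_id, 0, ports))
            # Release fragments of this datagram that arrived ahead of the first one.
            for queued, _ in self.pending.pop(key, []):
                self.pending_count -= 1
                decisions.append(("forward", queued.ip_id, queued.offset, ports))
            return decisions
        if key in self.known:                     # later fragment: reuse the stored classification
            ports, _ = self.known[key]
            self.known[key] = (ports, now)
            decisions.append(("forward", frag.ip_id, frag.offset, ports))
            return decisions
        if self.pending_count >= self.queue_capacity:   # Queuing Limit reached
            decisions.append(("drop", frag.ip_id, frag.offset, None))
            return decisions
        self.pending.setdefault(key, []).append((frag, now))   # wait for the first fragment
        self.pending_count += 1
        return decisions


def demo() -> List[Decision]:
    """Constructed fragment sequence: out-of-order arrival, orphaned fragments and aging."""
    c = FragmentClassifier(aging_time=1, queuing_limit=25, table_size=8)   # queue capacity 2
    udp_hdr = (53).to_bytes(2, "big") + (40000).to_bytes(2, "big")          # src port 53 -> dst 40000
    tcp_hdr = (40001).to_bytes(2, "big") + (443).to_bytes(2, "big")
    out: List[Decision] = []
    # Datagram 0x1234: its second fragment arrives before the first.
    out += c.process(Fragment("10.0.0.1", "192.0.2.10", 17, 0x1234, 1480, b"B" * 100), 0.0)
    out += c.process(Fragment("10.0.0.1", "192.0.2.10", 17, 0x1234, 0, udp_hdr + b"A" * 1468), 0.1)
    # Datagram 0x9999: the first fragment never arrives.
    out += c.process(Fragment("10.0.0.1", "192.0.2.10", 17, 0x9999, 1480, b"C" * 100), 0.2)
    out += c.process(Fragment("10.0.0.1", "192.0.2.10", 17, 0x9999, 2960, b"D" * 100), 0.3)
    # A third orphan exceeds the queue capacity and is dropped immediately.
    out += c.process(Fragment("10.0.0.1", "192.0.2.10", 17, 0x7777, 1480, b"E" * 100), 0.4)
    # A late fragment of 0x1234 is still classified from the stored entry.
    out += c.process(Fragment("10.0.0.1", "192.0.2.10", 17, 0x1234, 2960, b"F" * 100), 0.5)
    # Traffic one second later triggers aging of 0x9999's queued fragments.
    out += c.process(Fragment("10.0.0.1", "192.0.2.10", 6, 0x4444, 0, tcp_hdr + b"G" * 20), 2.0)
    return out
```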


Configuring Port Pairs


You can configure ports on a DefensePro device to receive, inspect, and transmit traffic. The traffic from the receiving port is always sent out of the device from its corresponding transmitting port. The ports are paired; one port receives traffic while another transmits traffic. You can set the operation mode of a port pair. When the port pair operates in Process mode, the traffic is inspected for attacks and traffic sampling policies are applied. When the port pair operates in Forward mode, the traffic is forwarded to the destination port without any inspection.

To configure a pair of ports


1. In the Configuration perspective Networking tab navigation pane, select Port Pairs.
2. Do one of the following:
   - To add a pair of ports, click the Add button.
   - To edit a pair of ports, double-click the row.
3. Configure the parameters; and then, click OK.

Table 57: Port Pair Parameters

Port Pairs

Source Port: The user-defined source port for received traffic.

Destination Port: The user-defined destination port for transmitted traffic.

Operation: The operation mode assigned to a pair of ports.
Values:
- Forward: The traffic is forwarded without any inspection.
- Process: The traffic passes through the CPU and is inspected for attacks, bandwidth, and so on.

In Port: Specifies which port in the pair is designated as the inbound port (the source or the destination port). This setting is used in real-time reports for inbound and outbound traffic.

Advanced Parameters

Enable Interface Grouping: Specifies whether the device groups the statuses of the port-pair interfaces. When the option is enabled, if one port of a port pair is disconnected, DefensePro also sets the status of the paired port to disconnected, so a remote device connected to the DefensePro device perceives the same disconnected status. Typically, the option is enabled when DefensePro is configured between switches that use link redundancy. Interface grouping is the only way both switches always perceive the same DefensePro interface status. Default: Disabled


Chapter 5 Security Configuration


A security policy in an organization is a set of rules and regulations that defines what constitutes a secure network and how it reacts to security violations. You implement a security policy for your organization by using the global security settings, network-protection policy, and server-protection policy. You can adjust a security policy to suit the security needs of different network segments down to a single server, providing comprehensive protection for your organization. Each policy consists of multiple rules. Each rule in a policy defines a network segment or server, one or more protection profiles to be applied, and the action to be taken when the device detects an attack. Each protection profile defines the security defenses that provide protection against a specific network threat. For example, the Signature Protection profile prevents intrusion attempts, and the Behavioral DoS profile prevents flood attacks aimed at creating denial of service.

Notes:
- All the configuration procedures in this section assume that the relevant device is selected in the Configuration perspective navigation pane.
- Some protections are not supported on management interfaces.

This chapter contains the following sections:
- Security Protections, page 129
- Selecting a Device for Security Configuration, page 130
- Configuring Global Security Settings, page 130
- Managing the Network Protection Policy, page 155
- Managing the Server Protection Policy, page 196
- Configuring White Lists, page 215
- Configuring Black Lists, page 218
- Managing the ACL Policy, page 223

Security Protections
DefensePro's multi-layer security approach combines features for detecting and mitigating a wide range of network and server attacks. DefensePro supports three types of security protections: network-wide protections, server protections, and access-control policies.

Network-wide protections include the following:
- Behavioral DoS: Protects against zero-day flood attacks, including SYN floods, TCP floods, UDP floods, ICMP floods, and IGMP floods.
- SYN-flood protection: Protects against any type of SYN flood attack using SYN cookies. A SYN flood attack is usually aimed at specific servers with the intention of consuming the server's resources. However, you configure SYN Protection as a Network Protection to allow easier protection of multiple network elements.
- Signature-based protection: Protects against known application vulnerabilities and common malware, such as worms, trojans, spyware, and DoS.
- Fraud protection using RSA feeds.
- Packet-anomaly protections.
- Scanning and worm-propagation protection: Provides zero-day protection against self-propagating worms, horizontal and vertical TCP and UDP scanning, and ping sweeps.
- Out of State protection: Ensures that TCP connections are established based on the protocol RFCs.

Server protections include the following:
- Connection limit: Protects against session-based attacks, such as half-open SYN attacks, request attacks, and connection attacks.
- Server-cracking protection: Provides zero-day protection against application-vulnerability scanning, brute-force, and dictionary attacks.
- HTTP-flood protection: Mitigates zero-day HTTP page flood attacks.

Access control (ACL) policies block or allow traffic to or from specified networks, based on protocols, applications, and other criteria.

Selecting a Device for Security Configuration


You configure a security policy in the Configuration perspective. Before you configure a security policy, select the device in the Configuration perspective navigation pane.

To select the device for security configuration


Select the required device in the Configuration perspective system pane.

Configuring Global Security Settings


Before you configure the Server Protection Policy or the Network Protection Policy/Rule and their protection profiles, you must enable the protection features you want to use and configure the global parameters for the protection features.

Note: After a protection feature is enabled on a device, the device requires a reboot. However, you need to reboot only once after enabling features within the same navigation branch.

Use APSolute Vision to configure the following protection features on a selected device:
- Configuring Global Signature Protection, page 131
- Configuring DoS Shield Protection, page 131
- Configuring Global Behavioral DoS Protection, page 133
- Configuring Global Anti-Scanning Protection Settings, page 138
- Configuring Global SYN Flood Protection, page 140
- Configuring Global Out of State Protection, page 141
- Configuring Global HTTP Flood Protection, page 142
- Configuring Global SIP Cracking Protection, page 143
- Configuring Global Fraud Protection, page 144
- Configuring Global Packet Anomaly Protection, page 146
- Configuring Global DNS Flood Protection, page 149

Configuring Global Signature Protection


Signature Protection is enabled by default for all models that support it.

To configure Signature Protection


1. In the Configuration perspective Security Settings tab navigation pane, select Signature Protection.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 58: Signature Protection Settings

Enable Application Security Protection: If the protection is disabled, enable it before setting up the protection profiles.
Note: Changing the setting of this parameter requires a reboot to take effect.

Reassemble Fragmented TCP Packets: Specifies whether the device tries to reassemble fragmented TCP packets. Default: Enabled

Encoding: The encoding (the language and character set) to use for detecting security events.

Enable Session Drop Mechanism: Enables dropping of all session packets when a signature was detected in one of the session packets.

Security Tracking Tables Free-Up Frequency: How often, in milliseconds, the device clears unnecessary entries from the table and stores information about newly detected security events. Values: 0 to 65,535. Default: 1250

Configuring DoS Shield Protection


The DoS Shield mechanism protects against known flood attacks and flood-attack tools that cause a denial of service effect, making computer resources unavailable to the intended users.

Notes:
- DoS Shield protection is enabled by default.
- This feature is also supported on management interfaces.

DoS Shield profiles prevent the following:
- Known TCP, UDP, and ICMP floods
- Known attack tools available on the Internet
- Known floods created by bots, which are automated attacks

DoS Shield protection uses signatures from the Radware Signatures database. This database is continuously updated and protects against all known threats. Radware Signature profiles include all DoS Shield signatures as part of the signature database and Radware predefined profiles that already include DoS Shield protection. To create a profile that includes DoS Shield protection, you configure a profile with the Threat Type attribute set to Floods. Radware also supplies a predefined profile, the All-DoS-Shield profile, which provides protection against all known DoS attacks. The All-DoS-Shield profile is applied when a DoS-only solution is required. Note that if the DoS Shield Radware-defined profile is applied, you cannot apply other Signature profiles in the same security policy.

To prevent denial of service, DoS Shield samples traffic flowing through the device and limits the bandwidth of traffic recognized as a DoS attack with predefined actions. Most networks can tolerate sporadic attacks that consume negligible amounts of bandwidth. Such attacks do not require any counter action. An attack becomes a threat to the network when it starts to consume large amounts of the network's bandwidth. DoS Shield detects such events using an advanced sampling algorithm for optimized performance, acting automatically to solve the problem.

The DoS Shield considers two protection states:
- Dormant state: Indicates that the sampling mechanism is used for recognition prior to active intervention. A protection in Dormant state becomes active only if the number of packets entering the network exceeds the predefined limit.
- Active state: Indicates that the action is implemented on each packet matching the attack signature, without sampling.

DoS Shield counts packets matching Dormant and Active states. Samples of the traffic are compared with the list of protections in Dormant state. When a specified number of packets is reached, the status of the protection changes to Active. The DoS Shield module uses two processes working in parallel. One process statistically monitors traffic to check if any dormant protection has become active. Then, when DoS Shield detects the protection as active, the module compares each packet that passes through the device to the list of Currently Active Protections. The module compares some of the packets that do not match the Active signature with the Dormant protections list. The module forwards the rest of the packets to the network without inspection. In DefensePro, to configure DoS Shield protection, you must enable Signature Protection. For more information, see Configuring Global Signature Protection, page 131.

To configure DoS Shield protection


1. In the Configuration perspective Security Settings tab navigation pane, select DoS Shield.
2. Configure the parameters; and then, click Submit to submit the changes.


Table 59: DoS Shield Parameters

Enable DoS Shield: Specifies whether the DoS Shield feature is enabled.
Note: If the protection is disabled, enable it before configuring the protection profiles.

Sampling Time: How often, in seconds, DoS Shield compares the predefined thresholds for each dormant attack to the current value of packet counters matching the attack. Default: 5
Note: If the sampling time is very short, there are frequent comparisons of counters to thresholds, so regular traffic bursts might be considered attacks. If the sampling time is too long, the DoS Shield mechanism cannot detect real attacks quickly enough.

Packet Sampling Ratio: The packet-sampling rate. For example, if the specified value is 5001, the DoS Shield mechanism checks 1 out of 5001 packets. Default: 5001
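The Dormant/Active scheme described above (per-packet matching against Currently Active Protections, 1-of-N sampling against the Dormant list, and a threshold comparison once per Sampling Time) can be traced with a small model. This is an added example, not Radware's implementation: the class and field names are hypothetical, and the form of the per-signature threshold (an estimated matching-packet rate, obtained by scaling the sampled hits by the Packet Sampling Ratio) is the author's assumption, since the guide does not define it.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Hypothetical names; this models the Dormant/Active scheme described in the guide.
Packet = Dict[str, object]      # constructed packets, e.g. {"proto": "udp", "dport": 1434}


@dataclass
class Protection:
    name: str
    signature: Callable[[Packet], bool]   # the attack signature this protection matches
    threshold_pps: float                  # assumed threshold form: estimated matching packets/second
    action: str = "drop"
    state: str = "dormant"
    sampled_hits: int = 0
    last_estimate: float = 0.0


class DosShield:
    def __init__(self, protections: List[Protection], sampling_time: float = 5.0,
                 packet_sampling_ratio: int = 5001):
        self.protections = protections
        self.sampling_time = sampling_time          # Sampling Time (seconds)
        self.ratio = packet_sampling_ratio          # Packet Sampling Ratio: 1 of N packets
        self.counter = 0
        self.window_start = 0.0

    def process(self, pkt: Packet, now: float) -> str:
        """Return the action applied to one packet ("forward" or a protection's action)."""
        # 1. Every packet is compared with the Currently Active Protections (no sampling).
        for p in self.protections:
            if p.state == "active" and p.signature(pkt):
                return p.action
        # 2. Only 1 of every `ratio` remaining packets is compared with the Dormant list.
        self.counter += 1
        if self.counter % self.ratio == 0:
            for p in self.protections:
                if p.state == "dormant" and p.signature(pkt):
                    p.sampled_hits += 1
        # 3. Once per Sampling Time, counters are compared with thresholds.
        elapsed = now - self.window_start
        if elapsed >= self.sampling_time:
            for p in self.protections:
                if p.state == "dormant":
                    # Scale sampled hits back up by the sampling ratio to estimate the real rate.
                    p.last_estimate = p.sampled_hits * self.ratio / elapsed
                    if p.last_estimate >= p.threshold_pps:
                        p.state = "active"          # from now on, per-packet matching
                    p.sampled_hits = 0
            self.window_start = now
        return "forward"


def demo() -> Dict[str, object]:
    """Constructed flood: 600 packets/second to UDP/1434 for five seconds, then evaluation."""
    flood = Protection("udp-1434-flood",
                       lambda p: p["proto"] == "udp" and p["dport"] == 1434,
                       threshold_pps=100)
    shield = DosShield([flood], sampling_time=5.0, packet_sampling_ratio=10)  # ratio shrunk for the demo
    forwarded = 0
    for i in range(3000):                           # arrival times in [0, 5)
        if shield.process({"proto": "udp", "dport": 1434}, i / 600) == "forward":
            forwarded += 1
    # A legitimate DNS packet at t=5.0 closes the sampling window and triggers the comparison.
    legit_at_window = shield.process({"proto": "udp", "dport": 53}, 5.0)
    return {
        "forwarded_while_dormant": forwarded,       # the whole flood passed while Dormant
        "estimated_pps": flood.last_estimate,       # 300 sampled hits x 10 / 5 s
        "state_after_window": flood.state,
        "legit_at_window": legit_at_window,
        "flood_after_activation": shield.process({"proto": "udp", "dport": 1434}, 5.1),
        "legit_after_activation": shield.process({"proto": "udp", "dport": 53}, 5.2),
    }
```

The trace also shows the trade-off the Sampling Time note describes: nothing is blocked until the first comparison, so a shorter window reacts faster but judges a burst on fewer samples.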

To include DoS Shield protection in the network-protection policy


1. In the Configuration perspective Network Protection tab navigation pane, select Network Protection Rules.
2. In the Add New Network Protection Rule dialog box, from the Signature Protection Profile drop-down list, select All-DoS-Shield. For more information, see Configuring the Network Protection Policy, page 156.

Configuring Global Behavioral DoS Protection


Behavioral DoS (Behavioral Denial of Service) Protection, which you can use in your network-protection policy, defends your network from zero-day network-flood attacks. These attacks fill available network bandwidth with irrelevant traffic, denying use of network resources to legitimate users. The attacks originate in the public network and threaten Internet-connected organizations. The Behavioral DoS profiles detect traffic anomalies and prevent zero-day, unknown, flood attacks by identifying the footprint of the anomalous traffic. Network-flood protection types include:
- TCP floods, which include SYN Flood, TCP Fin + ACK Flood, TCP Reset Flood, TCP SYN + ACK Flood, and TCP Fragmentation Flood
- UDP flood
- ICMP flood
- IGMP flood

The main advantage of BDoS Protection is the ability to detect statistical traffic anomalies and generate an accurate DoS-attack footprint based on a heuristic protocol information analysis. This ensures accurate attack filtering with minimal risk of false positives. The default average time for a new signature creation is between 10 and 18 seconds. This is a relatively short time, because flood attacks can last for minutes and sometimes hours.


Note: This feature is also supported on management interfaces.

Enabling BDoS Protection


Before you configure BDoS Protection profiles, enable BDoS Protection. You can also change the default global device settings for BDoS Protection. The BDoS Protection global settings apply to all the network protection-policy rules with BDoS profiles on the device.

To enable BDoS Protection and configure global settings


1. In the Configuration perspective Security Settings tab navigation pane, select BDoS Protection.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 60: BDoS Protection Global Parameters

Basic Parameters

Enable BDoS Protection: Specifies whether BDoS Protection is enabled.
Note: Changing the setting of this parameter requires a reboot to take effect.

Learning Response Period: The initial period from which baselines are primarily weighted. The default and recommended learning response period is one week. If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response to one month. Use a one-day period for testing purposes only. Values: Day, Week, Month. Default: Week

Enable Traffic Statistics Sampling: Specifies whether the BDoS module uses traffic-statistics sampling during the creation phase of the BDoS footprint. When the BDoS module is trying to generate a real-time signature and there is a high rate of traffic, the device evaluates only a portion of the traffic. The BDoS module tunes the sampling factor automatically, according to the traffic rate. The BDoS module screens all traffic at low traffic rates (below 100K PPS) and only a portion of the traffic at higher rates (above 100K PPS). Default: Enabled
Note: For best performance, Radware recommends that the parameter be Enabled.


Footprint Strictness: When the Behavioral DoS module detects a new attack, the module generates an attack footprint to block the attack traffic. If the Behavioral DoS module is unable to generate a footprint that meets the footprint-strictness condition, the module issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the device cannot generate a footprint.
Values:
- High: Enforces at least three Boolean ANDs and no other Boolean OR value in the footprint. This level lowers the probability for false positives but increases the probability for false negatives.
- Medium: Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.
- Low: Allows any footprint suggested by the Behavioral DoS module. This level achieves the best attack blocking, but increases the probability of false positives.
Notes:
- DefensePro always considers the checksum field and the sequence number fields as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered as High Footprint Strictness.
- Table 61, Footprint Strictness Examples, page 135, shows examples of footprint strictness requirements.

Advanced Parameters

These settings affect periodic attack behavior. The settings are used to effectively detect and block these attack types.

Duration of Non-attack Traffic in Blocking State: The time, in seconds, during which the degree of attack must fall below and stay below the hard-coded threshold in the Blocking state. When the time elapses, DefensePro declares the attack to be terminated. Values: 45 to 300. Default: 45

Duration of Non-attack Traffic in Anomaly or Non-strictness State: The time, in seconds, during which the degree of attack must fall below and stay below the hard-coded threshold in the Anomaly state or the Non-strictness state. When the time elapses, DefensePro declares the attack to be terminated. Values: 45 to 300. Default: 45

Table 61: Footprint Strictness Examples

Footprint Example                           Low   Medium   High
TTL                                         Yes   No       No
TTL AND Packet Size                         Yes   Yes      No
TTL AND Packet Size AND Destination Port    Yes   Yes      Yes


Configuring BDoS Footprint Bypass


You can define footprint bypass types and values that will not be used as part of a real-time signature. The types and values that you define will not be used in OR or in AND operations within the blocking rule (real-time signature) even when the protection-engine suggests that the traffic is a real-time signature candidate. For information on the footprint bypass types, see BDoS Footprint Bypass Fields and Values, page 329.

To configure footprint bypass


1. In the Configuration perspective Security Settings tab navigation pane, select BDoS Protection > BDoS Footprint Bypass.
2. From the Footprint Bypass Controller drop-down list, select the attack protection for which you want to configure footprint bypass, and click Go. The table displays the bypass types and values for the selected attack protection.
3. To edit bypass type settings, double-click the corresponding row.
4. Configure the footprint bypass parameters for the selected bypass type; and then, click OK.

Table 62: BDoS Footprint Bypass Parameters

Footprint Bypass Controller: (Read-only) The selected attack protection for which you are configuring footprint bypass.

Bypass Field: (Read-only) The selected bypass type to configure.

Bypass Status: The bypass option.
Values:
- Bypass: The Behavioral DoS module bypasses all possible values of the selected Bypass Field when generating a footprint.
- Accept: The Behavioral DoS module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.

Bypass Values: If the value of the Bypass Status parameter is Accept, when generating the footprint, the Behavioral DoS mechanism does not use the specified Bypass Values of the corresponding selected Bypass Field. The valid Bypass Values vary according to the selected Bypass Field. Multiple values in the Bypass Values field must be comma-delimited.

Configuring Early Blocking of DoS Traffic

Caution: Modifying the values exposed in the Early Blocking of DoS Traffic feature may impair the accuracy of the DoS-attack footprint that DefensePro generates.

When DefensePro detects a new DoS attack (by default, after 10 seconds), DefensePro generates a DoS-attack footprint and then blocks or drops the relevant flood traffic. In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start blocking as soon as possible, even if accuracy is compromised. Using Early Blocking of DoS Traffic, you can configure thresholds for generating DoS-attack footprints, which shorten the time to start blocking the relevant traffic.

DefensePro generates each footprint using values from fields (parameters) in the packet header (for example: Sequence Number, Checksum, and IP ID). The values from fields in the packet header characterize the attack. The thresholds that you can configure for the protection to change from the Analysis state to the Blocking state are Packet-header fields or Packet-header-field values:
- The Packet-header fields threshold is the number of anomalously distributed packet-header fields that DefensePro must detect to generate a footprint and start early blocking prior to the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.) You can define either the number of packet-header fields, or the specific fields that DefensePro must detect. For more information, see Selecting Packet Header Fields for Early Blocking of DoS Traffic, page 138.
- The Packet-header-field values threshold is the number of anomalous packet-header-field values that DefensePro must detect to generate a footprint and start early blocking.

Note: The threshold (that is, the packet-header fields or the number of packet-header fields) cannot conflict with the Footprint Strictness level. You cannot change the specified Footprint Strictness to one that is lower than the strictness necessary for the BDoS mechanism to operate properly. Likewise, you cannot configure fewer packet-header fields than the specified strictness level requires for the BDoS mechanism to operate properly.

To configure early blocking for BDoS


1. In the Configuration perspective Security Settings tab navigation pane, select BDoS Protection > BDoS Early Blocking.
2. To modify a protection type for early blocking, double-click the row.
3. Configure the parameters; and then, click OK.

Table 63: Early Blocking Parameters

Protection Type: (Read-only) The protection for which you are configuring early blocking.

Any Packet Header Field: When selected, DefensePro blocks DoS traffic early based on the specified number of packet-header fields and number of packet-header-field values thresholds. Clear the selection to use specific packet header fields that you select in the BDoS Packet Header table.

Any Packet Header Field Threshold: The number of anomalous packet-header fields that DefensePro must detect to generate a footprint and start early blocking. Values: 1 to 20. Default (per protection): ICMP 18, IGMP 11, TCP-ACK-FIN 14, TCP-Fragment 17, TCP-RST 14, TCP-SYN 14, TCP-SYN-ACK 14, UDP 21.

Packet Header Field Values: The number of anomalous packet-header-field values that DefensePro must detect to generate a footprint and start early blocking. The number of packet-header-field values must not be less than the specified packet-header field threshold. Values: 1 to 1000. Default: 500
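The footprint rules spread over the Footprint Strictness parameter and Table 61, the BDoS Footprint Bypass parameters (Table 62), and the Early Blocking thresholds (Table 63, together with the note that they may not conflict with the strictness level) fit in one small model. This is an added illustrative example, not DefensePro code; the function and field names are hypothetical, the strictness counting is taken literally from the guide's High/Medium/Low definitions, and the assumption that reaching either early-blocking threshold (fields or values) is sufficient is the author's, since the guide does not say how the two combine.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Hypothetical names; this models the rules stated in the guide, not the device's implementation.

# A footprint ANDs packet-header fields; each field carries one or more ORed values.
# Example: {"ttl": {64}, "packet_size": {60, 64}}  ==  ttl=64 AND (size=60 OR size=64)
Footprint = Dict[str, Set[int]]

# Fields the guide says are always treated as High Footprint Strictness on their own.
ALWAYS_HIGH: Set[str] = {"checksum", "sequence_number"}

# Strictness level -> (minimum ANDed fields, maximum additional OR values; None = unlimited)
STRICTNESS: Dict[str, Tuple[int, Optional[int]]] = {
    "high": (3, 0),
    "medium": (2, 2),
    "low": (1, None),
}


def extra_or_values(fp: Footprint) -> int:
    """OR values beyond the first value of each field (the 'additional' ORs)."""
    return sum(len(values) - 1 for values in fp.values())


def meets_strictness(fp: Footprint, level: str) -> bool:
    """Would this footprint be used for blocking under the given Footprint Strictness?"""
    if not fp:
        return False
    if set(fp) <= ALWAYS_HIGH:            # only checksum / sequence number: always High
        return True
    min_ands, max_ors = STRICTNESS[level]
    if len(fp) < min_ands:
        return False
    return max_ors is None or extra_or_values(fp) <= max_ors


@dataclass
class BypassRule:
    bypass_field: str
    status: str                            # "bypass" (whole field) or "accept" (listed values only)
    values: Set[int] = field(default_factory=set)


def apply_bypass(fp: Footprint, rules: List[BypassRule]) -> Footprint:
    """Remove bypassed fields/values before the strictness check, as BDoS Footprint Bypass does."""
    out: Footprint = {}
    for name, values in fp.items():
        rule = next((r for r in rules if r.bypass_field == name), None)
        if rule is None:
            out[name] = set(values)
        elif rule.status == "accept":
            kept = set(values) - rule.values
            if kept:                       # a field with no usable values left drops out
                out[name] = kept
        # status "bypass": the field is never part of a footprint
    return out


def early_blocking_valid(level: str, field_threshold: int) -> bool:
    """The field threshold may not require fewer fields than the strictness level does."""
    return field_threshold >= STRICTNESS[level][0]


def blocking_state(anomalous: Footprint, field_threshold: int, value_threshold: int,
                   elapsed_s: float, required_fields: Optional[Set[str]] = None) -> str:
    """Analysis -> Blocking transition. `anomalous` holds the anomalously distributed header
    fields seen so far, with their anomalous values. Assumption (author's): reaching either
    threshold is enough; the guide does not state how the two thresholds combine."""
    if elapsed_s >= 10:                    # the default transition happens regardless
        return "blocking"
    if required_fields is not None:        # Any Packet Header Field cleared: specific fields
        return "blocking-early" if required_fields <= set(anomalous) else "analysis"
    n_values = sum(len(v) for v in anomalous.values())
    if len(anomalous) >= field_threshold or n_values >= value_threshold:
        return "blocking-early"
    return "analysis"
```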

Selecting Packet Header Fields for Early Blocking of DoS Traffic


You can select specific packet header fields to be included in the set of packet header fields that DefensePro must detect to generate a footprint and start early blocking.

To select packet header fields for early blocking


1. In the Configuration perspective Security Settings tab navigation pane, select BDoS Protection > Packet Header.
2. Select the protection type and click Go. The BDoS Packet Header table displays the relevant packet header fields.
3. To change the early blocking enabling setting for a field, double-click the row, change the setting in the dialog box, and click OK.

Table 64: Packet Header Field Parameters

Protection Type: (Read-only) The protection for which you are configuring early blocking.

Packet Header Field: (Read-only) The packet header field.

Enable Early Blocking Condition: When selected, the packet header field is included in the set of specific packet header fields that DefensePro must detect to generate a footprint and start early blocking.

Configuring Global Anti-Scanning Protection Settings


Anti-Scanning Protection protects against malicious scanning activity, which includes zero-day self-propagating network worms, horizontal scans, and vertical scans. When Anti-Scanning Protection is enabled, upon detecting an attack, the protection implements the blocking footprint rule for a predefined, initial blocking duration. When the protection identifies repeated scanning activities from the same source, the protection extends the blocking duration based on a dynamic blocking-duration mechanism. This mechanism includes a random factor that sets an unpredictable blocking duration. When a source continues to scan the network, the device can restart the global Maximal Blocking Duration.


To configure global Anti-Scanning Protection settings


1. In the Configuration perspective Security Settings tab navigation pane, select Anti-Scanning.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 65: Global Anti-Scanning Settings

Anti-Scanning Parameters

Enable Anti-Scanning Protection: Specifies whether Anti-Scanning Protection is enabled. Anti-Scanning Protection prevents zero-day self-propagating network worms, horizontal scans, and vertical scans. Default: Enabled
Note: Changing the setting of this parameter requires a reboot to take effect.

Enable Protection for Very Slow Scans: Specifies whether Anti-Scanning Protection blocks slow scans, which can result in very long blocking periods. When enabled, Anti-Scanning Protection adapts the blocking interval based on the scanner-activity frequency. Thus, the device will detect the scanner activity again before the blocking duration elapses. The blocking duration is calculated as the time between scanning events multiplied by the Attack Trigger value. Radware recommends using this option only in exceptional circumstances, when one scan attempt in 20 minutes is considered a security threat. Default: Disabled

Enable High Port Response: Specifies whether the Anti-Scanning Protection emphasizes inspecting scans aimed at ports greater than 1024 (that is, usually unassigned ports).
Values:
- Enabled: The Anti-Scanning Protection emphasizes inspecting scans aimed at ports greater than 1024. Select this checkbox when using applications that utilize standard system ports (that is, port values less than 1024).
- Disabled: The Anti-Scanning Protection treats all the scan activities equally. Clear this checkbox when using applications utilizing nonstandard ports (that is, port values greater than 1024).
Default: Enabled
Note: When the parameter is enabled and you have legitimate applications using high-range ports, the DefensePro device is prone to more false positives.

Maximal Blocking Duration: The maximum time, in seconds, that the Anti-Scanning Protection blocks the source of a scan, if that source continues to scan the network. Values: 20 to 3600. Default: 80
Note: This setting overrides the maximum time set in the suspend table parameters.


Configuring Global SYN Flood Protection


A SYN flood attack is usually aimed at specific servers with the intention of consuming the server's resources. However, you configure SYN Protection as a Network Protection to allow easier protection of multiple network elements. Before you configure SYN profiles for the network-protection policy, ensure the following:
- SYN Protection is enabled and the SYN Flood Protection global parameters are configured.
- The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session Table Settings, page 101.

To configure global SYN Flood Protection


1. In the Configuration perspective Security Settings tab navigation pane, select SYN Flood Protection Settings.
2. Configure the parameters; and then, click Submit to submit the changes.

Table 66: SYN Flood Protection Settings Parameters in DefensePro

Basic Parameters

Enable SYN Flood Protection: Specifies whether SYN Flood Protection is enabled on the device. Default: Enabled
Note: Changing the setting of this parameter requires a reboot to take effect.

Advanced Parameters

Tracking Time: The time, in seconds, during which the number of SYN packets directed to a single protected destination must be lower than the Termination Threshold to cause the attack state to terminate for that destination. Values: 1 to 10. Default: 5

SSL Parameters

For more information on the SSL Mitigation feature, see Configuring SSL Mitigation Policies, page 191.

Enable SSL Mitigation: Specifies whether the device enables the SSL Mitigation mechanism with an Alteon device.

Alteon MNG IP: The IP address of the Alteon management port.

Health-Check Port: The health-check port (that is, the SNMP Traps port) on the Alteon device.

DefensePro Assigned Ports: The table that displays the pair of static-forwarding ports.


Configuring Global Out of State Protection


Out of State Protection detects out-of-state packets to provide additional protection for application-level attacks. You configure Out-of-State Protection globally (here) and per policy (see Configuring Out of State Protection Profiles for Network Protection, page 195).

To configure global Out of State Protection


1. In the Configuration perspective Security Settings tab navigation pane, select Out of State.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 67: Out-of-State Protection Parameters

Global Parameters

Enable Out-of-State Protection
    Specifies whether the device enables Out-of-State Protection learning.
    Default: Disabled

Activate (Without Reboot)
    Specifies whether the device starts and stops Out-of-State Protection without rebooting the device.
    Default: Disabled

Startup Mode
    The behavior of the device after startup. Out-of-State Protection cannot be applied to existing traffic; therefore, the device can either drop existing traffic and apply Out-of-State Protection to all new traffic, or suspend Out-of-State Protection for a period of time, which is used to learn traffic and sessions.
    Values:
    - On: Start the protection immediately. Existing sessions are dropped and only new sessions are allowed.
    - Off: Do not protect.
    - Graceful: Start the protection while maintaining existing sessions for the time specified by the Startup Timer parameter.
    Default: Graceful

Startup Timer
    For Graceful startup mode, this parameter specifies the time, in seconds, after startup when the device ignores Out-of-State Protection and registers all sessions in the Session table, including those whose initiation was not registered (for example, SYN with TCP). After this time, the device drops new sessions whose initiation was not registered (for example, SYN with TCP).
    Values: 0–65,535
    Default: 1800


Configuring Global HTTP Flood Protection


The HTTP Mitigator detects and mitigates HTTP request flood attacks to protect Web servers. The HTTP Mitigator collects and builds a statistical model of the protected server traffic, and then, using fuzzy logic inference systems and statistical thresholds, detects traffic anomalies and identifies the malicious sources.

To configure global HTTP Flood Protection


1. In the Configuration perspective Security Settings tab navigation pane, select HTTP Flood Protections.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 68: HTTP Mitigator Parameters

Enable HTTP Mitigator
    Specifies whether the HTTP Mitigator is enabled on the device. HTTP flood protection must be enabled to set HTTP flood protection parameters.
    Default: Enabled

Learning Period before Activation
    The time, in days, the HTTP Mitigator takes to collect the data needed to establish the baseline that HTTP Mitigation uses.
    Values: 0–65,536
    Default: 7

Learning Mode
    The learning mode of the HTTP Mitigator.
    Values:
    - Continuous Only: The learning process about the traffic environment is continuous.
    - Automatic: The HTTP Mitigator can switch to 24x7 learning when it detects a recurring pattern per hour of the day of the week in a period of 4, 8, or 12 weeks (based on sensitivity).

Learning Sensitivity
    The period from which the HTTP Mitigator establishes baselines. Select the time unit based on the site characteristics. For example, if the site traffic fluctuates during the course of a day, but fluctuates the same way each day, select Day; but if there are significant fluctuations between the days of the week, select Week.
    Values: Day, Week, Month
    Default: Week

Mitigation Failure Condition
    The number of automatic attempts the device makes before announcing it cannot mitigate the attack.
    Values: 1–100
    Default: 3


Configuring Global SIP Cracking Protection


SIP Cracking protection, which provides VoIP protection similar to FTP, POP3, and server-based crack protections, is designed to detect and mitigate the following types of threats:
- Brute-force and dictionary attacks: On registrar and proxy SIP servers.
- SIP application scanning activities: On SIP servers and SIP phones.
- SIP DoS flood attacks: On SIP servers and SIP phones. The types of attacks that are detected through the SIP crack mechanism include those that use repeated spoofed REGISTER and INVITE messages.
- Pre-SPIT (Spam over IP Telephony) activities: To-tag INVITE messages are used.

DefensePro detects attacks based on the frequency and quantity of SIP reply codes. DefensePro performs analysis of authentication, call initiation, registration processes, and reply codes per source IP address and the SIP URI (SIP FROM). A SIP server can send replies and error responses to clients either on the same connection or open a new connection for this purpose. This is also applicable for UDP, where either the same flow or a new one is used. To support such environments, the SIP Server Cracking protection can monitor all outgoing messages from the protected server to the SIP Application Port Group or from the SIP Application Port Group. When DefensePro detects an attack, it does the following:
- Adds the source IP address of the attacker to the Suspend table. The suspend entry has both the SIP port and the server IP address.
- Blocks all traffic from the attacker to the protected server and to the SIP Application Port group. The device also drops existing sessions or flows from the attacker to the protected server and to the Application Port Group.

Before you configure global SIP Cracking Protection, you must configure a profile that includes SIP protection. For more information, see Configuring Server Cracking Profiles for Server Protection, page 205.

To configure global SIP Cracking Protection


1. In the Configuration perspective Security Settings tab navigation pane, select SIP Cracking.
2. Configure the parameters; and then, click (Submit) to submit the changes.


Table 69: SIP Cracking Parameters

Tracking Type
    The data that the SIP Cracking feature monitors.
    Values: SIP-URI, Source IP, Both

Application Code for Reset
    The SIP error code that is sent back to the source IP address.
    Values:
    - Ambiguous: Event number 485. Request-URI is ambiguous/not assigned.
    - Busy Everywhere: Event number 600. All possible destinations are busy.
    - Busy Here: Event number 486. User busy.
    - Decline: Event number 603. Call rejected.
    - Not Acceptable Error: Event number 406. Client Failure Response. The resource identified by the request is only capable of generating response entities that have content characteristics not acceptable according to the Accept header field sent in the request.
    - Not Acceptable Fail: Event number 606. Global Failure Response. The user's agent was contacted successfully, but some aspects of the session description, such as the requested media, bandwidth, or addressing style, were not acceptable.
    - Not Acceptable Here: Event number 488. Some aspects of the session description of the Request-URI are not acceptable.
    - Not Found: Event number 404. The user does not exist at the specified domain.
    - Request Terminated: Event number 487. The request was terminated by a BYE or CANCEL.
    - Temporarily Unavailable: Event number 480. The user is currently unavailable.
    Default: Not Acceptable Error

Detect Error Codes in Server Originated Sessions
    Enables detection of error codes on sessions that originate from the server to the client.
    Default: Disabled
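The detection flow described above (counting SIP reply codes per source IP, per SIP URI from the From header, or both; adding a suspend entry keyed by source IP, SIP port and server IP; answering the source with the configured Application Code for Reset), as an added Python example that is not DefensePro's code. The set of reply codes counted as failures, the threshold and the time window are assumptions; on the device these come from the Server Cracking profile.

```python
"""SIP Cracking-style detection (added example, not DefensePro code).

Counts SIP failure replies per tracked entity (source IP, SIP URI from the
From header, or both). When a tracked entity crosses the assumed threshold
inside the assumed time window, the source goes into a suspend table keyed
by (source IP, SIP port, server IP) and the configured "Application Code
for Reset" is returned for the reply to the source.
"""
import re
from collections import defaultdict, deque

# Application codes from Table 69 (the event number is the SIP status code).
APPLICATION_CODES = {
    "Ambiguous": 485, "Busy Everywhere": 600, "Busy Here": 486, "Decline": 603,
    "Not Acceptable Error": 406, "Not Acceptable Fail": 606,
    "Not Acceptable Here": 488, "Not Found": 404, "Request Terminated": 487,
    "Temporarily Unavailable": 480,
}
# Assumed: reply codes counted as authentication/registration failures.
FAILURE_CODES = {401, 403, 404, 407}

STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) ")
FROM_RE = re.compile(r"^(?:From|f):\s*(?:.*<)?(sip:[^>;\s]+)", re.I | re.M)

# Constructed sample replies (as a SIP server would send them to a client).
SAMPLE_401 = ("SIP/2.0 401 Unauthorized\r\nVia: SIP/2.0/UDP 10.0.0.5:5060\r\n"
              "From: \"Alice\" <sip:alice@example.com>;tag=1\r\n"
              "To: <sip:alice@example.com>\r\nCSeq: 1 REGISTER\r\n\r\n")
SAMPLE_200 = ("SIP/2.0 200 OK\r\nVia: SIP/2.0/UDP 10.0.0.5:5060\r\n"
              "From: <sip:alice@example.com>;tag=2\r\n"
              "To: <sip:alice@example.com>;tag=9\r\nCSeq: 2 REGISTER\r\n\r\n")


def parse_reply(raw):
    """Return (status code, From URI) of a SIP response; ValueError if malformed."""
    m = STATUS_RE.match(raw)
    if not m:
        raise ValueError("not a SIP response")
    f = FROM_RE.search(raw)
    return int(m.group(1)), (f.group(1).lower() if f else None)


class SipCrackDetector:
    def __init__(self, tracking_type="Both", threshold=5, window=60.0,
                 reset_code="Not Acceptable Error", server_originated=False):
        # threshold/window are assumed profile values, not taken from this page
        self.tracking_type = tracking_type
        self.threshold, self.window = threshold, window
        self.reset_code = APPLICATION_CODES[reset_code]
        self.server_originated = server_originated   # Table 69, last parameter
        self.history = defaultdict(deque)   # tracking key -> failure timestamps
        self.suspend = set()                # (source IP, SIP port, server IP)

    def _keys(self, src_ip, from_uri):
        """Tracking keys for one reply, according to the Tracking Type."""
        by_ip, by_uri = [("ip", src_ip)], [("uri", from_uri)] if from_uri else []
        if self.tracking_type == "Source IP":
            return by_ip
        if self.tracking_type == "SIP-URI":
            return by_uri
        return by_ip + by_uri

    def observe(self, ts, src_ip, server_ip, server_port, raw, server_initiated=False):
        """Feed one server reply headed to src_ip. Returns the SIP code to send
        back to the source when it is (or becomes) suspended, else None."""
        entry = (src_ip, server_port, server_ip)
        if entry in self.suspend:
            return self.reset_code              # already blocked
        if server_initiated and not self.server_originated:
            return None                         # server-originated sessions not inspected
        code, from_uri = parse_reply(raw)
        if code not in FAILURE_CODES:
            return None
        triggered = False
        for key in self._keys(src_ip, from_uri):
            q = self.history[key]
            q.append(ts)
            while q and ts - q[0] > self.window:  # forget failures outside the window
                q.popleft()
            triggered = triggered or len(q) >= self.threshold
        if triggered:
            self.suspend.add(entry)
            return self.reset_code
        return None

    def is_blocked(self, src_ip, server_ip, server_port):
        return (src_ip, server_port, server_ip) in self.suspend
```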

Configuring Global Fraud Protection


Fraud Protection uses RSA-signature feeds to protect your network from malicious, fraudulent sites. Such sites include phishing sites, trojan drop points, and malicious-download sites.

Note: RSA updates require purchasing a relevant license. DefensePro can periodically receive the RSA-signature feeds by means of a scheduled task, Update RSA Security Signature. You can also trigger an update of RSA signatures manually using the Update Security Signature operation. DefensePro can store up to 500 concurrent RSA signatures.


When RSA finds a new malicious server or URL, RSA approaches the hosting provider or service provider to take the site down. DefensePro expects that the feeds it receives become irrelevant after a certain time. DefensePro ages the stored signatures according to the specified estimated time for bringing down various types of malicious sites.

When Fraud Protection is enabled, you can configure Network Protection with a Signature Profile rule that uses one or more of the following threat-type attribute values:
- Fraud - Phishing
- Fraud - Drop Points
- Fraud - Malicious Download

To configure fraud protection


1. In the Configuration perspective Security Settings tab navigation pane, select Fraud Protection.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 70: Fraud Protection Parameters

General Settings

Enable Fraud Protection
    Specifies whether fraud protection is enabled.
    Default: Disabled

Advanced Settings

Error Reporting Frequency
    How often, in hours, the device sends a trap notifying when an expected feed was not received.
    Values: 1–24
    Default: 1

Phishing Signatures Aging
    How often, in hours, the device deletes the signatures of phishing sites.
    Values: 1–168
    Default: 48

Drop Points Aging
    How often, in hours, the device deletes the addresses of drop points.
    Values: 1–168
    Default: 70

Malicious Download Aging
    How often, in hours, the device deletes the addresses of malicious-download sites.
    Values: 1–168
    Default: 48


Configuring Global Packet Anomaly Protection


This feature is not supported on management interfaces. Packet Anomaly protection detects and provides protection against packet anomalies.

Enabling and Disabling the Packet Trace Feature for Packet Anomaly Protection
When the Packet Trace feature is enabled for Packet Anomaly Protection, the device sends anomalous packets to the specified physical port. You enable or disable the Packet Trace feature for all the packet-anomaly protections configured on the device.

Notes:
- When this feature is enabled, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port).
- A change to the parameter takes effect only after you update policies.

To enable or disable the Packet Trace feature for Packet Anomaly Protection
1. In the Configuration perspective Security Settings tab navigation pane, select Packet Anomaly.
2. Select or clear the Packet Trace checkbox; and then, click (Submit) to submit the changes.

Configuring Packet-Anomaly Protection

To configure packet-anomaly protection


1. In the Configuration perspective Security Settings tab navigation pane, select Packet Anomaly.
2. Double-click the relevant row.
3. Configure the parameters, and then, click OK. For more information about packet anomalies and their default configurations, see Table 72 - Default Configuration of Packet-Anomaly Protections, page 148.

Table 71: Packet-Anomaly Protection Parameters

ID
    (Read-only) The ID number for the packet-anomaly protection. The ID is a Radware ID that appears in the trap sent to APSolute Vision Security logs.

Protection Name
    (Read-only) The name of the packet-anomaly protection.


Action
    The action that the device takes when the packet anomaly is detected. The action is only for the specified packet-anomaly protection.
    Values:
    - Drop: The device discards the anomalous packets and issues a trap.
    - Report: The device issues a trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules. If the Report Action is Bypass, the packet bypasses the rest of the device modules.
    - No Report: The device issues no trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules. If the Report Action is Bypass, the packet bypasses the rest of the device modules.
    Note: Click Drop All to set the action for all packet-anomaly protections to Drop. Click Report All to set the action for all packet-anomaly protections to Report. Click No Report All to set the action for all packet-anomaly protections to No Report.

Risk
    The risk associated with the trap for the specific anomaly.
    Values: Info, Low, Medium, High
    Default: Info

Report Action
    The action that the DefensePro device takes on the anomalous packets when the specified Action is Report or No Report. The Report Action is only for the specified packet-anomaly protection.
    Values:
    - Bypass: The anomalous packets bypass the device.
    - Process: The DefensePro modules process the anomalous packets. If the anomalous packets are part of an attack, DefensePro can mitigate the attack.
    Note: You cannot select Process for the following packet-anomaly protections:
    - 104: Invalid IP Header or Total Length
    - 107: Inconsistent IPv6 Headers
    - 131: Invalid L4 Header Length


Table 72: Default Configuration of Packet-Anomaly Protections

Unrecognized L2 Format [1]
    Packets with more than two VLAN tags or MPLS labels, L2 broadcast, or L2 multicast traffic.
    ID: 100
    Default Action: No Report
    Default Risk: Low
    Default Report Action: Process

Incorrect IPv4 Checksum [1]
    The IP packet header checksum does not match the packet header.
    ID: 103
    Default Action: Drop
    Default Risk: Low
    Default Report Action: Bypass

Invalid IPv4 Header or Total Length
    The IP packet header length does not match the actual header length, or the IP packet total length does not match the actual packet length.
    ID: 104
    Default Action: Drop
    Default Risk: Low
    Report Action: Bypass [2]

TTL Less Than or Equal to 1
    The TTL field value is less than or equal to 1.
    ID: 105
    Default Action: Report
    Default Risk: Low
    Default Report Action: Process

Inconsistent IPv6 Headers
    Inconsistent IPv6 headers.
    ID: 107
    Default Action: Drop
    Default Risk: Low
    Report Action: Bypass [2]

IPv6 Hop Limit Reached
    The IPv6 hop limit is not greater than 1.
    ID: 108
    Default Action: Report
    Default Risk: Low
    Default Report Action: Process

Unsupported L4 Protocol
    Traffic other than UDP, TCP, ICMP, or IGMP.
    ID: 110
    Default Action: No Report
    Default Risk: Low
    Default Report Action: Process


Invalid TCP Flags
    The TCP flags combination is not according to the standard.
    ID: 113
    Default Action: Drop
    Default Risk: Low
    Default Report Action: Bypass

Source or Dest. Address same as Local Host
    The IP packet source address or destination address is equal to the local host.
    ID: 119
    Default Action: Drop
    Default Risk: Low
    Default Report Action: Bypass

Source Address same as Dest Address (Land Attack)
    The source IP address and the destination IP address in the packet header are the same. This is referred to as a LAND, Land, or LanD attack.
    ID: 120
    Default Action: Drop
    Default Risk: Low
    Default Report Action: Bypass

L4 Source or Dest. Port Zero
    The Layer 4 source port or destination port equals zero.
    ID: 125
    Default Action: Drop
    Default Risk: Low
    Default Report Action: Bypass

Invalid L4 Header Length
    The length of the Layer 4 (TCP/UDP/SCTP) header is invalid.
    ID: 131
    Default Action: Drop
    Default Risk: Low
    Report Action: Bypass [2]

[1] This anomaly cannot be sampled.
[2] You cannot select Process for this packet-anomaly protection.
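The IPv4/TCP checks from Table 72 that can be decided on a single packet, as an added Python example that is not DefensePro's code: it parses a raw IPv4 packet, returns the matching anomaly IDs, and folds the table's default Action and Report Action into one disposition. The packet builder, the sample addresses and the particular TCP flag combinations treated as non-standard are assumptions.

```python
"""Packet-anomaly checks modelled on Table 72 (added example, not DefensePro code).

Covers the IPv4/TCP anomalies from the table that can be evaluated on one raw
packet: 103 Incorrect IPv4 Checksum, 104 Invalid IPv4 Header or Total Length,
105 TTL <= 1, 113 Invalid TCP Flags, 119 Source/Dest same as Local Host,
120 LAND, 125 L4 Source/Dest Port Zero.
"""
import socket
import struct

# (name, default Action, default Report Action) per anomaly ID, from Table 72.
DEFAULTS = {
    103: ("Incorrect IPv4 Checksum", "Drop", "Bypass"),
    104: ("Invalid IPv4 Header or Total Length", "Drop", "Bypass"),
    105: ("TTL Less Than or Equal to 1", "Report", "Process"),
    113: ("Invalid TCP Flags", "Drop", "Bypass"),
    119: ("Source or Dest. Address same as Local Host", "Drop", "Bypass"),
    120: ("Source Address same as Dest Address (Land Attack)", "Drop", "Bypass"),
    125: ("L4 Source or Dest. Port Zero", "Drop", "Bypass"),
}
TCP_FIN, TCP_SYN, TCP_RST, TCP_PSH, TCP_ACK, TCP_URG = 1, 2, 4, 8, 16, 32

# Constructed sample addresses (not from the page).
SRC = socket.inet_aton("10.0.0.1")
DST = socket.inet_aton("10.0.0.2")
LOCAL_HOST = socket.inet_aton("127.0.0.1")


def ipv4_checksum(header):
    """One's-complement sum of the header's 16-bit words; 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def invalid_tcp_flags(flags):
    """Assumed non-standard combinations: no flags, SYN+FIN, SYN+RST, FIN without ACK."""
    if flags & 0x3F == 0:
        return True
    if flags & TCP_SYN and flags & (TCP_FIN | TCP_RST):
        return True
    return bool(flags & TCP_FIN) and not flags & TCP_ACK


def check_packet(frame, local_hosts=(LOCAL_HOST,)):
    """Return the sorted list of anomaly IDs found in one raw IPv4 packet."""
    if len(frame) < 20:
        return [104]
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", frame[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # 104: header length outside the frame, or total length disagreeing with the
    # bytes actually received; nothing after this can be trusted, so stop here.
    if ihl < 20 or ihl > len(frame) or total_len != len(frame):
        return [104]
    found = set()
    if ipv4_checksum(frame[:ihl]) != 0:            # 103: checksum does not verify
        found.add(103)
    if ttl <= 1:                                   # 105
        found.add(105)
    if src in local_hosts or dst in local_hosts:   # 119
        found.add(119)
    if src == dst:                                 # 120: LAND
        found.add(120)
    l4 = frame[ihl:]
    if proto in (6, 17) and len(l4) >= 4:          # TCP or UDP: 125
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == 0 or dport == 0:
            found.add(125)
    if proto == 6 and len(l4) >= 14 and invalid_tcp_flags(l4[13]):  # 113
        found.add(113)
    return sorted(found)


def disposition(anomaly_ids, table=DEFAULTS):
    """Combine the per-anomaly defaults: any Drop drops the packet; otherwise a
    Bypass Report Action wins over Process. A trap is sent for Drop or Report."""
    if not anomaly_ids:
        return ("forward", False)
    rows = [table[i] for i in anomaly_ids]
    if any(action == "Drop" for _, action, _ in rows):
        return ("drop", True)
    path = "bypass" if any(r == "Bypass" for _, _, r in rows) else "process"
    return (path, any(action == "Report" for _, action, _ in rows))


def build_ipv4_tcp(src, dst, sport, dport, flags, ttl=64, bad_checksum=False):
    """Construct a minimal IPv4/TCP packet (sample input for the checks above)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, ttl, 6, 0, src, dst)
    csum = ipv4_checksum(hdr) ^ (1 if bad_checksum else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + tcp
```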

Configuring Global DNS Flood Protection


DNS Flood Protection, which you can use in your network-protection policy, defends your network from zero-day DNS-flood attacks. These attacks fill available DNS bandwidth with irrelevant traffic, denying legitimate users DNS lookups. The attacks originate in the public network and threaten Internet-connected organizations. The DNS Flood profiles detect traffic anomalies and prevent zero-day, unknown, DNS flood attacks by identifying the footprint of the anomalous traffic.


DNS Flood Protection types can include the following DNS query types:
- A
- MX
- PTR
- AAAA
- Text
- SOA
- NAPTR
- SRV
- Other

Caution: DefensePro does not support DNS queries of type ANY.

DNS Flood Protection can detect statistical anomalies in DNS traffic and generate an accurate attack footprint based on a heuristic protocol information analysis. This ensures accurate attack filtering with minimal risk of false positives. The default average time for a new signature creation is between 10 and 18 seconds. This is a relatively short time, because flood attacks can last for minutes and sometimes hours.

Before you configure DNS Flood Protection profiles, ensure that DNS Flood Protection is enabled. You can also change the default global device settings for DNS Flood Protection. The DNS Flood Protection global settings apply to all the network protection-policy rules with DNS Flood profiles on the device.

To enable DNS Flood Protection and configure global settings


1. In the Configuration perspective Security Settings tab navigation pane, select DNS Flood Protection.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 73: DNS Flood Protection Global Parameters

Basic Parameters

Enable DNS Flood Protection
    Specifies whether DNS Flood Protection is enabled.
    Note: Changing the setting of this parameter requires a reboot to take effect.

Learning Response Period
    The initial period from which baselines are primarily weighted. The default and recommended learning response period is one week. If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response to one month. Use a one-day period for testing purposes only.
    Values: Day, Week, Month
    Default: Week


Footprint Strictness
    When the DNS Flood Protection module detects a new attack, the module generates an attack footprint to block the attack traffic. If the module is unable to generate a footprint that meets the footprint-strictness condition, the module issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the module cannot generate a footprint.
    Values:
    - High: Enforces at least three Boolean ANDs and no other Boolean OR value in the footprint. This level lowers the probability for false positives but increases the probability for false negatives.
    - Medium: Enforces at least two Boolean ANDs and no more than two additional Boolean OR values in the footprint.
    - Low: Allows any footprint suggested by the DNS Flood Protection module. This level achieves the best attack blocking, but increases the probability of false positives.
    Notes:
    - The DNS Flood Protection module always considers the checksum field and the sequence number fields as High Footprint Strictness fields. Therefore, a footprint with only a checksum or sequence number is always considered as High Footprint Strictness.
    - Table 74 - DNS Footprint Strictness Examples, page 152 shows examples of footprint strictness requirements.

Mitigation Actions

When the protection is enabled and the device detects that a DNS-flood attack has started, the device implements the mitigation actions in escalating order, that is, in the order that they appear in the group box. If the first enabled mitigation action does not mitigate the attack satisfactorily (after a certain Escalation Period), the device implements the next more-severe enabled mitigation action, and so on. As the most severe mitigation action, the device always implements the Collective Rate Limit, which limits the rate of all DNS queries to the protected server.

Enable Signature Challenge
    Specifies whether the device challenges suspect DNS queries that match the real-time signature.
    Default: Enabled
    Note: DefensePro challenges only A and AAAA query types.

Enable Signature Rate Limit
    Specifies whether the device limits the rate of DNS queries that match the real-time signature.
    Default: Enabled

Enable Collective Challenge
    Specifies whether the device challenges all unauthenticated DNS queries to the protected server.
    Default: Enabled
    Note: DefensePro challenges only A and AAAA query types.

Enable Collective Rate Limit
    (Read-only) The device limits the rate of all DNS queries to the protected server.
    Value: Enabled


Advanced Parameters

These settings affect periodic attack behavior. The settings are used to effectively detect and block these attack types.

Duration of Non-attack Traffic in Blocking State
    The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Blocking state. When the time elapses, DefensePro declares the attack to be terminated.
    Values in DefensePro 7.20: 45–300
    Default in DefensePro 7.20: 45

Duration of Non-attack Traffic in Anomaly or Non-strictness State
    The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Anomaly state or the Non-strictness state. When the time elapses, DefensePro declares the attack to be terminated.
    Values in DefensePro 7.20: 45–300
    Default in DefensePro 7.20: 45

Enable DNS Protocol Compliance Checks
    Specifies whether the device checks each DNS query for DNS protocol compliance and drops the non-compliant queries. (This parameter is available only when the SDM table is enabled.)
    Default: Disabled
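The escalation described under Mitigation Actions, combined with the Duration of Non-attack Traffic in Blocking State termination timer, as an added Python example that is not DefensePro's code. The escalation period, the attack-degree threshold (hard-coded on the device) and what happens to queries a challenge cannot apply to are assumptions; the step order, the skipping of disabled steps, the always-on Collective Rate Limit and the A/AAAA-only challenge follow the text above.

```python
"""Escalating DNS-flood mitigation (added example, not DefensePro code).

Steps in the order given under "Mitigation Actions": Signature Challenge,
Signature Rate Limit, Collective Challenge, Collective Rate Limit. Disabled
steps are skipped; Collective Rate Limit is always enabled. After an assumed
escalation period with the attack degree still above an assumed threshold the
next enabled step is taken. When the degree stays below the threshold for
"Duration of Non-attack Traffic in Blocking State" seconds (default 45) the
attack is declared terminated.
"""

ACTIONS = ("Signature Challenge", "Signature Rate Limit",
           "Collective Challenge", "Collective Rate Limit")
CHALLENGE_TYPES = {"A", "AAAA"}   # the page: only A and AAAA are challenged


class DnsMitigator:
    def __init__(self, enabled=None, escalation_period=10.0,
                 attack_threshold=1.0, non_attack_duration=45.0):
        enabled = dict(enabled or {})
        enabled["Collective Rate Limit"] = True       # read-only, always on
        self.steps = [a for a in ACTIONS if enabled.get(a, True)]
        self.period = escalation_period               # assumed value
        self.threshold = attack_threshold             # assumed (hard-coded on the device)
        self.non_attack_duration = non_attack_duration
        self.index = None          # position in self.steps; None = no attack
        self.started = None        # time the current step was entered
        self.below_since = None    # time the degree last fell below the threshold

    @property
    def state(self):
        return "Normal" if self.index is None else "Blocking"

    def current_action(self):
        return None if self.index is None else self.steps[self.index]

    def update(self, ts, attack_degree):
        """Feed one measurement of the degree of attack; returns the step in force."""
        attacking = attack_degree >= self.threshold
        if self.index is None:
            if attacking:
                self.index, self.started, self.below_since = 0, ts, None
            return self.current_action()
        if not attacking:
            if self.below_since is None:
                self.below_since = ts
            elif ts - self.below_since >= self.non_attack_duration:
                self.index = self.started = self.below_since = None   # terminated
            return self.current_action()
        self.below_since = None
        if ts - self.started >= self.period and self.index < len(self.steps) - 1:
            self.index += 1                       # escalate to the next enabled step
            self.started = ts
        return self.current_action()

    def disposition(self, query_type, matches_signature):
        """What the step in force does with one query (assumed: queries a challenge
        cannot apply to, and queries outside the signature, are forwarded)."""
        action = self.current_action()
        if action is None:
            return "forward"
        if action.startswith("Signature") and not matches_signature:
            return "forward"
        if action.endswith("Challenge"):
            return "challenge" if query_type in CHALLENGE_TYPES else "forward"
        return "rate-limit"
```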

Table 74: DNS Footprint Strictness Examples

                                            Strictness Level
Footprint Example                           Low    Medium    High
DNS Query                                   Yes    No        No
DNS Query AND DNS ID                        Yes    Yes       No
DNS Query AND DNS ID AND Packet Size        Yes    Yes       Yes
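The strictness rules from Table 73 and the examples in Table 74, as an added Python example that is not DefensePro's code. A footprint is modelled as AND-ed (field, values) terms, where more than one value in a term means those values are OR-ed; the field names and values used are constructed.

```python
"""Footprint-strictness check for DNS Flood Protection (added example, not
DefensePro code).

A footprint is a list of AND-ed terms; each term is (field, values), and a
term with more than one value is an OR of those values. Rules from Table 73:
  High   - at least three AND-ed terms and no additional OR value
  Medium - at least two AND-ed terms and at most two additional OR values
  Low    - any footprint
A footprint made only of the checksum and/or sequence-number field is
always treated as High, as the table's note states.
"""

ALWAYS_HIGH = {"checksum", "sequence number"}
LEVELS = ("Low", "Medium", "High")


def or_count(footprint):
    """Number of additional OR-ed values across all terms of the footprint."""
    return sum(len(values) - 1 for _field, values in footprint)


def meets_strictness(footprint, level):
    """True if the footprint satisfies the given Footprint Strictness level."""
    if not footprint:
        return False
    fields = {field.lower() for field, _values in footprint}
    if fields <= ALWAYS_HIGH:
        return True          # checksum / sequence number alone always counts as High
    ands, ors = len(footprint), or_count(footprint)
    if level == "High":
        return ands >= 3 and ors == 0
    if level == "Medium":
        return ands >= 2 and ors <= 2
    if level == "Low":
        return True
    raise ValueError("unknown strictness level: %r" % (level,))


def highest_level(footprint):
    """The strictest level the footprint satisfies, or None for an empty footprint."""
    for level in reversed(LEVELS):
        if meets_strictness(footprint, level):
            return level
    return None


def blocking_decision(footprint, configured_strictness):
    """Per Table 73: block with the footprint if it meets the configured level,
    otherwise only notify about the attack."""
    return "block" if meets_strictness(footprint, configured_strictness) else "notify"


# Constructed footprints matching the rows of Table 74.
QUERY = [("DNS Query", ["A"])]
QUERY_ID = QUERY + [("DNS ID", ["0x1234"])]
QUERY_ID_SIZE = QUERY_ID + [("Packet Size", ["64"])]
```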

Configuring DNS Footprint Bypass


You can define footprint bypass types and values that will not be used as part of a real-time signature. The types and values that you define will not be used in OR or in AND operations within the blocking rule (real-time signature) even when the protection-engine suggests that the traffic is a real-time signature candidate. For information on the footprint bypass types, see DNS Footprint Bypass Fields and Values, page 333.


To configure DNS footprint bypass


1. In the Configuration perspective Security Settings tab navigation pane, select DNS Flood Protection > DNS Footprint Bypass.
2. From the Footprint Bypass Controller list, select the DNS query type for which you want to configure footprint bypass, and click Go. The table displays the bypass fields for the selected DNS query type.
3. To edit bypass type settings, double-click the corresponding row.
4. Configure the footprint bypass parameters for the selected bypass field; and then, click OK.

Table 75: DNS Footprint Bypass Parameters

Footprint Bypass Controller
    (Read-only) The selected DNS query type for which you are configuring footprint bypass.

Bypass Field
    (Read-only) The selected Bypass Field to configure.

Bypass Status
    The bypass option.
    Values:
    - Bypass: The DNS Flood Protection module bypasses all possible values of the selected Bypass Field when generating a footprint.
    - Accept: The DNS Flood Protection module bypasses only the specified values (if such a value exists) of the selected Bypass Field when generating a footprint.

Bypass Values
    Used if the value of the Bypass Status parameter is Accept. DNS Flood Protection bypasses only the values of a selected Bypass Type, while it may use all other values. These values vary according to the Bypass Field selected. The values in the field must be comma-delimited.

Configuring Early Blocking of DNS Traffic

Caution: Modifying the values exposed in the Early Blocking of DNS Traffic feature may impair the accuracy of the DNS-Flood-attack footprint that DefensePro generates. When DefensePro detects a new DNS-flood attack (by default, after 10 seconds), the device generates a DNS-flood-attack footprint and then blocks or drops the relevant flood traffic. In rare cases, such as very sensitive servers or firewalls, or in laboratory tests, it is required to start blocking as soon as possible, even if accuracy is compromised. Using Early Blocking of DNS Traffic, you can configure thresholds for generating DNS-flood-attack footprints, which shorten the time to start blocking the relevant traffic. DefensePro generates each footprint using values from fields in the packet header (for example: Sequence Number, Checksum, and IP ID). The values from fields in the packet header characterize the attack.


The thresholds that you can configure for the protection to change from the Analysis state to the Blocking state are Packet-header fields or Packet-header-field values:
- The Packet-header fields threshold is the anomalously distributed packet-header fields that the DefensePro device must detect to generate a footprint and start early blocking prior to the default 10 seconds. (The transition after 10 seconds occurs even if the condition is not met.) You can define either the number of packet-header fields, or the specific fields that the DefensePro device must detect. For more information, see Selecting Packet Header Fields for Early Blocking of DNS Traffic, page 155.
- The Packet-header-field values threshold is the number of anomalous packet-header-field values that the DefensePro device must detect to generate a footprint and start early blocking.

Note: The threshold (that is, the packet-header fields or number of packet-header fields) cannot conflict with the Footprint Strictness level. You cannot change the specified Footprint Strictness to one that is lower than the strictness necessary for the DNS Flood Protection mechanism to operate properly. Likewise, you cannot configure fewer packet-header fields than the specified strictness level requires for the DNS Flood Protection mechanism to operate properly.

To configure early blocking for DNS Flood Protection


1. In the Configuration perspective Security Settings tab navigation pane, select BDoS Protection > DNS Early Blocking.
2. To modify a protection type for early blocking, double-click the row.
3. Configure the parameters; and then, click OK.

Table 76: DNS Early Blocking Parameters

Protection Type
    (Read-only) The protection for which you are configuring early blocking.

Any Packet Header Field
    When selected, DefensePro blocks DNS traffic early based on the specified number of packet-header fields and number of packet-header-field values thresholds. Clear the selection to use specific packet header fields that you select in the DNS Packet Header table.

Any Packet Header Field Threshold
    The number of anomalous packet-header fields that DefensePro must detect to generate a footprint and start early blocking.
    Values: 0–30
    Default: 21

Packet Header Field Values
    The number of anomalous packet-header-field values that DefensePro must detect to generate a footprint and start early blocking. The number of packet-header-field values must not be less than the specified packet-header field threshold.
    Values: 1–1000
    Default: 500


Selecting Packet Header Fields for Early Blocking of DNS Traffic


You can select specific packet header fields to be included in the set of packet header fields that the DefensePro device must detect to generate a footprint and start early blocking.

To select packet header fields for early blocking


1. In the Configuration perspective Security Settings tab navigation pane, select DNS Flood Protection > Packet Header.
2. From the Protection Type drop-down list, select the protection type and click Go. The DNS Packet Header table displays the relevant packet header fields.
3. To change the early blocking enabling setting for a field, double-click the row, change the setting in the dialog box, and click OK.

Table 77: DNS Packet Header Field Parameters

Protection Type
    (Read-only) The protection for which you are configuring early blocking.

Packet Header Field
    (Read-only) The packet header field.

Enable Early Blocking Condition
    When selected, the packet header field is included in the set of specific packet header fields that DefensePro must detect to generate a footprint and start early blocking.

Managing the Network Protection Policy


The network-protection policy protects your configured networks using protection profiles. Individual Network Protection Rules make up the Network Protection Policy. Each rule uses one or more protection profiles that are applied on a predefined network segment. In addition, each rule includes the action to take when an attack is detected. Before you configure rules and profiles for the network-protection policy, ensure that you have enabled all the required protections and configured the corresponding global protection parameters in the Security Settings tab.

Note: The terms Network Protection Rule, DefensePro Rule, Network Protection Policy, and Network Policy may be used interchangeably in APSolute Vision and in the documentation. There are two main types of network protections, Intrusion Preventions (see Table 78 - Intrusion Prevention Protections, page 156) and Denial of Service protection (see Table 79 - Denial of Service Protections, page 156).


Table 78: Intrusion Prevention Protections

Signatures
    Prevents known application vulnerabilities and exploitation attempts, and protects against known DoS/DDoS flood attacks.

Anti-Scanning
    Prevents zero-day self-propagating network worms, horizontal scans, and vertical scans.

Table 79: Denial of Service Protections

Behavioral DoS
    Detects and prevents zero-day DoS/DDoS flood attacks.

Connection Limit
    Protects against connection flood attacks.

SYN Protection
    Prevents SYN flood attacks using SYN cookies.

DoS Shield
    Protects against known flood attacks and flood attack tools that cause a denial of service effect.

DNS Protection
    Detects and prevents zero-day DNS-flood attacks.

Out of State Protection
    Detects out-of-state packets to provide additional protection for application-level attacks.

Configuring the Network Protection Policy


Each rule in a network-protection policy consists of two parts:
- The classification that defines the protected network segment.
- The action to be applied when an attack is detected on the matching network segment. The action defines the protection profiles to be applied to the network segment, and whether the malicious traffic should be blocked. Malicious traffic is always reported.

Note: The terms Network Protection Rule, DefensePro Rule, Network Protection Policy, and Network Policy may be used interchangeably in APSolute Vision and in the documentation.

You can configure up to 50 Network Protection policies on a DefensePro device. Before you configure a policy, ensure that you have configured the following:
  - The Classes that will be required to define the protected network segment. For more information, see Managing Classes, page 231.
  - The Network Protection profiles. For more information, see:
    Configuring Signature Protection for Network Protection, page 160
    Configuring BDoS Profiles for Network Protection, page 175
    Configuring Anti-Scanning Protection for Network Protection, page 178
    Configuring Connection Limit Profiles for Network Protection, page 180
    Configuring SYN Profiles for Network Protection, page 185
    Configuring Connection PPS Limit Profiles for Network Protection, page 1
    Configuring DNS Protection Profiles for Network Protection, page 192
    Configuring Out of State Protection Profiles for Network Protection, page 195


Caution: When you configure the policy, APSolute Vision stores your configuration changes, but it does not download your configuration changes to the device. To apply changes onto the device, you must activate the configuration changes.

To configure a network-protection policy


1. In the Configuration perspective Network Protection tab navigation pane, select Network Protection Rules.
2. To add or modify a network-protection rule, do one of the following:
   - To add an entry to the table, click the (Add) button.
   - To edit an entry in the table, double-click the entry.
3. Configure the network-protection rule parameters; and then, click OK.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.

Table 80: Network Protection Rule Parameters

Basic Parameters

Enabled: Specifies whether the rule is enabled.

Rule Name: The name of the network-protection rule.

Instance ID: The identifier of the DefensePro hardware instance on which the network-protection rule runs. Values: Instance 0, Instance 1. Default: Instance 0

Classification

SRC Network: The source of the packets that the rule uses. Values: A Network class displayed in the Classes tab; an IP address; any.

DST Network: The destination of the packets that the rule uses. Values: A Network class displayed in the Classes tab; an IP address; any.


Port Group: The Physical Port class or physical port that the rule uses. Values: A Physical Port class displayed in the Classes tab; the physical ports on the device; None.

Direction: The direction of the traffic to which the rule relates. Values:
  - One Way: The protection applies to sessions originating from sources to destinations that match the network definitions of the policy.
  - Two Way: The protection applies to sessions that match the network definitions of the policy regardless of their direction.
Default: One Way

VLAN Tag Group: The VLAN Tag class that the rule uses. Values: A VLAN Tag class displayed in the Classes tab; None. Note: If you specify a VLAN group, you cannot specify an MPLS RD group.

MPLS RD Group: The MPLS route distinguisher (RD) class that the rule uses. The device dynamically associates the MPLS tag value with configured MPLS RD values installed between P and PE routers in the provider's MPLS backbone. Values: An MPLS RD class displayed in the Classes tab; None. Note: If you specify an MPLS RD group, you cannot specify a VLAN group.

Action

Protection Profile (Displayed in the table): The profile to be applied to the network segment defined in this rule.

BDoS Profile: The BDoS profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.

DNS Profile: The DNS Protection profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.

Anti Scanning Profile: The Anti-Scanning profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.


Signature Protection Profile: The Signature Protection profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.

Connection Limit Profile: The Connection Limit profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.

SYN Flood Profile: The SYN Flood profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.

Out of State Profile: The Out of State profile to be applied to the network segment defined in this rule. Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.

Action: The default action for all attacks under this policy. Values:
  - Block and Report: The malicious traffic is terminated and a security event is generated and logged.
  - Report Only: The malicious traffic is forwarded to its destination and a security event is generated and logged.
Default: Block and Report
Note: Signature-specific actions override the default action for the policy.

Packet Reporting and Trace Setting

Packet Reporting: Specifies whether the device sends sampled attack packets to APSolute Vision for offline analysis. Default: Disabled. Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting).

Packet Reporting Configuration on Policy Takes Precedence: Specifies whether the configuration of the Packet Reporting feature here, on this policy rule, takes precedence over the configuration of the Packet Reporting feature in the associated profiles.


Packet Trace: Specifies whether the DefensePro device sends attack packets to the specified physical port. Default: Disabled. Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Packet Trace Configuration on Policy Takes Precedence: Specifies whether the configuration of the Packet Trace feature here, on this policy rule, takes precedence over the configuration of the Packet Trace feature in the associated profiles. Caution: A change to this parameter takes effect only after you update policies.

Configuring Signature Protection for Network Protection


Signature Protection detects and prevents network-oriented attacks, Operating System (OS) oriented attacks and application-oriented attacks by comparing each packet to the set of signatures stored in the Signatures database. The attacks handled by this protection can be divided into the following groups:
  - Server-based vulnerabilities: Web vulnerabilities, Mail server vulnerabilities, FTP server vulnerabilities, SQL server vulnerabilities, DNS server vulnerabilities, SIP server vulnerabilities
  - Worms and viruses
  - Trojans and backdoors
  - Client-side vulnerabilities
  - IRC bots
  - Spyware
  - Phishing
  - Anonymizers

Configuration Considerations with Signature Protection


You can configure Signature Protection using Radware Security Operations Center (SOC) signature profiles or using user-defined signature profiles. Radware recommends that you configure policies containing Signature Protection profiles using Networks with Source = Any, the public network, and Destination = Protected Network. You can configure policies to use VLAN tags, application ports, physical ports, and MPLS RDs.


For implications of direction settings for rules and protections, see Table 81 - Implications of Policy Directions, page 161. Policies containing Signature Protection profiles can be configured with Direction set to either One Way or Two Way. Protections can be configured with the Direction values Inbound, Outbound, or In-Outbound. While most of the attacks (such as worm infections) are detected through their inbound pattern, some attacks require inspecting outbound patterns initiated by infected hosts. For example, trojans require inspecting outbound patterns initiated by infected hosts. Policies configured with Source = Any and Destination = Any inspect only In-Outbound attacks.

Radware provides you with a set of predefined signature profiles for field installation, such as Corporate Gateway, DMZ and LAN protections, Carrier links protections, and so on. Radware profiles are continuously updated along with the weekly signature database maintained by the Radware SOC. You cannot edit Radware signature profiles.

Table 81: Implications of Policy Directions

The three rightmost columns give the result for a signature whose Direction is Inbound, Outbound, or Inbound or Outbound, respectively.

Policy Direction  Policy Action  Packet Direction  Inbound  Outbound  Inbound or Outbound
One way           From           Ex to in          Inspect  Ignore    Inspect
One way           To             In to ex          Ignore   Inspect   Ignore
Two way           From           Ex to in          Inspect  Ignore    Inspect
Two way           To             In to ex          Ignore   Inspect   Inspect
N/A               Any to any     N/A               Ignore   Ignore    Inspect

Configuring Signature Protection Profiles


A Signature Protection profile contains one or more rules for the network segment you want to protect. Each rule defines a query on the Signatures database. DefensePro activates protections from the signature database that comply with the set of rules. The user-defined profile is updated each time you download an updated Signatures database. You can configure up to 300 Signature Protection profiles on a DefensePro device.

Each rule in the profile can include one or more entries from the various attribute types. Rules define a query on the Signatures database based on the following logic:
  - Values from the same type are combined with logical OR.
  - Values from different types are combined with logical AND.
  - The rules are combined in the profile with a logical OR.

Note: Rules in the profile are implicit. That is, when you define a value, the query includes all signatures that match the specific selected attribute, plus all the signatures that have no attribute at all. This logic ensures that signatures that may be relevant to the protected network are included even if they are not associated explicitly (by the SOC) with the application in the network. To configure Signature Protection profiles, IPS protection must be enabled and global DoS Shield parameters must be configured. For more information, see Configuring Global Signature Protection, page 131 and Configuring DoS Shield Protection, page 131.
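As an added illustration of the query logic just described (not DefensePro code), the following Python evaluates a profile's rules against a small constructed signature database. The signature IDs and attribute values are hypothetical, and it assumes that "no attribute at all" means the signature carries no value for the queried attribute type.

```python
from typing import Dict, List, Set

# Added illustration of the documented profile query logic; not DefensePro code.
# A signature is {"id": int, "attrs": {attribute type: set of values}};
# a rule is {attribute type: set of selected values}.

# Constructed sample database with hypothetical IDs and attribute values.
SIGNATURES: List[Dict] = [
    {"id": 1, "attrs": {"Applications": {"Web servers"}, "Risk": {"High"}}},
    {"id": 2, "attrs": {"Applications": {"Mail servers"}, "Risk": {"High"}}},
    {"id": 3, "attrs": {"Applications": {"Web servers", "Mail servers"},
                        "Risk": {"Low"}}},
    {"id": 4, "attrs": {"Risk": {"High"}}},   # SOC assigned no Applications value
    {"id": 5, "attrs": {}},                   # no attributes at all
]


def attribute_matches(sig: Dict, attr_type: str, wanted: Set[str],
                      implicit: bool = True) -> bool:
    """Values of one attribute type are combined with OR.

    With implicit=True (the documented behaviour) a signature that carries no
    value for the queried type also matches; implicit=False shows, for
    comparison, what an explicit-only query would return.
    """
    present = sig["attrs"].get(attr_type, set())
    if not present:
        return implicit
    return bool(present & wanted)


def rule_matches(sig: Dict, rule: Dict[str, Set[str]],
                 implicit: bool = True) -> bool:
    """Different attribute types within one rule are combined with AND."""
    return all(attribute_matches(sig, t, v, implicit) for t, v in rule.items())


def profile_signature_ids(profile: List[Dict[str, Set[str]]],
                          db: List[Dict] = SIGNATURES,
                          implicit: bool = True) -> List[int]:
    """Rules in a profile are combined with OR: a signature is activated
    by the profile when any of its rules matches."""
    return sorted(s["id"] for s in db
                  if any(rule_matches(s, r, implicit) for r in profile))


if __name__ == "__main__":
    web_high = [{"Applications": {"Web servers"}, "Risk": {"High"}}]
    print(profile_signature_ids(web_high))                  # [1, 4, 5]
    print(profile_signature_ids(web_high, implicit=False))  # [1]
```

The implicit rule is why a profile scoped to "Web servers" still activates signatures 4 and 5: they were never tagged with an application, so the query keeps them rather than silently dropping them.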


To configure a Signature Protection profile


1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Profiles.
2. Do one of the following:
   - To add a profile, click the (Add) button, and enter a profile name.
   - To edit a profile, double-click the entry in the table.
   - To display the list of signatures associated with the configured protections for the profile, double-click the entry in the table; and then, click Show Matching Signatures.
3. To add a rule:
   a. In the rules table, right-click and select Add New Signature Profile.
   b. Enter a profile name, and select an attribute and its value.
   c. Click OK. The new rule is displayed in the rule table. You can now add more attributes to the rule, and add more values to existing rule attributes.
4. To add an attribute to an existing rule:
   a. In the rules table, right-click the rule, and select Add Attribute Type.
   b. Select an attribute and its value.
   c. Click OK. The new attribute is displayed in the rule.
5. To add a value to an existing rule attribute:
   a. In the rules table, right-click the rule attribute, and select Add Attribute Value.
   b. Select a value for the attribute.
   c. Click OK. The new attribute value is displayed in the rule.
6. To save the signature profile configuration, click OK.

Table 82: Signature Profile Parameters

Profile Name: The name of the signature profile. For a new profile, enter a profile name.

Show Matching Signatures: This button appears only when editing a profile. Click to display the list of signatures associated with the configured protections for the profile.

Signature Profile Rules Table: The table displays details of the configured rules for the selected profile. Each rule can contain more than one attribute type, and each attribute type can contain one or more attribute values.

Rule Name: The name of the signature profile rule. Note: This field is read-only when adding an attribute type or attribute value.

Attribute Type: Select from the list of predefined attribute types, which are based on the various aspects taken into consideration when defining a new attack.

Attribute Value: Select the value for the defined attribute type.


Configuring Signature Protection Signatures


A signature is a building block of the protection profile. Each signature contains one or more protection filters and attributes that determine which packets are malicious and how they are treated. Signature settings parameters define how malicious packets are tracked and treated once their signature is recognized in the traffic. Each attack is bound to a tracking function that defines how the packet is handled when it is matched with a signature. The main purpose of these functions is to determine whether the packet is harmful and to apply an appropriate action. The Signatures table provides you with filters that allow viewing Radware and user-defined signatures. You can define filtering criteria, so that all signatures that match the criteria are displayed in the Signatures table. You can also add user-defined signatures.

Note: You can edit and remove only user-defined signatures. For Radware-defined signatures, you can edit the general parameters only.

To view Signature Protection signatures


1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Signatures.
2. To view all signatures, do one of the following:
   - Click Filter by ID, then click Go.
   - Click Filter by Attribute, select All Signatures in the Display list, then click Go.
3. To view user-defined signatures, click Filter by Attribute, select User Signatures in the Display list, then click Go.
4. To filter the signatures for display:
   - To filter by ID, click Filter by ID, enter the required ID number and click Go.
   - To filter by attribute, click Filter by Attribute, configure the following parameters and click Go.

Display: Specifies which sets of signatures to display. Values:
  - User Signatures: User-defined signatures. You can edit and remove these signatures.
  - Static Signatures: Radware-defined signatures. You can edit only the general parameters of these signatures.
  - All Signatures: User-defined and Radware-defined signatures.

Attribute Type: Select from the list of predefined attribute types, which are based on the various aspects taken into consideration when defining a new attack.

Attribute Value: Select the value for the defined attribute type.


To configure Signature Protection signatures


1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Signatures.
2. To add or edit a signature, do one of the following:
   - To add a signature, click the (Add) button.
   - To edit a signature, display the required signature, then double-click the signature.
3. Configure the parameters; and then click OK.

Table 83: Signature Parameters

Signature Name: The name of the signature, up to 29 characters.

Signature ID: (Read-only) The ID assigned to the signature by the system.

Enabled: Specifies whether the signature can be used in protection profiles.

Tracking Time: The time, in milliseconds, for measuring the Active Threshold. When a number of packets exceeding the threshold passes through the device within the configured Tracking Time period, the device recognizes it as an attack. Default: 1000


Tracking Type: Specifies how the device determines which traffic to block or drop when under attack. Values:
  - bobo2K
  - Destination Count: Select this option when the defined attack is destination-based, that is, the hacker is attacking a specific destination, such as a Web server, for example, Ping Floods or DDoS attacks.
  - DHCP
  - Drop All: Select this option when each packet of the defined attack is harmful, for example, Code Red and Nimda attacks. Caution: On devices without the SME, this option may have a negative impact on performance.
  - Fragments
  - FTP Bounce
  - Land Attack
  - ncpsdcan
  - Sampling: Select this option when the defined attack is based on sampling, that is, a DoS Shield attack.
  - Source and Destination Count: Select this option when the attack type is a source and destination-based attack, that is, the hacker is attacking from a specific source IP to a specific destination IP address, for example, Port Scan attacks.
  - Source Count: Select this option when the defined attack is source-based, that is, the attack can be recognized by its source address, for example, a Horizontal Port Scan, where the hacker scans a certain application port (TCP or UDP) to detect which servers are available in the network.
Default: Drop All (on devices without the SME). Sampling (on devices without the SME).

Action Mode: The action taken when an attack is detected. Values:
  - Drop: The packet is discarded.
  - Report Only: The packet is forwarded to the defined destination.
  - MM7: If the packet contains a threat, the device drops the message and sends an application-level error message to the server to remove the message from the queue to prevent a re-transmission. Contains Transaction ID, Content Length and Message ID.
  - Reset Source: Sends a TCP-Reset packet to the packet source IP address.
  - Reset Destination: Sends a TCP-Reset packet to the destination address.
  - Reset Bidirectional: Sends a TCP-Reset packet to both the packet source IP and the packet destination IP address.
Default: Drop


Suspend Action: Specifies which session traffic the device suspends for the duration of the attack. Values:
  - None: The suspend action is disabled for this attack.
  - Source IP: All traffic from the IP address identified as the source of this attack is suspended.
  - Source IP and Destination IP: Traffic from the IP address identified as the source of this attack to the destination IP under attack is suspended.
  - Source IP and Destination Port: Traffic from the IP address identified as the source of this attack to the application (destination port) under attack is suspended.
  - Source IP, Destination IP and Port: Traffic from the IP address identified as the source of this attack to the destination IP and port under attack is suspended.
  - Source IP and Port, Destination IP and Port: Traffic from the IP address and port identified as the source of this attack to the destination IP and port under attack is suspended. With this action, if Session Drop Mechanism is enabled, there will be no entry of the session in the Suspend Table.

Direction: The protection inspection path. The protections can inspect the incoming traffic only, the outgoing traffic only, or both. Values: Inbound, Outbound, Inbound & Outbound. Default: Inbound & Outbound

Activation Threshold: The maximum number of attack packets allowed in each Tracking Time unit. Attack packets are recognized as legitimate traffic when they are transmitted within the Tracking Time period. When the value for Tracking Type is Drop All, the DefensePro device ignores this parameter. Default: 50

Drop Threshold: After an attack has been detected, the device starts dropping excessive traffic only when this threshold is reached. This parameter is measured in PPS. When the value for Tracking Type is Drop All, the profile ignores this parameter. Default: 50

Termination Threshold: When the attack PPS rate drops below this threshold, the profile changes the attack from active mode to inactive mode. When the value for Tracking Type is Drop All, the DefensePro device ignores this parameter. Default: 50

Packet Report: Enables the sending of sampled attack packets to APSolute Vision for offline analysis. Default: Disabled

Exclude Source IP Address: The source IP address or network whose packets the profile does not inspect. Default: None


Exclude Destination IP Address: The destination IP address or network whose packets the profile does not inspect. Default: None

Packet Trace: Specifies whether the DefensePro device sends attack packets to the specified physical port. Default: Disabled. Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Quarantine Status: (This parameter is for future use.)

Description: (Read-only) A description of the static signature. You cannot configure a description for a user-defined signature.

Filters Table: Filters are components of a protection, each containing one specific attack signature, that scan and classify predefined traffic. Filters match scanned packets with attack signatures in the Signatures database. For each custom protection, you define custom filters. You cannot use filters from other protections when customizing protection definitions. To add a filter, right-click and select Add New Filter. To edit a filter, right-click and select Edit Filter. Note: For more information, see Table 84 - Signature Filter Parameters, page 167.

Attributes Table: The attributes that you select for the signature determine the attack characteristics used in the rule creation process. To add an attribute value, right-click in the table; and then, select Add New Attribute Value.

Table 84: Signature Filter Parameters

Basic Parameters

Each filter has a specified name and specified protocol-properties parameters.

Filter Name: The name of the signature filter.

Protocol: The protocol used. Values: ICMP, ICMPv6, IP, Non IP, TCP, UDP. Default: IP


Source Application Port: For UDP and TCP traffic only. Select from the list of predefined Application Port Groups.

Destination Application Port: For UDP and TCP traffic only. Select from the list of predefined Application Port Groups.

Packet Parameters

Packet parameters are used to match the correct packet length in different layers.

Packet Size Type: Specifies whether the length is measured for Layer 2, Layer 3, Layer 4 or Layer 7 content. Values:
  - L2: The complete packet length is measured, including Layer 2 headers.
  - L3: The Layer 2 data part of the packet is measured (excluding the Layer 2 headers).
  - L4: The Layer 3 data part of the packet is measured (excluding the Layer 2/Layer 3 headers).
  - L7: The L4 data part of the packet is measured (excluding the Layer 2/Layer 3/Layer 4 headers).
  - None
Default: None

Packet Size Length: The range of values for packet length. Notes: The size is measured per packet only. The size is not applied on reassembled packets. Fragmentation of Layer 4 to Layer 7 packets may result in tails that do not contain the Layer 4 to Layer 7 headers. The check is bypassed, as no match with Type = L4 to L7 is detected.

OMPC Parameters

Offset Mask Pattern Condition (OMPC) parameters are a set of attack parameters that define rules for pattern lookups. The OMPC rules look for a fixed size pattern of up to four bytes that uses fixed offset masking. This is useful for attack recognition, when the attack signature is a TCP/IP header field or a pattern in the data/payload in a fixed offset.

OMPC Condition: The OMPC condition. Values: Equal, Greater Than, Not Applicable, Less Than, Not Equal. Default: Not Applicable


OMPC Length: The length of the OMPC (Offset Mask Pattern Condition) data. Values: Not Applicable, 1 Byte, 2 Bytes, 3 Bytes, 4 Bytes. Default: 1 Byte

OMPC Offset: The location in the packet from where data checking starts looking for specific bits in the IP/TCP header. Values: 0 to 1513. Default: 0

OMPC Offset Relative to: Specifies to which OMPC offset the selected offset is relative. Values: None, IP Header, IP Data, L4 Data, L4 Header, Ethernet. Default: None

OMPC Pattern: The fixed size pattern within the packet that OMPC rules attempt to find. Values: A combination of hexadecimal digits (0 to 9, a to f). The value is defined by the OMPC Length parameter. The OMPC Pattern definition contains eight symbols. When the OMPC Length is less than four bytes, complete it with zeros. For example, when the OMPC Length is two bytes, the OMPC Pattern can be abcd0000. Default: 00000000

OMPC Mask: The mask for the OMPC data. Values: A combination of hexadecimal digits (0 to 9, a to f). The value is defined by the OMPC Length parameter. The OMPC Mask definition contains eight symbols. When the OMPC Length value is less than four bytes, complete it with zeros. For example, when the OMPC Length is two bytes, the OMPC Mask can be abcd0000. Default: 00000000
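The following added Python example (not Radware code) shows how an OMPC rule of the kind described above is evaluated against a constructed Ethernet/IPv4/TCP frame: the offset is anchored according to the Relative to value, the selected bytes are masked, and the result is compared with the zero-padded pattern under the chosen condition. The frame layout, the anchor positions, and treating Not Applicable as "no check" are assumptions made for this example.

```python
import struct
from typing import Optional

# Added illustration of OMPC-style matching (offset, mask, pattern, condition);
# not DefensePro code. Frame layout and anchor points are assumptions.

ETH_HDR_LEN = 14


def build_sample_frame(ttl: int = 64, dport: int = 80,
                       payload: bytes = b"GET / HTTP/1.0\r\n") -> bytes:
    """Constructed Ethernet/IPv4/TCP frame; checksums are left at zero."""
    eth = bytes(12) + b"\x08\x00"                       # dst/src MAC, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0x4000, ttl, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dport, 1, 0, 0x50, 0x02, 8192, 0, 0)
    return eth + ip + tcp + payload


def base_offset(frame: bytes, relative_to: str) -> Optional[int]:
    """Absolute position the OMPC Offset is counted from (IPv4 only here)."""
    if relative_to in ("None", "Ethernet"):
        return 0
    if frame[12:14] != b"\x08\x00":
        return None                                     # not IPv4: cannot anchor
    ip_hdr = ETH_HDR_LEN
    ip_data = ip_hdr + (frame[ip_hdr] & 0x0F) * 4       # skip IHL 32-bit words
    if relative_to == "IP Header":
        return ip_hdr
    if relative_to in ("IP Data", "L4 Header"):
        return ip_data
    if relative_to == "L4 Data":
        proto = frame[ip_hdr + 9]
        if proto == 6:                                  # TCP: honour data offset
            return ip_data + ((frame[ip_data + 12] >> 4) & 0x0F) * 4
        if proto == 17:                                 # UDP: fixed 8-byte header
            return ip_data + 8
        return None
    raise ValueError(f"unknown Relative to value: {relative_to}")


def ompc_match(frame: bytes, offset: int, length: int, pattern_hex: str,
               mask_hex: str, condition: str, relative_to: str = "None") -> bool:
    """Apply one OMPC rule to a frame.

    pattern_hex and mask_hex are eight hex symbols, zero-padded when the
    length is under four bytes (e.g. "abcd0000" for two bytes), as the
    parameter descriptions specify. "Not Applicable" is treated as no OMPC
    check, i.e. a match (an assumption of this example).
    """
    if condition == "Not Applicable":
        return True
    if not 1 <= length <= 4 or not 0 <= offset <= 1513:
        return False
    base = base_offset(frame, relative_to)
    if base is None:
        return False
    start = base + offset
    if start + length > len(frame):
        return False                                    # window runs past the packet
    mask = bytes.fromhex(mask_hex)[:length]
    pattern = bytes.fromhex(pattern_hex)[:length]
    data = bytes(b & m for b, m in zip(frame[start:start + length], mask))
    want = bytes(p & m for p, m in zip(pattern, mask))
    data_int, want_int = int.from_bytes(data, "big"), int.from_bytes(want, "big")
    conditions = {
        "Equal": data == want,
        "Not Equal": data != want,
        "Greater Than": data_int > want_int,
        "Less Than": data_int < want_int,
    }
    return conditions[condition]


if __name__ == "__main__":
    f = build_sample_frame()
    # TCP destination port 80 sits two bytes into the L4 header.
    print(ompc_match(f, 2, 2, "00500000", "ffff0000", "Equal", "L4 Header"))  # True
```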


Content Parameters

The Content parameters define the rule for a text/content string lookup for attack recognition, when the attack signature is a text/content string within the packet payload. The Content parameters are available only for TCP, UDP and ICMP protocols.

Content Type: Enables you to search for a specific content type, which you select from a long list. For the list of valid values, see Table 85 - Content Types, page 171. Default: N/A (the device does not filter the content based on type).

Content Encoding: Application Security can search for content in languages other than English, for case-sensitive or case-insensitive text, and hexadecimal strings. Values: Not Applicable, Case Insensitive, Case Sensitive, Hex, International. Default: Not Applicable. Note: The value of this field corresponds to the Content Type parameter.

Content: The value of the content search, except for HTTP headers, cookies, and FTP commands. Values: <space> ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~

Content Offset: The location in the packet from which the content is checked. The offset location is measured from the beginning of the UDP or TCP header. Values: 0 to 65,535. Default: 0

Content Max Length: The maximum length to be searched within the selected Content Type. Values: 0 to 65,535. Default: 0. Note: The Content Max Length value must be equal to or greater than the Offset value.

Content Data Encoding: Application Security can search for data in languages other than English, for case-sensitive or case-insensitive data, and hexadecimal strings. Values: Not Applicable, Case Insensitive, Case Sensitive, HEX, International. Default: Not Applicable. Note: The value of this field corresponds to the Content Type parameter.


Content Data: The content type for the content search. Values:
  - HTTP Header: The value of the HTTP Header. The header is defined by the Content field.
  - Cookie: The cookie value. The cookie is defined by the Content field.
  - FTP Command: The FTP command arguments. The FTP command is defined by the Content field.

Distance Range: A range that defines the allowable distance between two content characters. When the distance exceeds the specified range, it is recognized as an attack.

Regular Expression Content: Specifies whether the Content Data field value is formatted as a regular expression (and not as free text to search). You can set a regex search for all content types.

Regular Expression Content Data: Specifies whether the Content Data value is formatted as a regular expression (and not as free text to search).

The following table describes the Content types that you can configure the device to examine as part of the attack signature.

Table 85: Content Types

Cookie: The HTTP cookie field. The Content field includes the cookie name, and the Content Data field includes the cookie value.

DCE-RPC: Distributed Computing Environment/Remote Procedure Calls.

File Type: The requested file type in the HTTP GET command (JPG, EXE, and so on).

FTP Command: Parses FTP commands to commands and arguments, while normalizing FTP packets and stripping Telnet opcodes.

FTP Content: Scans data transmitted using FTP, normalizes FTP packets and strips Telnet opcodes.

Header Field: The HTTP Header field. The Content field includes the header field name, and the Content Data field includes the field value.

Host Name: In the HTTP header.

HTTP Reply Data: The data of the HTTP reply. This is available only in devices with an SME.

HTTP Reply Header: The header of the HTTP reply. This is available only in devices with an SME.

Mail Domain: In the SMTP header.

Mail From: In the SMTP header.

Mail Subject: In the SMTP header.

Mail To: In the SMTP header.

MM7 File Attachment: The file associated with the MM7 request.

MM7 Request: The request for an MM7 Error message.


Table 85: Content Types

Normalized URL
  To avoid evasion techniques when classifying HTTP requests, the URL content is transformed into its canonical representation, interpreting the URL the same way the server would. The normalization procedure supports the following:
  - Directory referencing, by reducing /./ to / or A/B/../ to A/.
  - Changing backslash (\) to slash (/).
  - Changing hex encoding to ASCII characters. For example, the hex value %20 is changed to a space.
  - Unicode support, UTF-8 and IIS encoding.

POP3 User
  The User field in the POP3 header.

RPC
  Reassembles RPC requests over several packets. The RPC RFC 1831 standard provides a feature called Record Marking Standard (RM). This feature is used to delimit several RPC requests sent on top of the transport protocol. For a stream-oriented protocol (like TCP), RPC uses a kind of fragmentation to delimit between records. In spite of its original purpose, fragmentation may also divide records in the middle, not only at their boundaries. This functionality is used to evade IPS systems.

Text
  Anywhere in the packet.

URI Length
  The length, in bytes, of the URI packet.

URL
  The HTTP Request URI. No normalization procedures are taken.
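Two of the evasion-resistant pre-processing steps above, URL canonicalization and RPC Record Marking reassembly, shown as an added Python illustration (not DefensePro's implementation). The normalization rules are the ones listed under Normalized URL; the 4-byte RM fragment header (last-fragment bit plus 31-bit length) follows RFC 1831; the sample URLs and RPC payloads are constructed.

```python
import re
import struct
from urllib.parse import unquote


def normalize_url(path: str) -> str:
    """Canonicalize an HTTP request path the way the server would, using the
    rules of the Normalized URL content type: hex (%XX) and IIS %uXXXX decoding,
    backslash to slash, and directory-reference reduction (/./ and A/B/../)."""
    prev = None
    while prev != path:
        # Decode repeatedly so double-encoding (%252e -> %2e -> .) also collapses.
        prev = path
        path = re.sub(r"%u([0-9a-fA-F]{4})",
                      lambda m: chr(int(m.group(1), 16)), path)   # IIS encoding
        path = unquote(path, encoding="utf-8", errors="replace")  # %XX / UTF-8
    path = path.replace("\\", "/")
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue                      # empty and /./ segments add nothing
        if seg == "..":
            if segments:
                segments.pop()            # A/B/../ -> A/
            continue                      # .. above the root is discarded
        segments.append(seg)
    keep_slash = bool(segments) and path.endswith(("/", "/.", "/.."))
    return "/" + "/".join(segments) + ("/" if keep_slash else "")


def reassemble_rpc_records(stream: bytes):
    """Cut a TCP byte stream into whole RPC records using RFC 1831 Record Marking:
    every fragment starts with a big-endian 32-bit word whose top bit marks the
    last fragment of a record and whose low 31 bits give the fragment length.
    Fragments are joined until the last-fragment bit is seen, so a record split
    mid-message (the evasion described above) reaches the matcher in one piece.
    Returns (complete_records, unconsumed_tail)."""
    records, current = [], bytearray()
    pos = record_start = 0
    while pos + 4 <= len(stream):
        (word,) = struct.unpack_from(">I", stream, pos)
        last, length = bool(word & 0x80000000), word & 0x7FFFFFFF
        if pos + 4 + length > len(stream):
            break                         # fragment not fully received yet
        current += stream[pos + 4:pos + 4 + length]
        pos += 4 + length
        if last:
            records.append(bytes(current))
            current = bytearray()
            record_start = pos
    return records, bytes(stream[record_start:])


def rm_fragments(message: bytes, *sizes: int) -> bytes:
    """Constructed test helper: encode message as RM fragments of the given sizes;
    whatever remains goes into a final fragment carrying the last-fragment bit."""
    out, i = b"", 0
    for n in sizes:
        out += struct.pack(">I", n) + message[i:i + n]
        i += n
    return out + struct.pack(">I", 0x80000000 | (len(message) - i)) + message[i:]


if __name__ == "__main__":
    for raw in ("/cgi-bin/./test/../admin\\login.pl",
                "/%2e%2e/%2e%2e/etc/passwd", "/a%252fb", "/scripts/..%u005cwinnt/"):
        print(f"{raw!r:40} -> {normalize_url(raw)!r}")
    call = b"RPC-CALL program=100003 proc=GETATTR"          # constructed payload
    stream = rm_fragments(call, 5, 9) + rm_fragments(b"RPC-CALL proc=NULL") + b"\x00\x00"
    print(reassemble_rpc_records(stream))
```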

Configuring Signature Protection Attributes


Attributes are components of the protection rules set in the process of rule-based profile configuration. Attributes are organized by type according to the aspects taken into consideration when defining a new attack, such as environment, applications, threat level, risk level, and so on. Each signature is assigned attributes of different types. The Radware Security Operation Center (SOC) assigns the attributes when creating the signature, as a way to describe the signature in terms of attribute types. You can use the existing attributes, add new attributes, or remove attributes from the list.

Note: You can view properties of attribute types, and for the attribute types Complexity, Confidence, and Risk you can also specify the Match Method (Minimum or Exact). For more information, see Viewing and Modifying Attribute Type Properties, page 174. Attributes are derived from the Signatures database and are added dynamically with any update. For information about attribute types and their system values, see Table 86 - Attribute Types, page 173.

To configure Signature Protection attributes


1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Attributes.
2. To view attributes:
   - To view all attributes, select All and click Go.
   - To view attributes for a single attribute type, select the attribute type and click Go.
3. To add a new attribute:
   a. Click the (Add) button.
   b. Select the attribute type, and enter the attribute name.
   c. Click OK.

Table 86: Attribute Types

Applications
  The applications that are vulnerable to this exploit. Examples: Web servers, mail servers, browsers. The parameter is optional; that is, the attribute may or may not contain a value. There can be multiple values.

Complexity
  The level of analysis performed as part of the attack lookup mechanism. There can be only a single value for the parameter. Values:
  - Low: This signature has negligible impact on device performance.
  - High: This signature has a stronger impact on device performance.

Confidence
  The level of certainty to which an attack can be trusted. The confidence level is the opposite of the false-positive level associated with an attack. For example, if an attack's confidence level is set to High, its false-positive level is low. The parameter is mandatory. There can be only a single value for the parameter. Values: Low, Medium, High

Groups
  Enables you to create customized attack groups.

Platforms
  The operating systems that are vulnerable to this exploit. Examples: Windows, Linux, Unix. The parameter is optional; that is, the attribute may or may not contain a value. There can be multiple values.

Risk
  The risk associated with the attack. For example, attacks that impact the network are very severe and are defined as high-risk attacks. The parameter is mandatory. There can be only a single value for the parameter. Values: Info, Low, Medium, High

Services
  The protocol that is vulnerable to this exploit. Examples: FTP, HTTP, DNS. The parameter is optional; that is, the parameter may or may not contain a value. There can be only a single value for the parameter.

Target
  The target of the threat: client side or server side.

Threat Type
  The threats that best describe the signature. Examples: floods, worms. There can be multiple values.

Viewing and Modifying Attribute Type Properties


You can view the following properties of the attribute types that the device supports:
- Multiple Values in Attack: Specifies whether the attribute type may contain multiple values in any one signature.
- Multiple Values in Rule: Specifies whether the attribute type may contain multiple values in any one signature profile rule.
- Multiple Values in Static: Specifies whether the attribute type may contain multiple values in signatures from the signature file.
- Match Method: Relevant only for the attribute types Complexity, Confidence, and Risk, which have Attribute Values with ascending/descending levels. Values:
  - Minimum: Specifies that the Attribute Value includes the results for the lower-level Attribute Values. For example, for the attribute type Risk with Match Method Minimum, the Attribute Value High includes the results for Info, Low, and Medium. Minimum is the default for Complexity, Confidence, and Risk.
  - Exact: Specifies that the Attribute Value uses only its own results. For example, for the attribute type Risk with Match Method Exact, the Attribute Value High uses only High-risk results.

You can change the Match Method for the attribute types Complexity, Confidence, and Risk.

To view attribute types that the device supports


In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Attributes > Attribute Type Properties.

To change the Match Method for Complexity, Confidence, and Risk attribute types
1. In the Configuration perspective Network Protection tab navigation pane, select Signature Protection > Attributes > Attribute Type Properties.
2. Double-click the attribute type.
3. From the Match Method drop-down list, select Minimum or Exact.
4. Click OK.

Configuring BDoS Profiles for Network Protection


When you configure Behavioral DoS profiles, you need to configure the bandwidth and quota settings. Setting the bandwidth and quota values properly and accurately is important, because initial baselines and attack detection sensitivity are based on these values.

You can configure up to 50 BDoS Protection profiles on a DefensePro device. The default maximum is 10. You can configure the maximum in APSolute Vision (Configuration perspective Advanced Parameters tab navigation pane, Tuning Parameters > Security > Max. Number of BDoS Policies).

Recommended settings for policies that include Behavioral DoS profiles are as follows:
- Configure rules containing Behavioral DoS profiles using Networks with source = Any (the public network) and destination = Protected Network.
- It is recommended to create multiple Behavioral DoS rules, each one protecting a specific server segment (for example, DNS server segment, Web server segment, mail server segment, and so on). This assures optimized learning of normal traffic baselines.
- It is not recommended to define a network with the Source and Destination set to Any, because the device then collects statistics globally with no respect to inbound and outbound directions. This may result in lowered sensitivity to detecting attacks.
- When a rule's Direction is set to One Way, the rule prevents incoming attacks only. When a rule's Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both cases, the traffic statistics are collected for incoming and outgoing patterns to achieve optimal detection.

You can configure footprint bypass to bypass specified footprint types or values. For more information, see Configuring BDoS Footprint Bypass, page 136.

To configure a BDoS profile


1. In the Configuration perspective Network Protection tab navigation pane, select BDoS Profiles.
2. Do one of the following:
   - To add a profile, click the (Add) button.
   - To edit a profile, double-click the entry in the table.
3. Configure the parameters, and then click OK.

Table 87: BDoS Profile Parameters

Profile Name
  The name of the BDoS profile.

Enable Transparent Optimization
  Specifies whether transparent optimization is enabled. Some network environments are more sensitive to dropping packets (for example, VoIP); therefore it is necessary to minimize the probability that legitimate traffic is dropped by the IPS device. This transparent optimization can occur during BDoS's closed-feedback iterations until a final footprint is generated.
  Note: When transparent optimization is enabled, the profile does not mitigate the attack until the final footprint is generated, which takes several seconds.

Flood Protection Settings
  Select the network-flood protection types to apply:
  - SYN Flood
  - TCP ACK + FIN Flood
  - TCP RST Flood
  - TCP SYN + ACK Flood
  - TCP Fragmentation Flood
  - UDP Flood
  - ICMP Flood
  - IGMP Flood

Bandwidth Settings

Inbound Traffic
  The maximum inbound traffic bandwidth, in Kbit/s, expected on your links. DefensePro derives the initial baselines from the bandwidth and quota settings.
  Minimum: 1
  Values: 0-2,147,483,647
  Caution: You must configure this setting to start Behavioral DoS protection.

Outbound Traffic
  The maximum outbound traffic bandwidth, in Kbit/s, expected on your links. DefensePro derives the initial baselines from the bandwidth and quota settings.
  Minimum: 1
  Values: 0-2,147,483,647
  Caution: You must configure this setting to start Behavioral DoS protection.

Quota Settings
  Radware recommends that you initially leave these fields empty so that the default values are used automatically. To view the default values after creating the profile, double-click the entry in the table. You can then adjust the quota values based on your network performance.
  Caution: When you change a bandwidth setting (Inbound Traffic or Outbound Traffic), the quota settings automatically change to the default values appropriate for the bandwidth.
  Note: The total quota values may exceed 100%, as each value represents the maximum volume per protocol.

TCP
  The maximum expected percentage of TCP traffic out of the total traffic.

UDP
  The maximum expected percentage of UDP traffic out of the total traffic.

ICMP
  The maximum expected percentage of ICMP traffic out of the total traffic.

IGMP
  The maximum expected percentage of IGMP traffic out of the total traffic.

Advanced Parameters

UDP Packet Rate Sensitivity
  (For certain versions, this parameter is labeled Level Of Regularization.) The packet-rate detection sensitivity, that is, to what extent the BDoS engine considers the UDP PPS-rate values (baseline and current). This parameter is relevant only for BDoS UDP protection.
  Values: Disable, Low, Medium, High
  Default: Low

Packet Reporting and Trace Setting

Packet Report
  Specifies whether the profile sends sampled attack packets to APSolute Vision for offline analysis.
  Default: Disabled
  Note: When this feature is enabled, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting).

Packet Trace
  Specifies whether the profile sends attack packets to the specified physical port.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Configuring Anti-Scanning Protection for Network Protection


Worm-propagation prevention and anti-scanning prevent zero-day self-propagating network worms, horizontal scans, and vertical scans.

A self-propagating worm is an attack that spreads by itself using network resources. This worm uses a random-IP-address-generation technique (that is, network scanning) to locate a vulnerable host to infect. When a vulnerable host is identified, the worm immediately executes its code on this host, thereby infecting the computer with the worm's malicious code. Then, the infected hosts initiate similar scanning techniques and infect other hosts, propagating exponentially. There are several random IP address generation techniques, commonly characterized by horizontal scanning schemes.

Prior to launching an attack, hackers try to identify which TCP and UDP ports are open on the victim machine. An open port represents a service, an application, or a back door. Ports left open unintentionally can create serious security problems. These scanning techniques commonly utilize a vertical scanning scheme.

Worm propagation activity is detected and prevented by DefensePro's Anti-Scanning protection. Anti-Scanning profiles defend against the following threats:
- TCP Horizontal Scanning
- TCP Vertical Scanning
- TCP stealth scans
- UDP Horizontal Scanning
- UDP Vertical Scanning
- Ping Sweep

Note: In some cases, you may find that network elements legitimately perform scanning as part of their normal operation. It is recommended to place such elements in the White List to avoid interruption of network operation.

Before you configure anti-scanning profiles, ensure the following:
- The Session table Lookup Mode is Full Layer 4.
- Anti-Scanning is enabled and the global parameters are configured. Anti-Scanning global parameters are defined for all profiles on the device.
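A simplified detector for the horizontal-scan, vertical-scan and ping-sweep patterns described above, as an added Python example (not DefensePro's algorithm). The per-level thresholds, the sample flows and the white-list handling are constructed assumptions; port 113 is excluded because the guide names it as the default trusted port.

```python
from collections import defaultdict

# Illustrative thresholds: distinct targets (hosts for a horizontal scan or ping
# sweep, ports for a vertical scan) one source must touch before it is flagged.
# The level names are the profile's Detection Sensitivity Level values; the
# numbers are assumptions, not the device's internal thresholds.
SENSITIVITY = {"High": 5, "Medium": 10, "Low": 20, "Very Low": 50}

# Layer 4 ports on which scanning is allowed; the guide says port 113 is ignored
# by default. Hits on these ports never count toward a scan.
TRUSTED_PORTS = frozenset({113})


def detect_scans(flows, sensitivity="Low", whitelist=frozenset(),
                 trusted_ports=TRUSTED_PORTS, single_port=False):
    """Classify per-source scanning behaviour from a list of connection attempts.

    Each flow is (src, dst, proto, dport) with proto 'tcp', 'udp' or 'icmp'
    (dport is ignored for icmp). Returns {src: set of findings}; a finding is
    ('tcp-horizontal', dport), ('udp-vertical', dst), ('ping-sweep', None), etc.
    White-listed sources are skipped, as the guide recommends for elements that
    scan as part of normal operation. With single_port=True only sources that
    scanned one L4 port (typical worm behaviour) are reported."""
    limit = SENSITIVITY[sensitivity]
    hosts_per_port = defaultdict(set)   # (src, proto, dport) -> distinct dsts
    ports_per_host = defaultdict(set)   # (src, proto, dst)   -> distinct dports
    pinged = defaultdict(set)           # src -> distinct dsts probed by ICMP
    for src, dst, proto, dport in flows:
        if src in whitelist:
            continue
        if proto == "icmp":
            pinged[src].add(dst)
        elif dport not in trusted_ports:
            hosts_per_port[(src, proto, dport)].add(dst)
            ports_per_host[(src, proto, dst)].add(dport)

    findings = defaultdict(set)
    for (src, proto, dport), hosts in hosts_per_port.items():
        if len(hosts) >= limit:            # one port across many hosts
            findings[src].add((f"{proto}-horizontal", dport))
    for (src, proto, dst), ports in ports_per_host.items():
        if len(ports) >= limit:            # many ports on one host
            findings[src].add((f"{proto}-vertical", dst))
    for src, hosts in pinged.items():
        if len(hosts) >= limit:
            findings[src].add(("ping-sweep", None))

    if single_port:
        touched = defaultdict(set)
        for src, _proto, dport in hosts_per_port:
            touched[src].add(dport)
        findings = {s: f for s, f in findings.items() if len(touched[s]) <= 1}
    return dict(findings)


def sample_flows():
    """Constructed connection attempts standing in for a session-table sample;
    addresses come from RFC 1918 and documentation ranges."""
    flows = []
    for i in range(1, 31):               # worm-like host: port 445 on 30 hosts
        flows.append(("10.0.0.5", f"10.1.0.{i}", "tcp", 445))
        flows.append(("10.0.0.5", f"10.1.0.{i}", "tcp", 113))   # ident, trusted
    for p in range(1, 26):               # vertical scan: 25 ports on one server
        flows.append(("10.0.0.9", "192.0.2.10", "tcp", p))
    for i in range(1, 13):               # ping sweep across 12 hosts
        flows.append(("10.0.0.7", f"10.1.0.{i}", "icmp", None))
    flows += [("10.0.0.2", "192.0.2.10", "tcp", 443),   # ordinary client
              ("10.0.0.2", "192.0.2.11", "tcp", 443),
              ("10.0.0.2", "192.0.2.10", "tcp", 80)]
    return flows


if __name__ == "__main__":
    for level in ("High", "Medium", "Low", "Very Low"):
        print(level, detect_scans(sample_flows(), level))
    print("single port:", detect_scans(sample_flows(), "Medium", single_port=True))
```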

Configuring Anti-Scanning Profiles


You can configure up to 20 Anti-Scanning profiles on a DefensePro device. The following describes the recommended settings for rules that include Anti-Scanning profiles:
- Configure policies containing Anti-Scanning profiles using Networks with Source = Any (the public network) and Destination = Protected Network. This ensures optimized attack detection sensitivity. You can set policies using a VLAN tag, MPLS RD, or physical ports.
- It is not recommended to define a network in which the Source and Destination are set to Any, because it results in lower detection sensitivity.
- When the Direction of a policy is set to One Way, DefensePro prevents incoming attacks only. When the Direction of a policy is set to Two Way, the device prevents both incoming and outgoing attacks. In either case, the device inspects incoming and outgoing traffic for connection scoring.

Before you configure an Anti-Scanning profile, ensure the following:
- The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session Table Settings, page 101.
- Anti-scanning protection is enabled and the global parameters are configured. For more information, see Configuring Global Signature Protection, page 131.

To configure an Anti-Scanning profile


1. In the Configuration perspective Network Protection tab navigation pane, select Anti-Scanning Profiles.
2. To add or modify an Anti-Scanning profile, do one of the following:
   - To add a profile, click the (Add) button.
   - To edit a profile, double-click the entry in the table.
3. Configure the anti-scanning profile parameters and click OK.

Table 88: Anti-Scanning Profile Parameters

Rule Name
  The name of the profile.

Enable TCP Protection
  Specifies whether the profile protects against horizontal and vertical TCP scans, including worm propagation activity over TCP.

Enable UDP Protection
  Specifies whether the profile protects against horizontal and vertical UDP scans, including worm propagation activity over UDP.

Enable ICMP Protection
  Specifies whether the profile protects against ping sweeps.

Type
  The type of traffic protected using the Anti-Scanning profile. Values:
  - GW: Detects incoming or outgoing scanning attempts, such as scanning worms.
  - Carrier: Detects large-scale scanning worms for carrier links.
  - Internal: Prevents the spreading of worm activity in corporate LANs.

Detection Sensitivity Level
  The level of sensitivity to scanning activities before the profile activates Anti-Scanning protection. High means that few scanning attempts trigger the Anti-Scanning protection, whereas Very Low means that a high number of scanning attempts is needed to trigger it.
  Values: High, Medium, Low, Very Low
  Default: Low

Accuracy
  The accuracy level that determines the minimum number of parameters used in the footprint. The higher the accuracy, the more parameters are required to appear in the footprint. If DefensePro is unable to find a footprint with the minimum number of parameters for the specified accuracy level, DefensePro does not block the attack.
  Values: High, Medium, Low
  Default: Medium

Single Port
  Specifies whether the DefensePro device blocks only scans that are done on a single L4 port. Scans on a single L4 port are usually network worms. When enabled, DefensePro does not block scans that are done from the same source on multiple L4 ports.
  Default: Disabled

Packet Trace
  Specifies whether the DefensePro device sends attack packets to the specified physical port.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Configuring Anti-Scanning Trusted Ports


You can configure a list of Layer 4 ports on which scanning is allowed. That is, when Anti-Scanning is enabled, there is no blocking of scans that target these ports. By default, DefensePro ignores port 113 activity.

To configure Anti-Scanning trusted ports


1. In the Configuration perspective Network Protection tab navigation pane, select Anti-Scanning Profiles > Anti-Scanning Trusted Ports.
2. To view the trusted ports for a profile, select the profile and click Go.
3. To add a trusted port for the selected profile, click the (Add) button.
4. Enter the Layer 4 trusted port on which scanning is allowed. Values: 1-65,535.
5. Click OK.

Configuring Connection Limit Profiles for Network Protection


Connection Limit profiles defend against session-based attacks, such as half-open SYN attacks, request attacks, and full connection attacks. You can configure up to 50 Connection Limit profiles on a DefensePro device.

Connection Limit profiles contain attack definitions for groups of TCP or UDP application ports. DefensePro counts the number of TCP connections, or UDP sessions, opened per client, per server, or per client-plus-server combination, for traffic that matches a Connection Limit policy attack definition. Once the number of connections per second reaches the specified threshold, any session or connection over the threshold is dropped, unless the action mode defined for this attack is Report Only. You can also define whether to suspend the source IP address, dropping traffic from this source for a number of seconds according to the Suspend table parameters.

Recommended settings for policies that include Connection Limit profiles:
- Configure policies containing Connection Limit profiles using Networks only with source = Any (the public network) and destination = Protected Network. You can define segments using VLAN tag, MPLS RDs, and physical ports.
- It is not recommended to define networks in which the Source and Destination are set to Any.
- Policies containing Connection Limit profiles can be configured with Direction set to either One Way or Two Way.

Before you configure a Connection Limit profile, ensure the following:
- Connection Limit protection is enabled (under the Security Settings tab).
- The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session Table Settings, page 101.
- (Recommended) The required Connection Limit protections are configured. For more information, see Configuring Connection Limit Protections, page 182.

To configure a Connection Limit profile


1. In the Configuration perspective Network Protection tab navigation pane, select Connection Limit Profiles.
2. To add or modify a profile, do one of the following:
   - To add a profile, click the (Add) button. Enter the profile name and click OK.
   - To edit a profile, double-click the entry in the table.
3. To add Connection Limit protections to the profile, in the Edit Connection Limit Profile dialog box protections table:
   a. Right-click and select Add New Connection Limit Protection.
   b. Select the protection name and click OK.
4. To define additional Connection Limit protections for the profile, click Go To Protection Table. For more information, see Connection Limit Protection Parameters, page 182.

Note: A Connection Limit profile should include all the Connection Limit attacks that you want to apply in a network-policy rule.

Table 89: Connection Limit Profile Parameters

Profile Name
  (Read-only) The name of the Connection Limit profile.

Connection Limit Protection Table
  Lists the Connection Limit protection name and ID for each protection to be applied for the selected profile. To add a protection, in the table, right-click and select Add New Connection Limit Protection. Select the protection name and click OK.
  Note: In each rule, you can use only one Connection Limit profile. Therefore, ensure that all the protections that you want to apply to a rule are contained in the profile specified for that rule.

Go To Protection Table
  Opens the Connection Limit Protection dialog box in which you can add and modify Connection Limit protections.

Configuring Connection Limit Protections


Configure Connection Limit protections to add to Connection Limit profiles for network protection.

Note: Connection Limit protections are sometimes referred to as Connection Limit Attacks.

To configure a Connection Limit protection


1. In the Configuration perspective Network Protection tab navigation pane, select Connection Limit Profiles > Connection Limit Protections.
2. To add or modify a protection, do one of the following:
   - To add a protection, click the (Add) button.
   - To edit a protection, double-click the entry in the table.
3. Configure the parameters, and then click OK.

Table 90: Connection Limit Protection Parameters

Protection ID
  (Read-only) The ID number assigned to the Connection Limit protection.

Protection Name
  A descriptive name for easy identification when configuring and reporting.

Application Port Group Name
  The group of Layer 4 ports that represent the application you want to protect.

Protocol
  The Layer 4 protocol of the application you want to protect.
  Values: TCP, UDP
  Default: TCP

Number of Connections
  The maximum number of new TCP connections, or new UDP sessions, per second, allowed for each source, destination, or source-and-destination pair. All additional sessions are dropped. When the threshold is reached, attacks are identified and a security event is generated.
  Default: 50

Tracking Type
  The counting rule for tracking sessions. Values:
  - Source and Target Count: Sessions are counted per source IP and destination IP address combination.
  - Source Count: Sessions are counted per source IP address.
  - Target Count: Sessions are counted per destination IP address.
  Default: Source Count
  Note: When Tracking Type is Target Count, the Suspend Action can only be None.

Action Mode
  The action when an attack is detected. Values:
  - Drop: The packet is discarded.
  - Report-only: The packet is forwarded to the destination IP address.
  - Reset Source: Sends a TCP-Reset packet to the packet source IP address.
  Default: Drop

Risk
  The risk assigned to this attack for reporting purposes.
  Values: Info, Low, Medium, High
  Default: Medium

Suspend Action
  Specifies which session traffic the device suspends for the attack duration. Values:
  - None: Suspend action is disabled for this attack.
  - Source IP: All traffic from the IP address identified as the source of this attack is suspended.
  - Source IP + Destination IP: Traffic from the IP address identified as the source of this attack to the destination IP address under attack is suspended.
  - Source IP + Destination Port: Traffic from the IP address identified as the source of this attack to the application (destination port) under attack is suspended.
  - Source IP + Destination IP and Port: Traffic from the IP address identified as the source of this attack to the destination IP address and port under attack is suspended.
  - Source IP and Port + Destination IP and Port: Traffic from the IP address and port identified as the source of this attack to the destination IP address and port under attack is suspended.
  Default: None
  Note: When Tracking Type is Target Count, the Suspend Action can only be None.

Packet Reporting and Trace Setting

Packet Report
  Specifies whether the device sends sampled attack packets to APSolute Vision for offline analysis.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting).

Packet Trace
  Specifies whether the DefensePro device sends attack packets to the specified physical port.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.
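The counting, Action Mode and Suspend Action behaviour described in Table 90, as an added Python model (not DefensePro code). The threshold, suspend duration and the sample connections are constructed assumptions; the Tracking Type, Action Mode and Suspend Action names are the table's.

```python
from collections import defaultdict, deque


class ConnectionLimit:
    """Model of one Connection Limit protection: new TCP connections (or UDP
    sessions) are counted per Source, per Target, or per Source-and-Target pair
    over a sliding one-second window. Sessions beyond Number of Connections are
    dropped (or reset, or only reported), a security event is raised once per
    threshold crossing, and the chosen Suspend Action keeps dropping the offender
    for suspend_seconds. Thresholds, times and the sample traffic are illustrative."""

    def __init__(self, limit=50, tracking="Source Count", action="Drop",
                 suspend="None", suspend_seconds=10):
        if tracking == "Target Count" and suspend != "None":
            # Table 90: with Target Count the Suspend Action can only be None
            raise ValueError("Target Count allows Suspend Action = None only")
        self.limit, self.tracking, self.action = limit, tracking, action
        self.suspend, self.suspend_seconds = suspend, suspend_seconds
        self.windows = defaultdict(deque)  # count key -> timestamps in the last second
        self.suspended = {}                # suspend key -> expiry time
        self.events = []                   # (time, tracking type, key) per detection

    def _count_key(self, src, dst):
        return {"Source Count": (src,), "Target Count": (dst,),
                "Source and Target Count": (src, dst)}[self.tracking]

    def _suspend_key(self, src, sport, dst, dport):
        return {"None": None,
                "Source IP": (src,),
                "Source IP + Destination IP": (src, dst),
                "Source IP + Destination Port": (src, dport),
                "Source IP + Destination IP and Port": (src, dst, dport),
                "Source IP and Port + Destination IP and Port": (src, sport, dst, dport),
                }[self.suspend]

    def new_session(self, now, src, sport, dst, dport):
        """Decide the fate of a new session: 'forward', 'drop' or 'reset-source'."""
        skey = self._suspend_key(src, sport, dst, dport)
        if skey is not None and self.suspended.get(skey, 0) > now:
            return "drop"                  # still in the Suspend table
        window = self.windows[self._count_key(src, dst)]
        while window and window[0] <= now - 1.0:
            window.popleft()               # slide the one-second window
        window.append(now)
        if len(window) <= self.limit:
            return "forward"
        if len(window) == self.limit + 1:  # first session over the threshold
            self.events.append((now, self.tracking, self._count_key(src, dst)))
        if skey is not None:
            self.suspended[skey] = now + self.suspend_seconds
        if self.action == "Report-only":
            return "forward"               # counted and reported, never blocked
        return "reset-source" if self.action == "Reset Source" else "drop"


if __name__ == "__main__":
    # Constructed burst: one client opens 60 HTTP connections within 0.6 s
    cl = ConnectionLimit(limit=50, suspend="Source IP")
    verdicts = [cl.new_session(i * 0.01, "203.0.113.7", 40000 + i, "198.51.100.20", 80)
                for i in range(60)]
    print({v: verdicts.count(v) for v in set(verdicts)}, cl.events)
    print("retry while suspended:",
          cl.new_session(5.0, "203.0.113.7", 50000, "198.51.100.21", 443))
    print("other client:", cl.new_session(5.0, "192.0.2.55", 50001, "198.51.100.20", 80))
```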

Configuring SYN Profiles for Network Protection


SYN Profiles defend against SYN flood attacks. You can configure up to 50 SYN profiles on a DefensePro device.

During a SYN flood attack, the attacker sends a volume of TCP SYN packets requesting new TCP connections without completing the TCP handshake, or completes the TCP handshake but does not request data. This fills up the server connection queues, which denies service to legitimate TCP users.

Before you configure a SYN profile, ensure the following:
- The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session Table Settings, page 101.
- SYN Flood protection is enabled and the global parameters are configured. You can change the global settings. The SYN flood global settings apply to all the profiles on the device. For more information, see Configuring Global SYN Flood Protection, page 140.

To configure a SYN profile


1. In the Configuration perspective Network Protection tab navigation pane, select SYN Profiles.
2. To add or modify a profile, do one of the following:
   - To add a profile, click the (Add) button. Enter the profile name and click OK.
   - To edit a profile, double-click the entry in the table.
3. To add a SYN flood protection to the profile:
   a. Right-click in the table and select Add New SYN Flood Protection.
   b. From the Profile Name drop-down list, select the protection.
   c. Click OK.
4. To define additional SYN flood protections for the profile, click Go To Protection Table.

Note: A SYN profile should contain all the SYN flood protections that you want to apply in a network-policy rule.

Table 91: SYN Profile Parameters

Profile Name
  (Read-only) The name of the profile.

SYN Protection Table
  Contains the protections to be applied for the selected profile. To add a protection, in the table, right-click and select Add New SYN Flood Protection. Select the protection name and click OK.
  Note: In each rule, you can use only one SYN profile. Therefore, ensure that all the protections that you want to apply to a rule are contained in the profile specified for that rule.

Go To Protection Table
  Opens the Syn Protections dialog box in which you can add and modify SYN protections.

Defining SYN Flood Protections


After you define SYN flood protections, you can add them to SYN profiles.

To configure a SYN protection


1. In the Configuration perspective Network Protection tab navigation pane, select SYN Profiles > SYN Protections.
2. To add or modify a protection, do one of the following:
   - To add a protection, click the (Add) button.
   - To edit a protection, double-click the entry in the table.
3. Configure the parameters, and then click OK.

Table 92: SYN Flood Protection Parameters

Protection Name
  A name for easy identification of the attack for configuration and reporting.
  Note: Predefined SYN Protections are available for the most common applications: FTP, HTTP, HTTPS, IMAP, POP3, RPS, RTSP, SMTP, and Telnet. The thresholds are predefined by Radware. You can change the thresholds for these attacks.

Protection ID
  (Read-only) The ID number assigned to the protection.

Application Port Group
  The group of TCP ports that represent the application that you want to protect. Select from the list of predefined port groups, or leave the field empty to select any port.

Activation Threshold
  The number of SYN packets received per second at a certain destination above which DefensePro starts the mitigation actions.(1)
  Values: 1-150,000
  Default: 2500

Termination Threshold
  The number of SYN packets received per second at a certain destination, for the specified Tracking Time,(2) below which DefensePro stops the mitigation actions.(1)
  Values: 0-150,000
  Default: 1500

Risk
  The risk level assigned to this attack for reporting purposes.
  Values: Info, Low, Medium, High
  Default: Low

Source Type
  (Read-only) Specifies whether the SYN protection is a predefined (static) or user-defined (user) protection.

(1) The number that DefensePro uses depends on whether you use Transparent Proxy or Safe-Reset.
(2) You can configure this value at Security Settings > SYN Flood Protection > Tracking Time.

Radware-Recommended Verification Type Values


Protocol    Destination Port    Verification Type
FTP_CNTL    21                  ack
HTTP        80                  request
HTTPS       443                 request
IMAP        143                 ack
POP3        110                 ack
RPC         135                 ack
RTSP        554                 request
SMTP        25                  ack
TELNET      23                  ack

Managing SYN Protection Profile Parameters


After you define a SYN Protection profile, you can configure the authentication parameters for it.

To configure SYN Protection profile parameters


1. In the Configuration perspective Network Protection tab navigation pane, select SYN Protection Profiles > Profiles Parameters.
2. Double-click the relevant profile.
3. Configure the parameters, and then click OK.

Table 93: SYN Flood Protection Profile Parameters

Profile Name
  (Read-only) The name of the profile.

Authentication Method
  The Authentication Method that DefensePro uses at the transport layer. When DefensePro is installed in an ingress-only topology, select the Safe-Reset method. Values:
  - Transparent Proxy: When DefensePro receives a SYN packet, DefensePro replies with a SYN ACK packet with a cookie in the Sequence Number field. If the response is an ACK that contains the cookie, DefensePro considers the session to be legitimate. Then, DefensePro opens a connection with the destination and acts as a transparent proxy between the source and the destination.
  - Safe-Reset: When DefensePro receives a SYN packet, DefensePro responds with an ACK packet with an invalid Sequence Number field as a cookie. If the client responds with RST and the cookie, DefensePro discards the RST packet and adds the source IP address to the TCP Authentication Table. The next SYN packet from the same source (normally, a retransmit of the previous SYN packet) passes through DefensePro, and the session is approved for the server. DefensePro saves the source IP address for a specified time.
  Default: Transparent Proxy
  Note: To configure Minimum Allowed SYN Retransmission Time and Maximum Allowed SYN Retransmission Time, in the Configuration perspective Security Settings tab navigation pane, select SYN Flood Protection Settings.

HTTP Authentication
Use HTTP Authentication Specifies whether DefensePro authenticates the transport layer of HTTP traffic using SYN cookies and then authenticates the HTTP application layer using the specified HTTP Authentication Method. Values: EnabledDefensePro authenticates the transport layer of HTTP traffic using SYN cookies, and then, authenticates the HTTP application layer using the specified HTTP Authentication Method. DisabledDefensePro handles HTTP traffic using the specified TCP Authentication Method.

Default: Disabled

188

Document ID: RDWR-DP-V072000_UG1307

DefensePro User Guide Security Configuration

Table 93: SYN Flood Protection Profile Parameters

Parameter
HTTP Authentication Method

Description
The method that the profile uses to authenticate HTTP traffic at the application layer. Values: 302-RedirectDefensePro authenticates HTTP traffic using a 302Redirect response code. JavaScriptDefensePro authenticates HTTP traffic using a JavaScript object, which DefensePro generates.

Default: 302-Redirect Notes: Some attack tools are capable of handling 302-redirect responses. The 302-Redirect HTTP Authentication Method is not effective against attacks that use those tools. The JavaScript HTTP Authentication Method requires an engine on the client side that supports JavaScript, and therefore, the JavaScript option is considered stronger. However, the JavaScript option has some limitations, which are relevant in certain scenarios. Limitations when using the JavaScript HTTP Authentication Method: If the browser does not support JavaScript calls, the browser will not answer the challenge. When the protected server is accessed as a sub-page through another (main) page only using JavaScript, the user session will fail (that is, the browser will not answer the challenge.) For example, if the protected server supplies content that is requested using a JavaScript tag, the DefensePro JavaScript is enclosed within the original JavaScript block. This violates JavaScript rules, which results in a challenge failure. Example: The request in bold below accesses a secure server:
<script> setTimeout(function(){ var js=document.createElement(script); js.src=http://mysite.site.com.domain/service/appMy.jsp?dlid=12345; document.getElementsByTagName(head)[0].appendChild(js); },1000); </script>

The returned challenge page contains the <script> tag again, which is illegal, and therefore, it is dropped by the browser without making the redirect.


DefensePro Challenge Behavior for Various Configuration and Traffic Permutations

The following table describes DefensePro challenge actions and thresholds according to relevant configuration and traffic permutations.

Table 94: DefensePro Challenge Behavior for Various Configuration and Traffic Permutations

Authentication Method | HTTP Authentication Is Enabled | SSL Mitigation Is Enabled and Configured (1) | Traffic | Basis of Challenge Activation and Action Termination Thresholds (PPS) | Challenge Action
Safe-Reset | Yes | N/A | HTTP | SYN | Safe-Reset, then HTTP Authentication
Safe-Reset | Yes | Yes | HTTPS | SYN | Safe-Reset, then HTTP Authentication
Safe-Reset | Yes | N/A | Non-HTTP | SYN minus first ACK | Safe-Reset
Safe-Reset | No | N/A | Any | SYN minus ACK | Safe-Reset
Transparent Proxy | No | N/A | Client-initiated data (2) | SYN minus data | Transparent Proxy
Transparent Proxy | No | N/A | Server-initiated data (3) | SYN minus ACK | Transparent Proxy
Transparent Proxy | Yes | N/A | HTTP | SYN | Transparent Proxy to client only, then HTTP Authentication
Transparent Proxy | Yes | Yes | HTTPS | SYN | Safe-Reset, then HTTP Authentication
Transparent Proxy | Yes | N/A | Non-HTTP with client-initiated data (2) | SYN minus data | Transparent Proxy
Transparent Proxy | Yes | N/A | Non-HTTP with server-initiated data (3) | SYN minus ACK | Transparent Proxy

(1) That is, SSL Mitigation is enabled globally (Security Settings > Flood Protection Settings > Enable SSL Mitigation) and configured for the Network Protection policy.
(2) Client-initiated data refers to protocols in which the client sends the first data (for example, HTTP, HTTPS, and RTSP).
(3) Server-initiated data refers to protocols in which the server sends the first data.


Configuring SSL Mitigation Policies

DefensePro can mitigate SSL-flood attacks with SSL Mitigation policies. When SYN Protection is triggered for TCP port 443 protection and the SYN Protection profile is configured with the Use HTTP Authentication checkbox selected (Network Protection tab > SYN Protection Profiles > Profiles Parameters), an active SSL Mitigation policy challenges new SSL connections using a Safe-Reset method. To decrypt and re-encrypt the SSL packets during the challenge process, DefensePro uses the SSL engine of a specified Alteon device. DefensePro allows traffic from validated clients to pass through the DefensePro device to the protected server.

The DefensePro SSL Mitigation mechanism works as follows:

1. The DefensePro device receives a SYN packet from a client on port 443.
2. DefensePro responds with an ACK packet with an invalid Sequence Number field as a cookie.
3. If the client responds with RST and the cookie, DefensePro discards the packet, and adds the source IP address to the TCP Authentication Table.
4. The DefensePro device passes the next SYN packet from the same source to the SSL engine of the specified Alteon device.
5. The Alteon device performs the SSL handshake with the client.
6. The DefensePro device passes the following HTTPS GET or POST request from the same source to the SSL engine of the Alteon device.
7. The Alteon device communicates with the DefensePro device to generate an encrypted challenge.
8. The DefensePro device sends the encrypted HTTPS challenge to the client.
9. The DefensePro device receives a valid response from the client and considers the connection to be legitimate.
10. The DefensePro device adds the source IP address to the HTTP Authentication Table.
11. The DefensePro device passes the encrypted HTTPS response to the SSL engine of the Alteon device.
12. The Alteon device communicates with the DefensePro device to generate an encrypted termination message.
13. The next SYN packet from the validated source passes through the DefensePro device to the server that is under attack, and DefensePro acts as a transparent proxy for the remainder of the session.
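The Safe-Reset authentication that Table 93 describes and that steps 1 to 4 above reuse, as an added Python model; this is illustrative code, not DefensePro's implementation. The keyed-hash cookie, the 60-second lifetime of a TCP Authentication Table entry and the simulated clock are assumptions that the guide does not specify.

```python
import hashlib
import hmac
import secrets

# Constructed per-process secret for this example; a real device would rotate it.
COOKIE_KEY = secrets.token_bytes(32)


def make_cookie(src_ip, src_port, dst_ip, dst_port, key=COOKIE_KEY):
    """32-bit cookie carried in the unsolicited ACK sent back to a SYN.

    A keyed hash of the connection 4-tuple lets the device verify the echoed
    value later without keeping state per SYN. (Assumed construction; the guide
    only says the ACK carries an invalid Sequence Number used as a cookie.)
    """
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big")


class SafeResetAuthenticator:
    """Minimal model of the Safe-Reset method and the TCP Authentication Table.

    on_syn() and on_rst() return the action the device takes; the packet path
    would forward, drop, or send the crafted ACK accordingly.
    """

    def __init__(self, entry_lifetime=60.0):
        # Assumed lifetime; the guide says only that the source address is kept
        # "for a specified time".
        self.entry_lifetime = entry_lifetime
        self.tcp_auth_table = {}  # src_ip -> expiry time (simulated seconds)

    def is_authenticated(self, src_ip, now):
        expiry = self.tcp_auth_table.get(src_ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.tcp_auth_table[src_ip]  # entry aged out
            return False
        return True

    def on_syn(self, src_ip, src_port, dst_ip, dst_port, now):
        """A SYN arrives while SYN protection is active for the destination."""
        if self.is_authenticated(src_ip, now):
            # Step 4 of the flow: the retransmitted SYN is passed on to the server.
            return ("pass", None)
        # Challenge: reply with an ACK whose cookie the client stack will echo.
        return ("send_ack_with_cookie", make_cookie(src_ip, src_port, dst_ip, dst_port))

    def on_rst(self, src_ip, src_port, dst_ip, dst_port, echoed_cookie, now):
        """The client's RST to the unexpected ACK.

        A conforming TCP stack copies the received value into its RST (RFC 793
        reset generation), so a matching cookie proves the source address is
        reachable and not spoofed. A spoofed SYN never produces this RST.
        """
        expected = make_cookie(src_ip, src_port, dst_ip, dst_port)
        if echoed_cookie == expected:
            self.tcp_auth_table[src_ip] = now + self.entry_lifetime
            return "discard_and_authenticate"
        # Wrong cookie: the RST is discarded and nothing is learned.
        return "discard"


def simulate_client_connect(auth, src_ip, dst_ip, now, src_port=40000, dst_port=80):
    """Play a legitimate client's SYN / RST / retransmitted-SYN sequence."""
    actions = []
    action, cookie = auth.on_syn(src_ip, src_port, dst_ip, dst_port, now)
    actions.append(action)
    if action == "send_ack_with_cookie":
        actions.append(auth.on_rst(src_ip, src_port, dst_ip, dst_port, cookie, now))
        # Retransmit from the same source; the table is keyed by IP, not port.
        actions.append(auth.on_syn(src_ip, src_port + 1, dst_ip, dst_port, now + 1)[0])
    return actions
```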

To configure an SSL mitigation policy

1. In the Configuration perspective Network Protection tab navigation pane, select SYN Protection Profiles > SSL Mitigation Policies Parameters.
2. To add or modify a policy, do one of the following:
   To add a policy, click the (Add) button.
   To edit a policy, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 95: SSL Mitigation Policy Parameters

Name
    The name of the policy.

SSL VIP
    The IPv4 VIP address on the Alteon device.

VIP MAC
    The MAC address of the Alteon device.

Network Policy Name
    The name of the existing Network Protection Rule.

State
    Specifies whether the policy is active.
    Values: active, inactive
    Default: active

SSL Server IP Address
    The IPv4 address of the SSL server specified on the Alteon device.

Configuring DNS Protection Profiles for Network Protection

When you configure DNS Protection profiles, you need to configure the query and quota settings. Setting the query and quota values properly and accurately is important, because initial baselines and attack detection sensitivity are based on these values.

You can configure up to 100 DNS Protection profiles on a DefensePro device. The default maximum is 10. You can configure the maximum in APSolute Vision (Configuration perspective Advanced Parameters tab navigation pane, Tuning Parameters > Security > Max. Number of DNS Policies).

DNS Protection profiles can be used only in one-way policies. It is recommended to configure policies that include DNS Protection profiles using Networks with source = Any (the public network) and destination = Protected Network.

You can configure footprint bypass to bypass specified footprint types or values.

To configure a DNS Protection profile

1. In the Configuration perspective Network Protection tab navigation pane, select DNS Protection Profiles.
2. Do one of the following:
   To add a profile, click the (Add) button.
   To edit a profile, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 96: DNS Protection Profile Parameters

Name
    The name of the profile.

Query Protections and Quotas
    Radware recommends that you initially leave these fields empty so that the default values will automatically be used. To view default values after creating the profile, double-click the entry in the table. You can then adjust quota values based on your network performance.
    Caution: DefensePro does not support DNS queries of type ANY.
    Note: The total quota values may exceed 100%, as each value represents the maximum volume per protocol.

A Query, MX Query, PTR Query, AAAA Query, Text Query, SOA Query, NAPTR Query, SRV Query, Other Queries
    For each DNS query type to protect, specify the quota (the maximum expected percentage of DNS traffic out of the total DNS traffic) and select the checkbox in the row.

Get Default Quotas
    Configures all the quotas with the hard-coded default values after you have specified the Expected DNS Query Rate.

Expected DNS Query Rate
    The expected rate, in queries per second, of DNS queries.

Manual Triggers

Use Manual Triggers
    Specifies whether the profile uses user-defined DNS QPS thresholds instead of the learned baselines.
    Default: Disabled

Activation Threshold
    The minimum number of queries per second (after the specified Activation Period) on a single connection that causes DefensePro to consider there to be an attack. When DefensePro detects an attack, it issues an appropriate alert and drops the DNS packets that exceed the threshold. Packets that do not exceed the threshold bypass the DefensePro device.
    Values: 0-4,000,000
    Default: 0

Activation Period
    The number of consecutive seconds that the DNS traffic on a single connection exceeds the Activation Threshold that causes DefensePro to consider there to be an attack.
    Values: 1-30
    Default: 3

Termination Threshold
    The maximum number of queries per second (after the specified Termination Period) on a single connection that causes DefensePro to consider the attack to have ended.
    Values: 0-4,000,000
    Default: 0
    Note: The Termination Threshold must be less than or equal to the Activation Threshold.

Termination Period
    The time, in seconds, that the DNS traffic on a single connection is continuously below the Termination Threshold, which causes DefensePro to consider the attack to have ended.
    Values: 1-30
    Default: 3

Max QPS
    The maximum allowed rate of DNS queries per second.
    Values: 0-4,000,000
    Default: 0

Escalation Period
    The time, in seconds, that DefensePro waits before escalating to the next specified mitigation action.
    Values: 0-30
    Default: 3

Advanced Report Settings

Packet Report
    Specifies whether DefensePro sends sampled attack packets to APSolute Vision for offline analysis.
    Default: Disabled
    Note: When this feature is enabled, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting).

Packet Trace
    Specifies whether the DefensePro device sends attack packets to the specified physical port.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Action and Escalation
    Note: The device implements the parameters in this group box only when the Manual Triggers option is not enabled.

Profile Action
    The action that the profile takes on DNS traffic during an attack.
    Values: Block & Report, Report Only
    Default: Block & Report

Max allowed QPS
    The maximum allowed rate of DNS queries per second, when the Manual Triggers option is not enabled.
    Values: 0-4,000,000
    Default: 0
    Note: When the Manual Triggers option is enabled, the Max QPS value specified in the Manual Triggers group box takes precedence.

Signature Rate-limit Target
    The percentage of the DNS traffic that matches the real-time signature that the profile will not mitigate above the baseline.
    Values: 0-100
    Default: 0


Configuring Out of State Protection Profiles for Network Protection


Out of State Protection profiles detect out-of-state packets to provide additional protection against application-level attacks. You can configure up to 50 Out of State Protection profiles on a DefensePro device.

Caution: In cases of overlapping network policies configured with Out-of-State profiles, attacks triggered on both policies are reported twice, once per policy. As a consequence, in traffic monitoring, there might be some inconsistencies in the value for discarded traffic, because that value is the sum of all detected attacks.

To configure an Out of State Protection profile

1. In the Configuration perspective Network Protection tab navigation pane, select Out of State Protection Profiles.
2. Do one of the following:
   To add a profile, click the (Add) button.
   To edit a profile, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 97: Out of State Protection Profile Parameters

Profile Name
    The name of the profile.

Activation Threshold
    The rate, in PPS, of out-of-state packets above which the profile considers the packets to be part of a flood attack. When DefensePro detects an attack, it issues an appropriate alert and drops the out-of-state packets that exceed the threshold. Packets that do not exceed the threshold bypass the DefensePro device.
    Values: 1-250,000
    Default: 5000

Termination Threshold
    The rate, in PPS, of out-of-state packets below which the profile considers the flood attack to have stopped, and DefensePro resumes normal operation.
    Values: 1-250,000
    Default: 4000

Profile Risk
    The risk (for reporting purposes) assigned to the attack that the profile detects.
    Values: Info, Low, Medium, High
    Default: Low

Allow SYN-ACK
    Values:
      Enabled: The DefensePro device opens a session and processes a SYN-ACK packet even when DefensePro has identified no SYN packet for the session. This option supports asymmetric environments, where the first packet that DefensePro receives is the SYN-ACK.
      Disabled: When the DefensePro device receives a SYN-ACK packet and has identified no SYN packet for the session, DefensePro passes through the SYN-ACK packet (unprocessed) if the packet is below the specified activation threshold, and DefensePro drops the packet if it is above the specified activation threshold.
    Default: Enabled

Enable Packet Trace
    Specifies whether the profile sends out-of-state packets to the specified physical port.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Enable Packet Reporting
    Specifies whether the profile reports out-of-state packets.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting). In addition, a change to this parameter takes effect only after you update policies.

Profile Action
    The action that the profile takes when it encounters out-of-state packets.
    Values: Block and Report, Report Only
    Default: Block and Report
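The Activation/Termination threshold and period semantics of the Manual Triggers group in Table 96, generalized to also cover the Activation and Termination Thresholds of Table 97 above (an Out of State profile has no period, modelled here as one second), as an added Python detector that is not DefensePro code. The per-second rate samples, the per-connection key and the "drop only the excess above the activation threshold" reading of the guide's wording are this example's assumptions.

```python
from dataclasses import dataclass


@dataclass
class ThresholdConfig:
    """Trigger settings as in Table 96 (Manual Triggers) and Table 97."""
    activation_threshold: int        # rate above which activation counting starts
    activation_period: int = 1       # consecutive seconds above it before an attack is declared
    termination_threshold: int = 0   # rate below which termination counting starts
    termination_period: int = 1      # consecutive seconds below it before the attack ends

    def __post_init__(self):
        # Table 96 note: Termination Threshold must be <= Activation Threshold.
        if self.termination_threshold > self.activation_threshold:
            raise ValueError("termination threshold must not exceed activation threshold")
        # Table 96 value range for both periods.
        if not 1 <= self.activation_period <= 30 or not 1 <= self.termination_period <= 30:
            raise ValueError("periods are 1-30 seconds")


class RateAttackDetector:
    """Per-key attack state with hysteresis between the two thresholds.

    Call process() once per key per second with that second's rate (QPS for a
    DNS connection, PPS for out-of-state packets). It returns (in_attack,
    dropped): while in attack, only the part of the rate above the activation
    threshold is dropped; the rest bypasses the device, as the guide describes.
    """

    def __init__(self, cfg):
        self.cfg = cfg
        self.state = {}    # key -> {"attack": bool, "above": int, "below": int}
        self.events = []   # (key, "attack_started" | "attack_ended") for reporting

    def process(self, key, rate):
        s = self.state.setdefault(key, {"attack": False, "above": 0, "below": 0})
        if s["attack"]:
            # Termination: consecutive seconds strictly below the termination threshold.
            s["below"] = s["below"] + 1 if rate < self.cfg.termination_threshold else 0
            if s["below"] >= self.cfg.termination_period:
                s["attack"], s["below"] = False, 0
                self.events.append((key, "attack_ended"))
        else:
            # Activation: consecutive seconds strictly above the activation threshold.
            s["above"] = s["above"] + 1 if rate > self.cfg.activation_threshold else 0
            if s["above"] >= self.cfg.activation_period:
                s["attack"], s["above"] = True, 0
                self.events.append((key, "attack_started"))
        dropped = max(0, rate - self.cfg.activation_threshold) if s["attack"] else 0
        return s["attack"], dropped


def run_series(cfg, samples, key="conn-1"):
    """Feed a constructed per-second rate series for one key; return the decisions."""
    det = RateAttackDetector(cfg)
    return [det.process(key, rate) for rate in samples]
```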

Managing the Server Protection Policy


The Server Protection policy protects servers against targeted attacks. Each rule in the policy contains Server Protection profiles to defend a specific server against network and application attacks. You can specify an HTTP flood profile and a Server Cracking profile for each rule. These profiles are activated when DefensePro identifies an attack on the corresponding protected server. Before you configure rules and profiles for the Server Protection policy, ensure that you have enabled all the required protections and configured the corresponding global protection parameters under the Security Settings tab.

This section contains the following topics:
  Configuring the Server Protection Policy, page 197
  Configuring Server Cracking Profiles for Server Protection, page 205
  Configuring HTTP Flood Mitigation Profiles for Server Protection, page 209

Configuring the Server Protection Policy


The Server Protection policy defines the protected servers in your network, and the actions that DefensePro takes when an attack on a protected server is detected.

Caution: When you configure the policy, APSolute Vision stores your configuration changes, but it does not download your configuration changes to the device. To apply changes onto the device, you must activate the configuration changes.

To configure the Server Protection policy

1. In the Configuration perspective Server Protection tab navigation pane, select Server Protection Policy.
2. Do one of the following:
   To add an entry, click the (Add) button.
   To edit an entry, double-click the entry in the table.
3. Configure the parameters; and then, click OK.
4. To activate your changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.

Table 98: Server Protection Policy Parameters

Server Name
    The name of the server.

IP Range
    The IP address or IP-address range of the protected server. You can assign an HTTP profile to a server definition that contains one discrete IP address. You can assign a Server Cracking profile to ranges, networks, and discrete IP addresses.

Enabled
    Specifies whether the protection is enabled.

HTTP Flood Profile
    The HTTP Flood profile to be activated against an attack.
    Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.

Server Cracking Profile
    The Server Cracking profile to be activated against an attack. Each DefensePro device supports up to 20 Server Cracking profiles.
    Note: You can click the adjacent button to open the dialog box in which you can add and modify profiles.

VLAN Tag Group
    The VLAN Tag Group of the traffic.
    Note: You can click the adjacent button to open the dialog box in which you can add and modify VLAN Tag groups.

Policy
    The name of the Network Protection policy to which this Server Protection policy belongs.

Packet Reporting and Trace Setting

Packet Reporting
    Specifies whether the device sends sampled attack packets to APSolute Vision for offline analysis.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting).

Packet Reporting Configuration on Policy Takes Precedence
    Specifies whether the configuration of the Packet Reporting feature here, on this policy rule, takes precedence over the configuration of the Packet Reporting feature in the associated profiles.

Packet Trace
    Specifies whether the DefensePro device sends attack packets to the specified physical port.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Packet Trace Configuration on Policy Takes Precedence
    Specifies whether the configuration of the Packet Trace feature here, on this policy rule, takes precedence over the configuration of the Packet Trace feature in the associated profiles.
    Caution: A change to this parameter takes effect only after you update policies.

Server Cracking Protection


Server Cracking Protection provides application-level protection that monitors error responses from various applications and blocks hacking attempts from suspicious sources while allowing legitimate traffic to pass.

Note: When a Server Cracking attack occurs, you can view it in the APSolute Vision Security Dashboard and the Current Attacks table view. From both locations, you can drill down and view attack details. For more information, see Real-Time Security Reporting, page 287.

This section contains the following main topics:
  Server Cracking Protection Network Topography, page 199
  Server Cracking Attack Types, page 199
  Server Protection Policies/Rules, Profiles, and Protections, page 200
  Server Cracking Threats and Server Cracking Protection Strategies, page 201
  Server Cracking Mitigation with Server Cracking Protection, page 201
  Server Cracking Protection Technology, page 201
  Errors that Server Cracking Protection Monitors, page 204
  Server Cracking Protection Limitations, page 205
  Configuring Server Cracking Profiles for Server Protection, page 205
  Viewing Radware-defined Server Cracking Protections, page 208

Server Cracking Protection Network Topography


Server Cracking protection requires a symmetric environment. Tracking requires inspection of server responses. Blocking requires inspection of source requests.

Figure 29: Server Cracking Protection

Server Cracking Attack Types


This section describes the following server-cracking attack types:
  Cracking, Brute Force, and Dictionary Attacks, page 200
  Application-Vulnerability Scanning, page 200
  SIP Scanning, page 200
  SIP Brute-Force Attacks, page 200


Cracking, Brute Force, and Dictionary Attacks


Cracking, brute force, and dictionary attacks use scripts or other tools to try to break into an application by guessing user names and passwords from known lists. The risk associated with these types of attacks is clear: once a useful username and password are obtained, the attacker has free access to a service, information, or even to the server itself. Additional risks are denial of service, by triggering built-in protections in the application that lock users, or by consuming system resources during the authentication attempts.

Application-Vulnerability Scanning
Scanning attacks try to find services that are known to be vulnerable or actual vulnerabilities at the application level. The attacker later exploits the vulnerable server or application vulnerability. The scanners, which can be automatic or manual, send a legitimate request to the server. The request is used to expose the existence of the vulnerability. As such, the scan will not trigger an IPS-based signature. In most cases, the server will not be vulnerable and will respond with an error message. Application scanning attempts are usually precursors to more serious exploitation attempts. Scanning attempts generate a higher than normal error-response rate from the application. Blocking such attempts helps prevent the vulnerabilities from being disclosed.

SIP Scanning
In Session Initiation Protocol (SIP) scanning, the attacker's aim is slightly different. While it is possible to find vulnerable SIP implementations, the actual advantage of SIP scanning is to obtain a list of SIP subscribers, which can be used to send SPIT (SPAM over Internet Telephony). An attacker can use scripts to send SPIT messages to a guessed list of subscribers and harvest the existing subscribers according to the received replies. SPIT can annoy subscribers and even disrupt service if carried out in high volumes.

SIP Brute-Force Attacks


A register brute force attack is an attempt to gain access to a user account, and through it, to the service, thus allowing the attacker to exploit a service without paying for it, causing revenue loss, reputation loss, and increased bill-verification activities.

Server Protection Policies/Rules, Profiles, and Protections


Each Server Protection policy/rule can include one Server Cracking Protection profile. Depending on the configuration of the specific DefensePro device, DefensePro supports between 100 and 1000 Server Protection policies/rules. The default is 350. Each DefensePro device supports up to 20 different profiles. You can use Server Cracking profiles for multiple Server Protection policies/rules.

A Server Cracking Protection profile specifies the protections that DefensePro applies to protect application servers in your network against cracking attempts and other vulnerability scans. For information on the default configuration of each protection, see Viewing Radware-defined Server Cracking Protections, page 208.

DefensePro supports the following protections:
  Brute Force DNS
  Brute Force FTP
  Brute Force IMAP
  Brute Force LDAP
  Brute Force MSSQL
  Brute Force MySQL
  Brute Force POP3
  Brute Force SIP (TCP)
  Brute Force SIP (UDP)
  Brute Force SIP DST (TCP)
  Brute Force SIP DST (UDP)
  Brute Force SMB
  Brute Force SMTP
  Brute Force Web
  SIP Scan (TCP)
  SIP Scan (UDP)
  SIP Scan DST (TCP)
  SIP Scan DST (UDP)
  SMTP Scan
  Web Scan

Server Cracking Threats and Server Cracking Protection Strategies


DefensePro identifies attackers using source tracking and a fuzzy-logic decision engine. The detection mechanism uses the frequency and quantity of server-based error responses, and uniquely identifies them per protected application. The analysis is done per source IP address and protected server. DefensePro sends these parameters to the Fuzzy Inference System (FIS), which calculates the degree of attack (DoA). Application scanning and authentication brute-force attempts are usually precursors to more serious exploitation attempts. The attacker sends a list of legitimate-looking requests and analyzes the responses in order to discover a known vulnerability or gain access to restricted parts of the application. Both cracking and scanning attempts are characterized by higher-than-normal rates of error responses from the application to specific users, in terms of frequency and quantity. Blocking such attempts helps prevent more severe attacks.

Server Cracking Mitigation with Server Cracking Protection


DefensePro adds a source identified as an attacker to the Suspend table even when the protection action is set to Report Only. The data in the Suspend table is affected by the specific protection configuration. The data can include several combinations of source IP address and destination details, such as IP address and/or port. When DefensePro detects an attack, the first blocking period is a random value between 10 and 30 seconds. Upon inserting the source IP address into the Suspend table, the system keeps tracking the source for the duration of the blocking period and an additional expiration time, which is defined by the Sensitivity set for the specific attack (see Sensitivity Parameter, page 202). If the source keeps attacking the network during the monitoring interval, DefensePro blocks it again using a new blocking period, which is more than twice the last blocking period, up to the maximal blocking period, which is 120 seconds.

Server Cracking Protection Technology


This section describes the following aspects of the Server Cracking Protection technology:
  DefensePro in the Network, page 202
  The Detection Mechanism and Available Protections, page 202
  Behavioral Parameters and States/Degrees of Attack, page 202
  Sensitivity Parameter, page 202


DefensePro in the Network


DefensePro is a hardware appliance that is placed in-line with network traffic, typically between the clients and the protected servers. A symmetric network environment is mandatory because Server Cracking protection is done by inspecting server responses.

The Detection Mechanism and Available Protections


The detection mechanism is based on the analysis of server error-code replies. The codes are identified by matching server response signatures. The signatures are part of the signature file, which the Radware SOC team updates.

Behavioral Parameters and States/Degrees of Attack


An exponential moving average mechanism derives behavioral parameters (frequency and quantity of code replies) per source IP address and protected server. These parameters are further analyzed through a Fuzzy Logic Inference System that generates a degree of attack (DoA), which, in turn, determines the state of each source IP address:
  Attack state: The user (source) is blocked using the Suspend table.
  Suspect state: The system continues to follow the user for a predefined duration (suspect monitoring interval time-out).
  Normal state: The system continues to follow the user for a predefined duration (that is, the normal monitoring interval time-out, which is lower than the suspect state monitoring interval time-out).

During the Attack state, the user is added to the Suspend table (a block list). When the user is released from block, the monitoring interval is set again.

Sensitivity Parameter
The Sensitivity parameter of each Server Cracking protection defines thresholds for the quantity and frequency of server-side error messages. DefensePro tracks server-side error messages to trigger attack detection. High sensitivity means that only a few cracking attempts trigger the protection, while Minor means that a very high number of attempts trigger the protection. The default is Medium. During the Attack state, the attacker is added to the Suspend table, which is the list of blocked sources. When the user is released from the Suspend table, the monitoring interval is set again.

Table 99: Degree-of-Attack States and Sensitivity Values

Monitoring interval in seconds, per Sensitivity value:

State              High    Medium    Low    Minor
Normal state       20      15        10     5
Suspect state      40      30        15     10
Attack state (1)   60      45        20     15

(1) In the Attack state, the user is added to the block list, and the monitoring interval is set when the user is released from block.
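The Suspend-table timing from Server Cracking Mitigation with Server Cracking Protection, combined with the Attack-state monitoring intervals of Table 99, as an added Python model that is not DefensePro code. The escalation factor (the guide says only "more than twice"), the extra second added to it, and keying the table by a (source IP, destination IP, port) tuple are this example's assumptions.

```python
import random

# Table 99: monitoring interval in seconds, per Sensitivity and degree-of-attack state.
MONITORING_INTERVAL = {
    "High":   {"normal": 20, "suspect": 40, "attack": 60},
    "Medium": {"normal": 15, "suspect": 30, "attack": 45},
    "Low":    {"normal": 10, "suspect": 15, "attack": 20},
    "Minor":  {"normal": 5,  "suspect": 10, "attack": 15},
}
FIRST_BLOCK_RANGE = (10, 30)   # first blocking period is a random value in this range
MAX_BLOCK = 120                # maximal blocking period in seconds


class SuspendTable:
    """Sources identified as attackers by one Server Cracking protection."""

    def __init__(self, sensitivity="Medium", action="Block & Report", rng=None):
        self.sensitivity = sensitivity
        self.action = action
        self.rng = rng or random.Random()
        # key -> {"last_block", "blocked_until", "tracked_until"} (simulated seconds).
        # The key is whatever the protection combines: source IP plus, optionally,
        # destination IP and/or port (assumed tuple shape).
        self.entries = {}

    def on_attack_detected(self, key, now):
        """Called when the decision engine reaches the Attack state for key.

        The source is entered even when the action is Report Only, as the guide
        states; should_drop() is where the action makes a difference.
        Returns the blocking period applied."""
        entry = self.entries.get(key)
        if entry is None or now >= entry["tracked_until"]:
            # New source, or one whose monitoring interval already elapsed.
            period = self.rng.uniform(*FIRST_BLOCK_RANGE)
        else:
            # Still under monitoring and attacking again: escalate to "more than
            # twice" the last period (the +1 second is an assumption), capped.
            period = min(2 * entry["last_block"] + 1, MAX_BLOCK)
        blocked_until = now + period
        self.entries[key] = {
            "last_block": period,
            "blocked_until": blocked_until,
            # Tracking lasts for the block plus the Attack-state monitoring interval.
            "tracked_until": blocked_until + MONITORING_INTERVAL[self.sensitivity]["attack"],
        }
        return period

    def is_blocked(self, key, now):
        entry = self.entries.get(key)
        return entry is not None and now < entry["blocked_until"]

    def is_tracked(self, key, now):
        entry = self.entries.get(key)
        return entry is not None and now < entry["tracked_until"]

    def should_drop(self, key, now):
        """Only a blocking action drops packets; Report Only keeps the source in
        the table (for reporting and escalation) but lets its traffic pass."""
        return self.action == "Block & Report" and self.is_blocked(key, now)

    def expire(self, now):
        """Forget sources whose monitoring interval has elapsed."""
        for key in [k for k, e in self.entries.items() if now >= e["tracked_until"]]:
            del self.entries[key]


def escalation_sequence(detection_times, sensitivity="Medium", seed=1):
    """Blocking periods produced by repeated detections of one constructed source."""
    table = SuspendTable(sensitivity, rng=random.Random(seed))
    key = ("192.0.2.5", "203.0.113.20", 80)   # constructed source/destination/port
    return [table.on_attack_detected(key, t) for t in detection_times]
```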

There may be cases where you need to tune the value of the Sensitivity parameter. For example, if you are protecting a Web server that is not maintained or not updated, it may generate HTTP-error replies at an abnormal rate, which the device will falsely identify as an attack. In such a case, set the sensitivity to Low.

Note: Application-scanning and brute-force attempts are usually generated through multiple L4 connections. If the attack attempts are using the same L4 connection (that is, a TCP or UDP connection), the detection sensitivity will be automatically set to a higher value than those that are specified in the above table. Thus, the quantity and frequency of attempts needed to trigger the protection action will be lower.

Table 100: Sensitivity Levels for Brute-Force Indications

Sensitivity   Counter (Request Trigger)   Frequency (Requests/Second)
High          20                          5
Medium        40                          10
Low           60                          15
Minor         80                          20

Table 101: Sensitivity Levels for Cracking Indications (Single Layer 4 Connection)

Sensitivity   Counter (Request Trigger)   Frequency (Requests/Second)
High          5                           1
Medium        10                          2
Low           15                          4
Minor         20                          6

Table 102: Sensitivity Levels for Scanning Indications

Sensitivity   Counter (Request Trigger)   Frequency (Requests/Second)
High          10                          0.5
Medium        30                          1
Low           25                          3
Minor         45                          30
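The following is an added example, not code from the Radware guide: a simplified Python model of the Server Cracking state machine and sensitivity thresholds described above, run over a constructed log of server replies. It uses the threshold values from Tables 99, 100 and 101 and the authentication-failure codes 401, 403 and 407, but it replaces the device's exponential moving average and fuzzy-logic inference with plain counters, and it assumes (an assumption, not something the guide states) that the counter trigger counts error replies within the current monitoring interval and the frequency trigger counts error replies within the last second.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field

# Threshold values from Tables 100 and 101: (counter trigger, requests per second).
BRUTE_FORCE = {"High": (20, 5), "Medium": (40, 10), "Low": (60, 15), "Minor": (80, 20)}
SINGLE_CONNECTION = {"High": (5, 1), "Medium": (10, 2), "Low": (15, 4), "Minor": (20, 6)}
# Monitoring intervals in seconds from Table 99: (Normal, Suspect, Attack).
MONITOR_INTERVAL = {"High": (20, 40, 60), "Medium": (15, 30, 45),
                    "Low": (10, 15, 20), "Minor": (5, 10, 15)}
# Authentication-failure replies (SIP/Web Brute Force codes) that count as attempts.
AUTH_ERRORS = {401, 403, 407}


@dataclass
class SourceState:
    state: str = "Normal"
    errors: deque = field(default_factory=deque)   # timestamps of error replies this interval
    connections: set = field(default_factory=set)  # L4 connections that carried errors
    interval_end: float = 0.0                      # expiry of the current monitoring interval
    suspended_until: float = 0.0                   # Suspend-table expiry while in Attack state


class ServerCrackingDetector:
    """Per (source IP, protected server) tracking with Normal/Suspect/Attack states."""

    def __init__(self, sensitivity="Medium"):
        self.sensitivity = sensitivity
        self.sources = defaultdict(SourceState)

    def observe(self, ts, src_ip, server, conn_id, status):
        """Feed one server reply and return the source's state after it."""
        s = self.sources[(src_ip, server)]
        normal_iv, suspect_iv, attack_iv = MONITOR_INTERVAL[self.sensitivity]

        # A blocked source stays in Attack until the Suspend table releases it;
        # on release the monitoring interval is set again (Table 99 footnote).
        if s.state == "Attack":
            if ts < s.suspended_until:
                return "Attack"
            s.state, s.errors, s.connections = "Normal", deque(), set()
            s.interval_end = ts + normal_iv

        # Monitoring interval elapsed without a trigger: back to Normal with fresh counters.
        if ts >= s.interval_end:
            s.state, s.errors, s.connections = "Normal", deque(), set()
            s.interval_end = ts + normal_iv

        if status not in AUTH_ERRORS:
            return s.state

        s.errors.append(ts)
        s.connections.add(conn_id)
        if s.state == "Normal":
            s.state = "Suspect"
            s.interval_end = ts + suspect_iv

        # Attempts over a single L4 connection use the stricter Table 101 thresholds.
        table = SINGLE_CONNECTION if len(s.connections) == 1 else BRUTE_FORCE
        count_trigger, rate_trigger = table[self.sensitivity]
        last_second = sum(1 for t in s.errors if ts - t < 1.0)
        if len(s.errors) >= count_trigger or last_second >= rate_trigger:
            s.state = "Attack"
            s.suspended_until = ts + attack_iv
        return s.state


def run_scenario(sensitivity="Medium"):
    """Constructed reply log: (timestamp, src_ip, server, conn_id, status)."""
    det = ServerCrackingDetector(sensitivity)
    # Two failures on one TCP connection within half a second.
    single_conn = [(0.0, "198.51.100.7", "10.0.0.5", "c1", 401),
                   (0.5, "198.51.100.7", "10.0.0.5", "c1", 401)]
    # Five failures spread over five connections, then a burst of ten in half a second.
    spread = [(1.0 + 0.1 * i, "203.0.113.9", "10.0.0.5", f"c{i}", 401) for i in range(5)]
    burst = [(3.0 + 0.05 * i, "203.0.113.9", "10.0.0.5", f"b{i}", 403) for i in range(10)]
    # Successful replies while suspended and after the suspension expires.
    aftermath = [(10.0, "203.0.113.9", "10.0.0.5", "x", 200),
                 (60.0, "203.0.113.9", "10.0.0.5", "y", 200)]
    return [det.observe(*event) for event in single_conn + spread + burst + aftermath]


if __name__ == "__main__":
    for level in ("Medium", "Low"):
        print(level, run_scenario(level))
```

At Medium sensitivity the second error on the single connection already reaches the Table 101 frequency trigger (2 per second), the spread-out failures only move the second source to Suspect, the burst of ten reaches the Table 100 frequency trigger, and the source returns to Normal once the 45-second suspension has elapsed. At Low sensitivity the same log never reaches Attack, which is the tuning effect the guide describes for noisy servers.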


Errors that Server Cracking Protection Monitors


The following table lists the protocol errors that Server Cracking Protection monitors to identify the various server-cracking attacks.

Table 103: Protocol Errors and Server Cracking Protections

HTTP and SIP response codes are monitored by the scan protections (Web Scan, SIP Scan); the authentication-related codes 401, 403 and 407 are monitored by SIP/Web Brute Force. Codes that exist only in SIP are monitored by SIP Scan.

Error Code    Error                                                   Protection
0xc000006a    STATUS_WRONG_PASSWORD                                   Brute Force SMB
0xc000006d    STATUS_LOGON_FAILURE                                    Brute Force SMB
0xc0000022    STATUS_ACCESS_DENIED                                    Brute Force SMB
48            Inappropriate Authentication                            Brute Force LDAP
49            Invalid Credentials                                     Brute Force LDAP
50            Insufficient Access Rights                              Brute Force LDAP
400           Bad Request                                             Web Scan, SIP Scan
401           Unauthorized                                            SIP/Web Brute Force
402           Payment Required                                        Web Scan, SIP Scan
403           Forbidden                                               SIP/Web Brute Force
404           Not Found                                               Web Scan, SIP Scan
405           Method Not Allowed                                      Web Scan, SIP Scan
406           Not Acceptable                                          Web Scan, SIP Scan
407           Proxy Authentication Required                           SIP/Web Brute Force
408           Request Timeout                                         Web Scan, SIP Scan
409           Conflict                                                Web Scan, SIP Scan
410           Gone                                                    Web Scan, SIP Scan
411           Length Required                                         Web Scan, SIP Scan
412           Precondition Failed                                     Web Scan, SIP Scan
413           Request Entity Too Large                                Web Scan, SIP Scan
414           Request-URI Too Large                                   Web Scan, SIP Scan
415           Unsupported Media Type                                  Web Scan, SIP Scan
416           Unsupported URI Scheme                                  SIP Scan
417           Unknown Resource-Priority                               SIP Scan
420           Bad Extension                                           SIP Scan
421           Extension Required                                      SIP Scan
423           Interval Too Brief                                      SIP Scan
481           Call/Transaction Does Not Exist                         SIP Scan
483           Too Many Hops                                           SIP Scan
485           Ambiguous                                               SIP Scan
486           Busy Here                                               SIP Scan
488           Not Acceptable Here                                     SIP Scan
530           User not logged in                                      Brute Force FTP
535           Authentication unsuccessful/Bad username or password    Brute Force SMTP
550           Mailbox Unavailable                                     SMTP Scan
1045          Access denied for user                                  Brute Force MySQL
0x8003        Response, No such name                                  Brute Force DNS
18456         Login Failed                                            Brute Force MSSQL
-ERR          General POP3 error                                      Brute Force POP3
NO            Generic error code                                      Brute Force IMAP

Server Cracking Protection Limitations


Server Cracking Protection has the following known limitations:

- Server Cracking protection relies on generic protocol error messages. The signatures of Server Cracking protection are based on these messages, which are defined in the protocol RFCs. Server Cracking Protection can identify traffic using these generic errors, but it might miss cracking attempts against applications and services that do not use generic protocol error messages. Web servers that respond with error messages inside the HTTP content or use HTTP 200 OK might not be inspected, and malicious attempts will not be detected and blocked.
- Web authentication: When authentication is done at the application level without using HTTP error codes, the Server Cracking module cannot detect the attack.
- Web scans: When the server replies with HTTP 200 OK to requests, the Server Cracking module cannot detect the attack. While this practice is not recommended by the RFC, it is sometimes used by Web server administrators. Support for such customized error pages is planned.

Configuring Server Cracking Profiles for Server Protection


Server Cracking profiles defend the applications in your network against server flooding, authorization hacking, vulnerability scanning, and application floods. Each protection protects against one specific cracking activity. You configure Server Cracking profiles with Radware-defined protections.

Each DefensePro device supports up to 20 Server Cracking profiles. Before you configure a Server Cracking profile, ensure the following:

- The Session table Lookup Mode is Full Layer 4. For more information, see Configuring Session Table Settings, page 101.
- IPS protection is enabled and the global parameters are configured. For more information, see Configuring Global Signature Protection, page 131.

To configure a Server Cracking profile


1. In the Configuration perspective Server Protection tab navigation pane, select Server Cracking Profiles.
2. To add a profile:
   a. Click the (Add) button.
   b. Enter a name for the profile and click OK.
   c. Configure the actions and protections for the profile and click OK.
3. To modify a profile:
   a. Double-click the entry in the table.
   b. Modify the actions and protections of the profile; and then, click OK.

Table 104: Server Cracking Profile Parameters

Profile Name
    (Read-only) The name of the Server Cracking profile.

Action
    The action that the device takes when an attack that matches a configured protection occurs.
    Values: Block and Report, Report Only
    Default: Report Only

Packet Trace
    Specifies whether the DefensePro device sends attack packets to the specified physical port.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Server Cracking Protection table
    Contains the protections to be applied if there is an attack on the server. To configure a protection, see Configuring Server Cracking Protections for a Server Cracking Profile, page 207.
    Note: In each Server Cracking policy/rule, you can use only one Server Cracking profile. Therefore, ensure that all the protections that you want to apply to a rule are contained in the profile specified for that rule.


Configuring Server Cracking Protections for a Server Cracking Profile


In each Server Cracking policy/rule, you can use only one Server Cracking profile. Therefore, ensure that all the Server Cracking protections that you want to apply to a rule are contained in the profile specified for that rule.

To configure a Server Cracking protection for a Server Cracking profile


1. In the table of the Server Cracking Profile dialog box (Configuration perspective Server Protection tab navigation pane > Server Cracking Profiles > click (Add) or double-click the entry in the table), do one of the following:
   - To add a protection, right-click in the table and select Add New Server Cracking Protection.
   - To modify the configuration of an already specified protection, double-click the entry.
2. Configure the parameters; and then, click OK.

Table 105: Server Cracking Protection Parameters

Profile Name
    (Read-only) The name of the Server Cracking profile.

Server Cracking Protection Name
    (Read-only when modifying the configuration) The name of the Server Cracking protection.
    Notes:
    - You can view the default configuration of each protection in the Server Cracking Protections pane (see Viewing Radware-defined Server Cracking Protections, page 208).
    - For more information on the Server Cracking protections, see Server Protection Policies/Rules, Profiles, and Protections, page 200 and Server Cracking Protection Technology, page 201.

Sensitivity
    The detection sensitivity of the module. The sensitivity level defines thresholds for the number and frequency of server-side error messages.
    Values: High, Medium, Low, Minor
    Default: Medium
    Note: For more information, see Sensitivity Parameter, page 202.

Risk
    The risk assigned to this attack for reporting purposes.
    Values: Info, Low, Medium, High


Viewing Radware-defined Server Cracking Protections


You can view the default configurations of the Radware-defined Server Cracking protections.

To view Radware-defined Server Cracking protections


In the Configuration perspective Server Protection tab navigation pane, select Server Cracking Profiles > Server Cracking Protections. The Server Cracking Protections table is displayed with the read-only Radware-defined Server Cracking protections.

Table 106: Radware-defined Server Cracking Protection Parameters

Protection ID
    The unique identifying number.

Protection Name
    The name of the protection. The Protection Name is used when DoS Shield sends information about attack status changes.

Risk
    The risk assigned to this attack for reporting purposes.
    Values: Info, Low, Medium, High

Sensitivity
    The detection sensitivity of the module. The sensitivity level defines thresholds for the number and frequency of server-side error messages, which are tracked for attack detection. High sensitivity means that few cracking attempts trigger the protection; Minor sensitivity means that a very high number of attempts is needed.
    Values: High, Medium, Low, Minor
    Default: Medium
    Note: If you are protecting a Web server that is not maintained or not updated, it may generate HTTP-error replies at an abnormal rate, which the device will falsely identify as an attack. In such a case, set the sensitivity to Low.

Action Mode
    The action that the device takes when an attack is detected.

Direction
    The direction of the traffic to inspect. A protection may include attacks that should be searched for only in traffic from client to server, or only in traffic from server to client.
    Values:
    Inbound - The protection inspects traffic from the policy Source to the policy Destination.
    Outbound - The protection inspects traffic from the policy Destination to the policy Source.
    Inbound & Outbound - The protection inspects all traffic between the policy Source and the policy Destination.

Suspend Action
    Specifies what traffic to suspend for a period of time.
    Values:
    None - Suspend action is disabled for this attack.
    SrcIP - All traffic from the IP address identified as the source of the attack is suspended.
    SrcIP, DestIP - Traffic from the IP address identified as the source of the attack to the destination IP address under attack is suspended.
    SrcIP, DestPort - Traffic from the IP address identified as the source of the attack to the application (destination port) under attack is suspended.
    SrcIP, DestIP, DestPort - Traffic from the IP address identified as the source of the attack to the destination IP address and port under attack is suspended.
    SrcIP, DestIP, SrcPort, DestPort - Traffic from the IP address and port identified as the source of the attack to the destination IP address and port under attack is suspended.

Configuring HTTP Flood Mitigation Profiles for Server Protection


HTTP Flood Mitigation profiles defend the applications in your network against server flooding. Server flood attacks are aimed at specific servers causing denial of service at the server level. These types of attacks disrupt a server by sending more requests than the server can handle, thereby preventing access to a service. Server attacks differ from network-flood attacks either in the attack volume or in the nature of the requests used in the attack. Server flood attacks use legitimate requests that cannot be distinguished from regular customer requests.

Before you configure an HTTP Flood Mitigation profile, ensure that HTTP mitigation is enabled and the global parameters are configured. For more information, see Configuring Global HTTP Flood Protection, page 142.

To configure an HTTP Flood profile


1. In the Configuration perspective Server Protection tab navigation pane, select HTTP Flood Profiles.
2. Do one of the following:
   - To add a profile, click the (Add) button. Enter the profile name and click OK.
   - To edit a profile, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 107: HTTP Flood Profile Parameters

Basic Parameters

Profile Name
    The name of the profile.

Sensitivity Level
    When User-Defined Attack Triggers are not used, this parameter specifies how sensitive the profile is to deviations from the baseline. High specifies that the profile identifies an attack when the device detects only a small deviation from the baselines.
    Values: Minor, Low, Medium, High
    Default: Medium

Action
    The action that the profile takes when the profile detects suspicious traffic.
    Values:
    Block and Report - Blocks and reports on the suspicious traffic.
    Report Only - Reports the suspicious traffic.
    Default: Block and Report

Automatic Attack Triggers

GET and POST Request Rate
    Specifies whether the profile identifies an HTTP flood attack when the rate of GET and POST requests exceeds the learned baseline.
    Default: Enabled

Other Request-Type Request Rate
    Specifies whether the profile identifies an HTTP flood attack when the rate of requests that are not GET or POST requests exceeds the learned baseline.
    Default: Enabled
    Caution: If Outbound HTTP Bandwidth is enabled and Other Request-Type Request Rate is disabled, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. The same can happen when both are enabled but the rate of other requests does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP Bandwidth mechanism to consider the attack to be an anomaly, and the profile will not mitigate it.

Outbound HTTP Bandwidth
    Specifies whether the profile identifies an HTTP flood attack when the outbound HTTP bandwidth exceeds the learned baseline.
    Default: Enabled

Requests-per-Source Rate
    Specifies whether the profile identifies an HTTP flood attack when the rate of requests per source exceeds the learned baseline.
    Default: Enabled

Requests-per-Connection Rate
    Specifies whether the profile identifies an HTTP flood attack when the rate of requests per connection exceeds the learned baseline.
    Default: Enabled

User-Defined Attack Triggers

Use the following thresholds to identify HTTP flood attacks
    Specifies whether the profile uses static, user-defined thresholds to identify when an attack is in progress, or instead checks the server traffic and compares its behavior to the baseline to identify when an attack is in progress.
    Default: Disabled

GET and POST Request-Rate Trigger
    The maximum number of GET and POST requests allowed, per server per second.
    Values: 0 (the profile ignores the threshold), 1 to 4,294,967,296
    Default: 0

Other Request-type Request-Rate Trigger
    The maximum number of requests that are not GET or POST (for example, HEAD, PUT, and so on) allowed, per server per second.
    Values: 0 (the profile ignores the threshold), 1 to 4,294,967,296
    Default: 0
    Caution: If Outbound HTTP BW Trigger is enabled and Other Request-type Request-Rate Trigger is disabled, an attack consisting of other (that is, not GET or POST) requests may cause high outbound HTTP bandwidth consumption. The same can happen when both are enabled but the rate of other requests does not exceed the threshold. The high outbound HTTP bandwidth consumption may cause the Outbound HTTP BW Trigger mechanism to consider the attack to be an anomaly, and the profile will not mitigate it.

Outbound HTTP BW Trigger
    The maximum allowed bandwidth of HTTP responses in kilobits per second.
    Values: 0 (the profile ignores the threshold), 1 to 4,294,967,296
    Default: 0

Requests-per-Source Trigger
    The maximum number of requests allowed per source IP per second.
    Values: 0 (the profile ignores the threshold), 1 to 4,294,967,296
    Default: 5

Requests-per-Connection Trigger
    The maximum number of requests allowed from the same connection.
    Values: 0 (the profile ignores the threshold), 1 to 4,294,967,296
    Default: 5

Suspicious Source Characterization Thresholds

Request-Rate Threshold
    The number of HTTP requests per second from a source that causes the profile to consider the source to be suspicious.
    Values: 1 to 65,535
    Default: 5

Requests-per-Connection Threshold
    The number of HTTP requests on a connection that causes the profile to consider the source to be suspicious.
    Values: 1 to 65,535
    Default: 5

Packet Report
    Specifies whether the profile sends sampled attack packets to APSolute Vision for offline analysis.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting).

Packet Trace
    Specifies whether the profile sends attack packets to the specified physical port.
    Default: Disabled
    Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.

Mitigation Settings
    When the protection is enabled and the profile detects that an HTTP-flood attack has started, the device implements the mitigation actions in escalating order, that is, in the order in which they appear in the group box. If the first enabled mitigation action does not mitigate the attack satisfactorily, after a certain escalation period the device implements the next, more severe, enabled mitigation action, and so on. Escalation periods are not configurable.

Challenge Suspects
    Specifies whether the profile challenges HTTP sources that match the real-time signature.
    Default: Enabled

Challenge All
    Specifies whether the profile challenges all HTTP traffic toward the protected server.
    Default: Enabled

Block Suspects
    Specifies whether the profile blocks all traffic from the suspect sources.
    Default: Enabled

Challenge Mode
    Specifies how the profile challenges suspect HTTP sources.
    Values:
    302 Redirect - The device authenticates HTTP traffic using a 302 Redirect response code.
    JavaScript - The device authenticates HTTP traffic using a JavaScript object generated by the device.
    Default: 302 Redirect
    Notes:
    - Some attack tools are capable of handling 302-redirect responses. The 302 Redirect Challenge Mode is not effective against attacks that use those tools.
    - The JavaScript Challenge Mode requires a JavaScript-capable engine on the client side, and therefore the JavaScript option is considered stronger. However, the JavaScript option has limitations that are relevant in certain scenarios:
      - If the browser does not support JavaScript calls, the browser will not answer the challenge.
      - When the protected server is accessed only as a sub-resource of another (main) page by means of JavaScript, the user session will fail (that is, the browser will not answer the challenge). For example, if the protected server supplies content that is requested through a script tag, the DefensePro JavaScript challenge is returned as the body of that script and is therefore enclosed within the original JavaScript block. This violates JavaScript syntax rules, which results in a challenge failure. Example (the js.src request below accesses the protected server):

        <script>
        setTimeout(function () {
          var js = document.createElement('script');
          js.src = 'http://mysite.site.com.domain/service/appMy.jsp?dlid=12345';
          document.getElementsByTagName('head')[0].appendChild(js);
        }, 1000);
        </script>

      The returned challenge page contains the <script> tag again, which is illegal inside a script body, and therefore the browser drops it without performing the redirect.
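The following is an added example, not code from the Radware guide: a Python model of the two challenge modes described above, issued by an in-line device to a client that lacks a valid challenge cookie, together with three constructed client models. The cookie name dp_chal, the HMAC secret, the 300-second token lifetime and the stateless token design (the token is bound to the source IP and a time bucket so it cannot be shared or replayed indefinitely) are assumptions of this example, not DefensePro's implementation; the point it shows is why a redirect-following tool passes the 302 Redirect mode but not the JavaScript mode.

```python
import hashlib
import hmac

SECRET = b"rotate-this-per-device"  # assumption: a per-device secret
COOKIE = "dp_chal"                   # assumption: the challenge cookie name
BUCKET = 300                         # assumption: token lifetime in seconds


def make_token(src_ip, now, secret=SECRET, bucket=BUCKET):
    """Stateless token bound to the source IP and a time bucket."""
    msg = f"{src_ip}|{int(now // bucket)}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:32]


def token_valid(src_ip, token, now, secret=SECRET, bucket=BUCKET):
    # Accept the current and the previous bucket so a token issued just before a
    # boundary still works; anything older, or minted for another IP, is rejected.
    return any(hmac.compare_digest(token, make_token(src_ip, t, secret, bucket))
               for t in (now, now - bucket))


def challenge(req, mode, now):
    """Return None to forward the request to the server, or a challenge response."""
    token = req.get("cookies", {}).get(COOKIE)
    if token and token_valid(req["src_ip"], token, now):
        return None
    new_token = make_token(req["src_ip"], now)
    if mode == "302 Redirect":
        # The client proves it handles redirects and cookies by re-requesting Location.
        return {"status": 302, "headers": {"Location": req["path"],
                                            "Set-Cookie": f"{COOKIE}={new_token}"}, "body": ""}
    # JavaScript mode: the cookie is set only if the client executes the script.
    body = f'<script>document.cookie="{COOKIE}={new_token}";location.reload();</script>'
    return {"status": 200, "headers": {"Content-Type": "text/html"}, "body": body}


# Constructed client models: a browser, a flood tool that follows redirects and keeps
# cookies but has no JavaScript engine, and a tool that fires raw requests only.
BROWSER = {"ip": "203.0.113.9", "follows_redirects": True, "runs_js": True}
REDIRECT_TOOL = {"ip": "198.51.100.7", "follows_redirects": True, "runs_js": False}
FLOOD_TOOL = {"ip": "192.0.2.33", "follows_redirects": False, "runs_js": False}


def simulate(client, mode, now=1_700_000_000.0, max_round_trips=3):
    """Replay a client against the challenge; returns ("passed", n) or ("blocked", n)."""
    cookies = {}
    for n in range(max_round_trips):
        req = {"method": "GET", "path": "/login", "src_ip": client["ip"],
               "cookies": dict(cookies)}
        resp = challenge(req, mode, now)
        if resp is None:
            return ("passed", n)
        if resp["status"] == 302 and client["follows_redirects"]:
            # A redirect-capable client stores the cookie and re-requests Location.
            cookies[COOKIE] = resp["headers"]["Set-Cookie"].split("=", 1)[1]
        elif resp["status"] == 200 and client["runs_js"]:
            # Only a JavaScript engine runs document.cookie=... and reloads the page.
            cookies[COOKIE] = resp["body"].split(COOKIE + "=")[1].split('"')[0]
        # Otherwise the client ignored the challenge and just sends the next raw request.
    return ("blocked", max_round_trips)


if __name__ == "__main__":
    for name, client in (("browser", BROWSER), ("redirect tool", REDIRECT_TOOL),
                         ("flood tool", FLOOD_TOOL)):
        for mode in ("302 Redirect", "JavaScript"):
            print(f"{name:13} {mode:13} {simulate(client, mode)}")
```

The script-tag limitation from the note above follows from the JavaScript-mode body: it begins with a literal <script> tag, which is valid when the browser renders it as a page but is a syntax error when the same bytes arrive as the source of a script element, so the cookie is never set and the challenge is never answered.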


Configuring White Lists


The White List determines the traffic that is exempt from security inspection. For each protection, you can set different White List rules.

Configuring White Lists in DefensePro


The configuration of White Lists in DefensePro depends on the device version. In DefensePro, a White List rule can use explicit values or predefined classes to classify the traffic. The classes are displayed in the Classes tab. For more information, see Managing Classes, page 231. You can configure a White List rule so that traffic from a specified source Network class or source IP address bypasses (that is, is exempt from) specific protection modules, for example, Server Cracking. When you specify specific protection modules in a White List rule, the device uses only the source Network class or the explicit source IP address for classification.

Note: Since networks on the White List are not inspected, certain protections are not applied to sessions in the opposite direction. For example, with SYN protection, this can cause servers to not be added to known destinations due to ACK packets not being inspected.

To configure a white list


1. In the Configuration perspective ACL tab navigation pane, select White List.
2. To add or modify a white list rule, do one of the following:
   - To add a rule, click the (Add) button.
   - To edit a rule, double-click the entry in the table.
3. Configure the white list rule parameters.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.

Table 108: White List Rule Parameters

Identification

Name
    The name of the rule, up to 50 characters.

Description
    The user-defined description of the rule.

Enable
    When selected, the rule is active.

Module Bypass

Bypass All Modules
    Specifies whether the rule bypasses all protection modules.
    Values:
    Enabled - The specified Classification criteria determine the traffic that is exempt from security inspection. The checkboxes for the individual protection modules are unavailable.
    Disabled - The specified source (that is, the source Network class or source IP address) and the specified protection modules determine the traffic that is exempt from security inspection. The checkboxes for the protection modules are available.
    Default: Enabled
    Note: Performance is better when Bypass All Modules is enabled (the Bypass All Modules checkbox is selected) than when the modules are enabled individually.

Bypass SYN Protection
    When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses SYN Protection inspection.
    Default: Enabled

Bypass Anti Scanning
    When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Anti-Scanning inspection.
    Default: Enabled

Bypass Signature Protection
    When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Signature Protection inspection.
    Default: Enabled

Bypass HTTP Flood
    When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses HTTP Flood inspection.
    Default: Enabled

Bypass Server Cracking
    When enabled, traffic from the specified source (that is, the source Network class or source IP address) bypasses Server Cracking inspection.
    Default: Enabled

Classification

Source Network
    The source of the packets that the rule uses.
    Values: A Network class displayed in the Classes tab; An IP address; any

Source Port
    The source Application Port class or application-port number that the rule uses.
    Values: An Application Port class displayed in the Classes tab; An application-port number; None

Destination Network
    The destination of the packets that the rule uses.
    Values: A Network class displayed in the Classes tab; An IP address; any

Destination Port
    The destination Application Port class or application-port number that the rule uses.
    Values: An Application Port class displayed in the Classes tab; An application-port number; None

Physical Ports
    The Physical Port class or physical port that the rule uses.
    Values: A Physical Port class displayed in the Classes tab; The physical ports on the device; None

VLAN Tag
    The VLAN Tag class that the rule uses.
    Values: A VLAN Tag class displayed in the Classes tab; None

Protocol
    The protocol of the traffic that the rule uses.
    Values: Any, GRE, ICMP, ICMPv6, IGMP, SCTP, TCP, UDP, L2TP, GTP, IP in IP
    Default: Any

Direction
    The direction of the traffic to which the rule relates.
    Values:
    One-directional - The rule applies to sessions originating from sources to destinations that match the network definitions of the rule.
    Bi-directional - The rule applies to sessions that match the network definitions of the rule regardless of their direction.
    Default: One-directional

Action

Action
    (Read-only) The action for a White List rule is always Bypass.

Configuring Black Lists


The Black List comprises the traffic that the device always blocks without inspection. You use the Black List as policy exceptions for security policies. This feature is not supported on management interfaces.

Enabling and Disabling the Packet Trace Feature for Black List Rules
You enable or disable the Packet Trace feature for all the Black List rules on the device. When the Packet Trace feature is enabled for Black Lists, the DefensePro device sends blacklisted packets to the specified physical port.

Notes:
- When this feature is enabled, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port).
- A change to the parameter takes effect only after you update policies.

To enable or disable the Packet Trace feature for all the Black List rules on the device

1. In the Configuration perspective ACL tab navigation pane, select Black List.
2. Select or clear the Packet Trace checkbox; and then, click (Submit) to submit the changes.


Configuring Black List Rules


The Black List module supports the Packet Trace feature. You enable or disable the feature globally, that is, for all of the Black List rules on the device.

To configure a Black List rule


1. In the Configuration perspective ACL tab navigation pane, select Black List.
2. To add or modify a black list rule, do one of the following:
   - To add a rule, click the (Add) button.
   - To edit a rule, double-click the entry in the table.
3. Configure the parameters; and then, click OK.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.

Table 109: Black List Rule Parameters

Parameter
Name

Description Identification
The name of the rule. Maximum characters: 29 Note: If a Security Group configured this Black List rule, the rule name is in the format <SecurityGroupName> hhmm $$$$, where hhmm is the time (hour and minutes) that Security Group configured the rule and $$$$ is a four-character hexadecimal hash of the event ID in the security-event trap.

Description Enable

The user-defined description of the rule. When selected, the rule is active. Default: Enabled

Document ID: RDWR-DP-V072000_UG1307

219

DefensePro User Guide Security Configuration

Table 109: Black List Rule Parameters

Parameter
Source Network

Description Classification
The source of the packets that the rule uses. Values: A Network class displayed in the Classes tab An IP address None any

Default: any Caution: If Traffic Exclusion is enabled, when you specify a Network class for Source Network, use the IP Mask Entry type. If Traffic Exclusion is enabled, when you specify a Network class for Source Network, DefensePro cannot block black list entries defined with the IP Range Entry type. Source Port The source Application Port class or application-port number that the rule uses. Values: Destination Network An Application Port class displayed in the Classes tab An application-port number None

The destination of the packets that the rule uses. Values: A Network class displayed in the Classes tab An IP address None any

Default: any Caution: If Traffic Exclusion is enabled, when you specify a Network class for Destination Network, use the IP Mask Entry type. If Traffic Exclusion is enabled, when you specify a Network class for Source Destination Network, DefensePro cannot block black list entries defined with the IP Range Entry type. Destination Port The destination Application Port class or application-port number that the rule uses. Values: Physical Ports An Application Port class displayed in the Classes tab An application-port number None

The Physical Port class or physical port that the rule uses. Values: A Physical Port class displayed in the Classes tab The physical ports on the device None

220

Document ID: RDWR-DP-V072000_UG1307

DefensePro User Guide Security Configuration

Table 109: Black List Rule Parameters

Parameter
VLAN Tag

Description
The existing VLAN Tag class for the rule. Values: A VLAN Tag class displayed in the Classes tab None

Protocol

The protocol of the traffic that the policy inspects. Values: Any GRE ICMP ICMPv6 IGMP SCTP TCP UDP IP in IP

Default: Any Direction The direction to which the rule relates. Values: One-directionalThe protection applies to sessions originating from sources to destinations that match the network definitions of the policy. Bi-directionalThe protection applies to sessions that match the network definitions of the policy regardless of their direction.

Default: One-directional

Dynamic Rule Parameters


Dynamic Specifies whether the rule implements the Expiration Timer. Default: Disabled Note: Changing the configuration of this option takes effect only after you update policies (click Activate Latest Changes). Entry Expiration Timer Specifies the hours and minutes remaining for the rule. Notes: The maximum Expiration Timer is two hours. The Expiration Timer can be used only with dynamic Black List rules. The Expiration Timer for a static Black List rule must be set to 0 (zero hours and zero minutes). When the rule expires (that is, when the Entry Expiration Timer elapses), the rule disappears from the Black List Policy table when the table refreshes.

Detector Security Module
  A DefensePro security module that can identify the root cause of the black list rule. This parameter has no effect on the device operation. If a Security Group configured this Black List rule, the Detector Security Module value displays the DefensePro security module of the Security Group Sender.
  Values:
  - Admin: The default value in the context of a user-defined, dynamic Black List rule.
  - Server Cracking: Displays if a Security Group configured this Black List rule and it was the Server Cracking module of the Security Group Sender that detected the threat.
  - Anti-Scan: Displays if a Security Group configured this Black List rule and it was the Anti-Scanning module of the Security Group Sender that detected the threat.
  - Vision Reporter
  - Connection Limit
  - Application Security
  - Syn Protection
  - HTTP Flood
  - Behavioral DoS
  - DNS Flood
  Default: Admin
  Note: For more information on Security Groups, see Managing DefensePro Security Groups, page 55.

Detector
  An IP address that can identify the root cause of the black list rule. This parameter has no effect on the device operation. If a Security Group configured this Black List rule, the Detector value displays the IP address of the Security Group Sender.
  Note: For more information on Security Groups, see Managing DefensePro Security Groups, page 55.

Action

Action
  (Read-only) The action for a Black List rule is always Drop.

Report
  Specifies whether the device issues traps for the rule.

Packet Report
  Specifies whether the device sends sampled attack packets to APSolute Vision for offline analysis.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Reporting).


Managing the ACL Policy


The Access Control List (ACL) module is a stateful firewall that enables you to configure a flexible and focused stateful access-control policy. You can modify and view the active ACL policy. You can also view ACL report summaries and the ACL log analysis.

ACL in DefensePro does not work on the physical management ports (MNG 1 and MNG 2).

When enabled and activated, the relevant ACL configuration takes precedence over the Session Table Aging parameter. For more information, see Configuring Session Table Settings, page 101.

To operate correctly, ACL needs to determine the direction of session packets. ACL determines packet direction as follows:
- TCP direction: According to the first SYN packet that creates a session.
- UDP direction: According to the first packet in the flow.
- ICMP direction: According to the ICMP message type (that is, reply or request type).
- Non-TCP, non-UDP and non-ICMP session direction: According to the first L3 (IP) packet in the flow.
- Non-IP direction: According to the first packet in the flow.

When ACL is enabled and activated, the device learns about the existing sessions for a specified amount of time (by default, 10 minutes). During this learning period, the device accepts all sessions regardless of any unknown direction. However, in the following cases, ACL treats the session according to the configured policies:
- A new TCP session starts with a SYN packet.
- A new ICMP session starts with a request packet.

Configuring the ACL feature involves the following steps:
1. Configuring Global ACL Policy Settings, page 223.
2. Configuring ACL Policy Rules, page 226.

Note: Enabling an ACL policy requires a device reboot.

Configuring Global ACL Policy Settings


Before you configure an ACL policy, ensure that the ACL feature is enabled.

Caution: In a high-availability (HA) setup, when you enable ACL on the primary device, you must reboot the device immediately. If you do not reboot, the secondary device may synchronize its configuration and reboot automatically, causing traffic sent to the secondary device to be blocked in the event of a switchover.

Notes:
- Enabling ACL requires a device reboot.
- When the ACL feature is disabled, you cannot view or configure ACL policies.


To configure global ACL settings


1. In the Configuration perspective ACL tab navigation pane, select ACL Policy > Global Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 110: Global ACL Parameters

Global Settings

Enable ACL
  Specifies whether the ACL feature is enabled. When you change this setting, the device requires an immediate reboot.
  Default: Disabled
  Caution: The default configuration of the Default ACL policy drops (that is, blocks) all traffic. Use the Default Policy Action parameter to specify the action of the Default ACL policy when the device reboots.

Default Policy Action
  The action of the Default ACL policy when the device reboots after selecting the Enable ACL checkbox. (This parameter is available only when the ACL feature is disabled.)
  Values:
  - Accept: When the device reboots after selecting the Enable ACL checkbox, the Default ACL policy accepts all traffic.
  - Drop: When the device reboots after selecting the Enable ACL checkbox, the Default ACL policy drops all traffic.
  - Current: When the device reboots after selecting the Enable ACL checkbox, the Default ACL policy uses the Action option that is currently specified.
  Default: Current
  Note: After clearing the Enable ACL checkbox and rebooting, the Default Policy Action option reverts to Current.

Learning Period
  The time, in seconds, the device takes to learn existing sessions before starting the protection. During the learning period, the device accepts all sessions regardless of any unknown direction. However, in the following cases, ACL treats the session according to the configured policies:
  - A new TCP session that starts with a SYN packet
  - A new ICMP session that starts with a request packet
  Values: 0 (the protection starts immediately), 1-4,294,967,295
  Default: 600

TCP Handshake Timeout
  The time, in seconds, the device waits for the three-way handshake to complete before the device drops the session.

TCP Timeout in Established State
  The time, in seconds, an idle session remains in the Session table. If the device receives packets for a timed-out, discarded session, the device considers the packets to be out-of-state and drops them.
  Values: 60-7200
  Default: 3600

TCP FIN Timeout
  The time, in seconds, the session remains in the Session table after the device receives a FIN packet from both sides (from the client and from the server).
  Values: 1-600
  Default: 10

TCP RST Timeout
  The time, in seconds, the session remains in the Session table after the device receives a TCP RST packet for the session.
  Values: 1-600
  Default: 30

TCP Mid Flow Mode
  Specifies what the device does with out-of-state packets.
  Values: Drop, Allow
  Default: Drop

TCP Reset Validation Mode
  Specifies the action that the device takes when RST packet validation fails (that is, the packet sequence number is not within the permitted range).
  Values: Drop, Allow, Report Only
  Default: Drop

UDP Timeout
  The time, in seconds, that the device keeps an idle UDP session open. After the timeout, the session is removed from the Session table.
  Values: 1-3600
  Default: 180

Unsolicited ICMP
  Specifies whether the ACL module permits unsolicited ICMP reply messages.

ICMP Timeout
  The time, in seconds, that the device keeps an idle ICMP session open. After the timeout, the session is removed from the Session table.
  Values: 1-300
  Default: 60

GRE Timeout
  The time, in seconds, that the device keeps an idle GRE session open. After the timeout, the session is removed from the Session table.
  Values: 1-7200
  Default: 3600

SCTP Timeout
  The time, in seconds, that the device keeps an idle SCTP session open. After the timeout, the session is removed from the Session table.
  Values: 1-7200
  Default: 3600

Other IP Protocols Timeout
  The time, in seconds, that the device keeps an idle session of other IP protocols (not UDP, not ICMP) open. After the timeout, the session is removed from the Session table.
  Values: 1-7200
  Default: 600

Report and Trace Settings

Interval for Sending Summary Reports
  The frequency, in seconds, at which the device produces ACL reports.
  Values: 1-600
  Default: 60

Send Reports Using SRP
  When enabled, the device sends ACL policy reports to the APSolute Vision server.
  Note: The Statistics Reporting Protocol (SRP) management host IP address must be configured to send ACL policy reports. For more information, see Configuring Advanced Settings, page 85.

Max Number of Report Traps
  The maximum number of detailed reports that the device generates per second.
  Values: 1-100
  Default: 10

Packet Trace
  Specifies whether the DefensePro device sends attack packets to the specified physical port.
  Default: Disabled
  Caution: When this feature is enabled here, for the feature to take effect, the global setting must be enabled (Configuration perspective, Advanced Parameters > Security Reporting Settings > Enable Packet Trace on Physical Port). In addition, a change to this parameter takes effect only after you update policies.
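The direction rules, learning period and Table 110 timeouts described above, as an added Python illustration that is not Radware's code or the device's implementation; the class and rule names, the handshake timeout value and the sample traffic are assumptions constructed for the example:

```python
"""Stateful session tracking modelled on the ACL behaviour described above: per-protocol
direction learning, the learning period, the Table 110 timeouts and TCP Mid Flow Mode.
Added illustration, not Radware code; names, the handshake timeout and all traffic are assumed."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str                      # "TCP", "UDP", "ICMP", "GRE", ...
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    flags: frozenset = frozenset()  # TCP flags among "SYN", "ACK", "FIN", "RST"
    icmp_type: str = ""             # "request" or "reply"

@dataclass
class Session:
    initiator: str                  # learned direction: the side that opened the flow
    state: str                      # TCP: handshake/established/fin/rst; others: open
    last_seen: float
    fin_from: set = field(default_factory=set)

def flow_key(p):
    return (p.proto,) + tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))  # direction-free

def first_match(rules, pkt, default="Drop"):
    # Rules are (index, protocol or "Any", destination port or None, action), examined
    # in ascending index order as Table 111 states for Rule Index.
    for _idx, proto, dport, action in sorted(rules, key=lambda r: r[0]):
        if proto in ("Any", pkt.proto) and dport in (None, pkt.dport):
            return action
    return default

class StatefulACL:
    def __init__(self, rules, start=0.0, learning_period=600, tcp_handshake_timeout=30,
                 tcp_established_timeout=3600, tcp_fin_timeout=10, tcp_rst_timeout=30,
                 udp_timeout=180, icmp_timeout=60, other_timeout=600,
                 mid_flow_mode="Drop", unsolicited_icmp=False):
        # Defaults follow Table 110; tcp_handshake_timeout=30 is assumed (no default on the page).
        self.rules, self.start, self.learning_period = rules, start, learning_period
        self.tcp_timeouts = {"handshake": tcp_handshake_timeout, "established": tcp_established_timeout,
                             "fin": tcp_fin_timeout, "rst": tcp_rst_timeout}
        self.idle, self.sessions = {"UDP": udp_timeout, "ICMP": icmp_timeout}, {}
        self.other_timeout, self.mid_flow_mode = other_timeout, mid_flow_mode
        self.unsolicited_icmp = unsolicited_icmp

    def _expire(self, now):
        for k, s in list(self.sessions.items()):
            limit = self.tcp_timeouts[s.state] if k[0] == "TCP" else self.idle.get(k[0], self.other_timeout)
            if now - s.last_seen > limit:
                del self.sessions[k]            # later packets for it are out-of-state

    def process(self, p, now):
        self._expire(now)
        k = flow_key(p)
        if k in self.sessions:
            return self._track(self.sessions[k], p, now)
        learning = now - self.start < self.learning_period
        # Direction is fixed by the opening packet: SYN (TCP), request (ICMP), first packet otherwise.
        if p.proto == "TCP" and not ("SYN" in p.flags and "ACK" not in p.flags):
            if learning:                        # existing session learned mid-flow
                self.sessions[k] = Session(p.src, "established", now)
                return "Accept"
            return "Accept" if self.mid_flow_mode == "Allow" else "Drop"   # out-of-state
        if p.proto == "ICMP" and p.icmp_type != "request":
            return "Accept" if (learning or self.unsolicited_icmp) else "Drop"
        if learning and p.proto not in ("TCP", "ICMP"):
            verdict = "Accept"                  # learning period accepts regardless of direction
        else:
            verdict = first_match(self.rules, p)   # a new SYN / ICMP request always meets the policy
        if verdict == "Accept":
            self.sessions[k] = Session(p.src, "handshake" if p.proto == "TCP" else "open", now)
        return verdict

    def _track(self, s, p, now):
        s.last_seen = now
        if p.proto == "TCP":
            if "RST" in p.flags:
                s.state = "rst"                 # kept only for TCP RST Timeout
            elif "FIN" in p.flags:
                s.fin_from.add(p.src)
                s.state = "fin" if len(s.fin_from) == 2 else s.state   # both FINs: TCP FIN Timeout
            elif s.state == "handshake" and p.src == s.initiator and p.flags == {"ACK"}:
                s.state = "established"         # third packet of the three-way handshake
        return "Accept"

def demo():
    """Constructed traffic; the learning period (600 s from start=0) has ended by t=1000."""
    rules = [(10, "TCP", 80, "Accept"), (20, "ICMP", None, "Accept"), (30, "Any", None, "Drop")]
    acl, c, s, x = StatefulACL(rules), "10.0.0.5", "10.0.0.1", "10.0.0.9"
    tcp = lambda src, dst, sp, dp, *fl: Packet("TCP", src, dst, sp, dp, frozenset(fl))
    out = {"learned_mid_flow": acl.process(tcp(x, s, 5555, 80, "ACK"), 100.0),
           "syn": acl.process(tcp(c, s, 40000, 80, "SYN"), 1000.0)}
    acl.process(tcp(s, c, 80, 40000, "SYN", "ACK"), 1000.1)
    acl.process(tcp(c, s, 40000, 80, "ACK"), 1000.2)
    out["mid_flow"] = acl.process(tcp(x, s, 6666, 80, "ACK"), 1001.0)
    out["unsolicited_reply"] = acl.process(Packet("ICMP", x, s, icmp_type="reply"), 1003.0)
    acl.process(Packet("ICMP", c, s, icmp_type="request"), 1004.0)
    out["solicited_reply"] = acl.process(Packet("ICMP", s, c, icmp_type="reply"), 1004.5)
    out["after_idle"] = acl.process(tcp(c, s, 40000, 80, "ACK"), 1000.2 + 3601)
    return out
```

TCP Reset Validation Mode (sequence-number checking of RST packets) is not modelled.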

Configuring ACL Policy Rules


Configure ACL policy rules to create a flexible and focused stateful access-control policy. You can activate and deactivate rules using predefined event schedules. For more information about configuring event schedules, see Configuring the Device Event Scheduler, page 105. Before you configure ACL rules, ensure that you have configured classes for the networks, physical port groups, and VLAN tag groups that you want to use in the rules. For more information, see Managing Classes, page 231.


To configure an ACL policy rule


1. In the Configuration perspective ACL tab navigation pane, select ACL Policy > Modify Policy.
2. To add or modify a policy rule, do one of the following:
   - To add a rule, click the (Add) button.
   - To edit a rule, double-click the entry in the table.
3. Configure the parameters.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.

Table 111: ACL Rule Parameters

Identification

Rule Name
  The name of the rule.
  Maximum characters:

Rule Index
  The index number for the rule. DefensePro examines policy rules according to the ascending order of index numbers.
  Values: 1-4,294,967,295

Enabled
  When selected, the rule is active.

Description
  The user-defined description of the rule.

Activate Schedule
  The predefined event schedule that activates the policy.
  Default: None

De-activate Schedule
  The predefined event schedule that de-activates the policy.
  Default: None

Report
  Specifies whether the device issues traps for the rule.

Classification

Protocol
  The protocol of the traffic that the policy inspects.
  Values: Any, TCP, UDP, GRE, L2TP, GTP, IPinIP, SCTP, ICMP, Other
  Default: Any

Source
  The existing source Network class of the packets that the policy inspects.
  Values: The Network classes displayed in the Classes tab, any, any_ipv4, any_ipv6, None
  Default: any

Destination
  The existing destination Network class of the packets that the policy inspects.
  Values: The Network classes displayed in the Classes tab, any, any_ipv4, any_ipv6, None
  Default: any

Physical Port Group
  The Physical Port class or physical port that the rule uses.
  Values: A Physical Port class displayed in the Classes tab, the physical ports on the device, None

VLAN Tag Group
  The existing VLAN Tag class for the rule.
  Values: The VLAN Tag classes displayed in the Classes tab, None
  Default: None

Service
  (This parameter is available only when TCP or UDP is selected for the Protocol parameter.) The Service for the rule. Services characterize traffic based on Layer 3-7 criteria. A Service is a configuration of a basic filter, which may combine with logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters). You can choose from a long list of predefined basic filters.

Action
  The action that the policy takes on packets that match the classification.
  Values: Accept, Drop, Drop + RST Source
  Default: Accept

ICMP Flags
  The ICMP flags in the packets that the policy inspects. DefensePro inspects only the packets with the selected flags. You can specify ICMP flags only when ICMP is the specified protocol.
  Values: Source Quench, TIME STAMP, Information, Address Mask, Alternate Host Address, Domain, Router Advertisement, Router Solicitation, Destination Unreachable, REDIRECT, Time Exceeded, Parameter Problem, Echo, Packet Too Big, Home Agent


Viewing Active ACL Policy Rules


You can view the active rules in the ACL policy configured on the device.

To view the active ACL rule configuration


In the Configuration perspective Classes tab navigation pane, select ACL Policies > Active Policy. The table displays details of the current ACL rules configured on the device. For information about ACL rule parameters, see Configuring ACL Policy Rules, page 226.


Chapter 6 Managing Classes


This chapter contains the following sections:
- Configuring Network Classes, page 231
- Configuring Service Classes, page 233
- Configuring Application Classes, page 240
- Configuring Physical Port Classes, page 242
- Configuring VLAN Tag Classes, page 242
- Configuring MAC Address Classes, page 243
- Viewing Active Class Configurations, page 244
- Configuring MPLS RD Groups, page 246

Classes define groups of elements of the same type of entity. You can configure classes based on the following:
- Networks, to classify traffic in a Network Protection policy/rule.
- Services, to classify traffic based on criteria for Layers 3-7. A Service is a configuration of a basic filter, which may combine with logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters).
- Application ports, to define or modify applications based on Layer 4 destination ports.
- Physical device ports, to classify traffic in a network-protection rule.
- VLAN tags, to classify traffic in a Network Protection policy/rule.
- MAC addresses, to classify traffic whose source or destination is a transparent network device.
- MPLS RDs, to classify traffic in a Network Protection policy/rule.

After you create or modify a class, the configuration is saved in the APSolute Vision database. You must activate the configuration to download it to the device. You can also view the current class configurations on your device. After creation, you cannot modify the name of a class, or the configuration of application, MAC, or physical port classes.

Configuring Network Classes


A network class is identified by a name and defined by a network address and mask, or by a range of IP addresses (from-to). For example, network net1 can be 10.0.0.0/255.0.0.0 and network net2 can be from 10.1.1.1 to 10.1.1.7; alternatively, network net1 can be 1234::0/32 and network net2 can be from 1234::0 to 1234:FFFF:FFFF:FFFF. The Network list allows either configuration. Using classes allows you to define a network comprised of multiple subnets and/or IP ranges, all identified with the same class name. For example, network net1 can be 10.0.0.0/255.255.255.0 and 10.1.1.1 to 10.1.1.7.

You can use network classes in the following:
- Black lists
- White lists
- Network-protection policies/rules to match source or destination traffic

Note: APSolute Vision often uses the term rule (or rules), whereas DefensePro uses the term policy (or policies).

To configure a network class


1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration > Networks.
2. To add or modify a network class, do one of the following:
   - To add a class, click the (Add) button.
   - To edit a class, double-click the entry in the table.
3. Configure the network class parameters.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.

Table 112: Network Class Parameters

Network Name
  The name of the network class. The network name is case-sensitive. The network name cannot be an IP address.

Network Type
  Values: IPv4, IPv6

Entry type
  Specifies whether the network is defined by a subnet and mask, or by an IP range.
  Values: IP Mask, IP Range

Network Address (For an IP Mask entry only)
  The network address.

Mask (For an IP Mask entry only)
  The mask of the subnet, which you can enter in either of the following ways:
  - A subnet mask in dotted decimal notation, for example, 255.0.0.0 or 255.255.0.0.
  - An IP prefix, that is, the number of mask bits, for example, 8 or 16.

From IP (For an IP Range entry only)
  The first IP address in the range.

To IP (For an IP Range entry only)
  The last IP address in the range.
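A network class built from the Table 112 entry types (IP Mask with a dotted-decimal mask or a prefix length, IP Range, IPv4 and IPv6) and looked up by address, as an added Python illustration that is not Radware's code; the class names and sample addresses are constructed, and the IPv6 range end is a constructed full address rather than the abbreviated form quoted in the text:

```python
"""Network classes as defined in Table 112: one class name groups IP Mask entries
(dotted-decimal mask or prefix length) and IP Range entries, IPv4 or IPv6.
Added illustration, not Radware code; names and sample addresses are constructed."""
import ipaddress

class NetworkClass:
    def __init__(self, name):
        # Table 112: the name is case-sensitive and cannot be an IP address.
        try:
            ipaddress.ip_address(name)
        except ValueError:
            pass
        else:
            raise ValueError(f"network name {name!r} cannot be an IP address")
        self.name = name
        self.masks = []    # IP Mask entries as ipaddress network objects
        self.ranges = []   # IP Range entries as (from_ip, to_ip)

    def add_mask(self, network_address, mask):
        """IP Mask entry; mask is dotted decimal such as 255.0.0.0 (IPv4) or a prefix length such as 8."""
        self.masks.append(ipaddress.ip_network(f"{network_address}/{mask}", strict=False))
        return self

    def add_range(self, from_ip, to_ip):
        """IP Range entry; both ends must share the Network Type and be in ascending order."""
        first, last = ipaddress.ip_address(from_ip), ipaddress.ip_address(to_ip)
        if first.version != last.version or first > last:
            raise ValueError("range ends must share an IP version and be ascending")
        self.ranges.append((first, last))
        return self

    def contains(self, ip):
        """True when any entry of the class (mask or range) covers ip."""
        addr = ipaddress.ip_address(ip)
        in_mask = any(addr in net for net in self.masks if net.version == addr.version)
        in_range = any(lo <= addr <= hi for lo, hi in self.ranges if lo.version == addr.version)
        return in_mask or in_range

def matching_classes(classes, ip):
    """Names of every class whose entries cover ip (a source/destination lookup)."""
    return [c.name for c in classes if c.contains(ip)]

def example_classes():
    """The classes described in the text, plus one class that mixes a mask and a range."""
    net1 = NetworkClass("net1").add_mask("10.0.0.0", "255.0.0.0")
    net2 = NetworkClass("net2").add_range("10.1.1.1", "10.1.1.7")
    net1_v6 = NetworkClass("net1_v6").add_mask("1234::0", 32)
    net2_v6 = NetworkClass("net2_v6").add_range("1234::0", "1234::FFFF:FFFF:FFFF")  # constructed end
    # One name, several entries: 10.0.0.0/24 plus the range 10.1.1.1 to 10.1.1.7.
    mixed = NetworkClass("mixed").add_mask("10.0.0.0", 24).add_range("10.1.1.1", "10.1.1.7")
    return [net1, net2, net1_v6, net2_v6, mixed]
```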

Configuring Service Classes


The ACL module can use Services to filter traffic. Services classify traffic based on criteria for Layers 3-7. A Service is a configuration of a basic filter, which may combine with logical operators to achieve more sophisticated filters (AND Group filters and OR Group filters). The ACL module supports a long list of predefined basic filters. A basic filter includes attributes that specify parameters such as protocol, application port, and content type. When the protocol of a basic filter is TCP or UDP, the filter can include a text string. You can configure Services separately from policies. When you configure a policy, you can associate it with an existing Service.

This section contains the following topics:
- Configuring Basic Filters, page 233
- Configuring AND Group Filters, page 239
- Configuring OR Group Filters, page 239

Configuring Basic Filters


The ACL module supports an extensive list of predefined basic filters (see Predefined Basic Filters, page 234). You can also configure your own basic filters. A basic filter includes the following components:

- Protocol: The specific protocol that the packet should carry. The choices are IP, TCP, UDP, ICMP, NonIP, ICMPV6, and SCTP. If the specified protocol is IP, all IP packets (including TCP and UDP) will be considered. When configuring TCP or UDP protocol, the following additional parameters are available:
  - Destination Port (From-To): Destination port number for that protocol. For example, for HTTP, the protocol would be configured as TCP and the destination port as 80. The port configuration can also allow for a range of ports to be configured.
  - Source Port (From-To): Similar to the destination port, the source port that a packet should carry in order to match the filter can be configured.

- Offset Mask Pattern Condition (OMPC): The OMPC is a means by which any bit pattern can be located for a match at any offset in the packet. This can aid in locating specific bits in the IP header, for example. TOS and Diff-serv bits are perfect examples of where OMPCs can be useful. It is not mandatory to configure an OMPC per filter. However, if an OMPC is configured, there should be an OMPC match in addition to a protocol (and source/destination port) match. In other words, if an OMPC is configured, the packet needs to match the configured protocol (and ports) and the OMPC.

- Content Specifications: When the protocol of a basic filter is TCP or UDP, you can search for any text string in the packet. Like OMPCs, a text pattern can be searched for at any offset in the packet. HTTP URLs are perfect examples of how a text search can help in classifying a session.

You can choose from the many types of configurable content, for example, URL, hostname, HTTP header field, cookie, mail domain, mail subject, file type, regular expression, text, and so on. When the content type is URL, for example, the module assumes the session to be HTTP with a GET, HEAD, or POST method. The module searches the URL following the GET/HEAD/POST to find a match for the configured text. In this case, the configured offset is meaningless, since the GET/HEAD/POST is in a fixed location in the HTTP header. If the content type is text, the module searches the entire packet for the content text, starting at the configured offset. By allowing a filter to take actual content of a packet/session into account, the module can recognize and classify a wider array of packets and sessions. Like OMPCs, Content Rules are not mandatory to configure. However, when a Content Rule exists in the filter, the packet needs to match the configured protocol (and ports), the OMPC (if one exists) and the Content Rule.

Predefined Basic Filters


DefensePro supports an extensive list of predefined basic filters. You cannot modify or delete predefined basic filters. For the list of predefined basic filters, see Appendix C - Predefined Basic Filters, page 337.

Configuring a Basic Filter

To configure a basic filter


1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration > Services > Basic Filters.
2. Do one of the following:
   - To add an entry to the table, click the (Add) button.
   - To edit an entry in the table, double-click the entry.
3. Configure the parameters; and then, click OK.

Table 113: Basic Filter Parameters

Name
  The name of the filter.

Protocol
  Values: IP, TCP, UDP, ICMP, NonIP, ICMPV6, SCTP
  Default: IP

Source App. Port
  The Layer-4 source port for TCP, UDP, or SCTP traffic.
  Values: dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp

Destination App. Port
  The Layer-4 destination port for TCP, UDP, or SCTP traffic.
  Values: dcerpc, dns, ftp, h225, http, https, imap, irc, ldap, ms-sql-m, ms-sql-s, msn, my-sql, oracle, ntp, pop3, priviledged-services, radius, rexec, rshell, rtsp, sccp (skinny), sip, smb, smtp, snmp, ssh, ssl, sunrpc, telnet, tftp

OMPC Offset Relative to
  Specifies the part of the packet to which the OMPC Offset is relative.
  Values: None, IPv4 Header, IPv6 Header, IP Data, L4 Data, ASN1, Ethernet, L4 Header

OMPC Offset
  The location in the packet where the data starts being checked for specific bits in the IP or TCP header.
  Values: 0-1513

OMPC Mask
  The mask for OMPC data. The value must be defined according to the OMPC Length parameter.
  Values: Must comprise eight hexadecimal symbols
  Default: 00000000

OMPC Pattern
  The fixed-size pattern within the packet that the OMPC rule attempts to find. The value must be defined according to the OMPC Length parameter. The OMPC Pattern must contain eight hexadecimal symbols. If the value for the OMPC Length parameter is smaller than Four Bytes, you need to pad the OMPC Pattern with zeros. For example, if OMPC Length is two bytes, the OMPC Pattern can be abcd0000.
  Values: Must comprise eight hexadecimal symbols
  Default: 00000000

OMPC Condition
  Values: None, Equal, Not Equal, Greater Than, Less Than
  Default: None

OMPC Length
  Values: None, One Byte, Two Bytes, Three Bytes, Four Bytes
  Default: None

Content Offset
  The location in the packet at which the checking of content starts.
  Values: 0-1513

Content
  The value of the content search.
  Values: < space > ! " # $ % & ' ( ) * + , - . / 0-9 : ; < = > ? @ A-Z [ \ ] ^ _ ` a-z { | } ~

Content Type
  The specific content type to search for.
  Values:
  - None
  - URL: A URL in the HTTP request URI.
  - Text: Text anywhere in the packet.
  - Normalized URL: A normalized URL in the HTTP request URI.
  - POP3 User: The POP3 User field in the POP3 header.
  - URI Length: Filters according to URI length.
  - FTP Command: Parses FTP commands to commands and arguments, while normalizing FTP packets and stripping Telnet opcodes.
  - FTP Content: Scans the data transmitted using FTP, normalizes FTP packets and strips Telnet opcodes.
  - Generic Url: The generic URL in the HTTP Request URI. No normalization procedures are taken. GET/HEAD/POST is not required when this type is selected. This is applicable for protocols like SIP, BitTorrent, and so on.
  - Generic Header: In the HTTP Request URI. No normalization procedures are taken. GET/HEAD/POST is not required when this type is selected. This is applicable for protocols like SIP, BitTorrent, and so on.
  - Generic Cookie: In the HTTP Request URI. No normalization procedures are taken. GET/HEAD/POST is not required when this type is selected. This is applicable for protocols like SIP, BitTorrent, and so on.
  - Hostname: A hostname in the HTTP header. The host names in the Hostname List of an L7 Policy are not algorithmically related to a host name configured for a basic filter.
  - Header Field: A header field in the HTTP header.
  - Expression: Text anywhere in the packet represented by a regular expression specified in the Content field.
  - Mail Domain: The Mail Domain in the SMTP header.
  - Mail To: The Mail To SMTP header.
  - Mail From: The Mail From SMTP header.
  - Mail Subject: The Mail Subject SMTP header.
  - File Type: The type of the requested file in the HTTP GET command (for example, JPG, EXE, and so on).
  - Cookie: The HTTP cookie field. The Content field includes the cookie name, and the Content Data field includes the cookie value.
  Default: None

Content End Offset
  The location in the packet at which the checking of content ends.
  Values: 0-1513

Content Data
  Refers to the search for the content within the packet.

Content Coding
  The encoding type of the content to search for (as specified in the Content field).
  Values: None, Case Insensitive, Case Sensitive, HEX, International
  Default: None
  Note: The value of this field corresponds to the Content Type parameter.

Content Data Coding
  The encoding type of the content data to search for (as specified in the Content Data field).
  Values: None, Case Insensitive, Case Sensitive, HEX, International
  Default: None
  Note: The value of this field corresponds to the Content Type parameter.

Description
  A description of the filter.

Session Type
  The specific session type to search for.
  Values: None, Ftp Control, Ftp Data, Ftp All, Tftp Control, Tftp Data, Tftp All, Rshell Control, Rshell Data, Rshell All, Rexec Control, Rexec Errors, Rexec All, H225 Control, H245 session, H225 All, SIP Signal, SIP Media Control, SIP Audio, SIP All
  Default: None

Session Type Direction
  The specific direction of the specified session type to search for.
  Values: All, Request, Reply
  Default: None


Configuring AND Group Filters


An AND Group filter is a combination of basic filters with a logical AND between them. The ACL module supports a set of predefined, static AND Groups. You can use APSolute Vision to configure your own AND Group filters. You cannot modify or delete predefined AND Groups.

Example
The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as: AF1 = {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three filters (F1, F2, and F3).

Caution: If you modify the configuration of a filter that is used in an existing and enabled policy, you need to activate the latest changes.

To configure an AND Group filter


1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration > Services > AND Groups.
2. Do one of the following:
   - To add an entry to the table, click the (Add) button.
   - To edit an entry in the table, double-click the entry.
3. Configure the parameters; and then, click OK.

Table 114: AND Group Parameters

AND Group Name
  The name of the AND Group.

Basic Filter Name
  The basic filter for this AND Group.

AND Group Type
  (Read-only)
  Values:
  - Static: The AND Group is predefined.
  - Regular: The AND Group is user-defined.

Configuring OR Group Filters


An OR Group Filter is a combination of basic filters and/or AND filters with a logical OR between them. The ACL module supports a set of predefined, static OR Groups. The predefined OR Group Filters are based on the predefined basic filters. You can use APSolute Vision to configure OR Groups using basic filters or AND Groups. You cannot modify or delete predefined OR Groups.


Example
The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as: AF1 = {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three filters (F1, F2, and F3). Filter FG1 is user-defined as: FG1 = {AF1 OR F4 OR F6}. In order for a packet to match FG1, the packet must match either filter AF1, basic filter F4, or basic filter F6. Use the Modify OR Groups Table pane to create, modify, and delete the OR Group filters.

Note: You cannot modify or delete predefined OR Groups.

Caution: If you modify the configuration of a filter that is used in an existing and enabled policy, you need to activate the latest changes.
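The basic-filter components described in Configuring Basic Filters (protocol, destination ports, an OMPC on the TOS byte, Text content) combined into the AF1 and FG1 groups from the examples above, as an added Python illustration that is not Radware's code; the class names, the IPv4-only packet layout and the sample packets are assumptions constructed for the example:

```python
"""Basic filters (protocol, destination port range, OMPC and Text content) combined into
AND Group and OR Group filters, as described in Configuring Basic Filters and the group
examples above.  Added illustration, not Radware code; the classes, the IPv4-only packet
model and all sample packets are assumptions/constructed."""
import struct
from dataclasses import dataclass

PROTO_NUM = {"TCP": 6, "UDP": 17, "ICMP": 1, "SCTP": 132}

@dataclass(frozen=True)
class Packet:
    raw: bytes  # IPv4 header + L4 header + L4 data; this model carries no Ethernet header

    def base(self, relative_to):
        """Start of an 'OMPC Offset Relative to' region (IPv4 Header, IP Data, L4 Header, L4 Data)."""
        l4 = (self.raw[0] & 0x0F) * 4                       # IHL gives the IPv4 header length
        l4_len = {6: (self.raw[l4 + 12] >> 4) * 4, 17: 8, 1: 8}.get(self.raw[9], 0)
        return {"IPv4 Header": 0, "IP Data": l4, "L4 Header": l4, "L4 Data": l4 + l4_len}[relative_to]

@dataclass(frozen=True)
class OMPC:
    relative_to: str
    offset: int
    mask: str         # eight hexadecimal symbols (Table 113)
    pattern: str      # eight hexadecimal symbols, zero-padded when length is under four bytes
    condition: str    # Equal / Not Equal / Greater Than / Less Than
    length: int       # 1..4 bytes
    def matches(self, pkt):
        if len(self.mask) != 8 or len(self.pattern) != 8:
            raise ValueError("OMPC Mask and OMPC Pattern must comprise eight hexadecimal symbols")
        start = pkt.base(self.relative_to) + self.offset
        data = pkt.raw[start:start + self.length]
        if len(data) < self.length:
            return False                                    # field lies past the end of the packet
        mask = bytes.fromhex(self.mask)[:self.length]
        want = bytes.fromhex(self.pattern)[:self.length]
        lhs = int.from_bytes(bytes(d & m for d, m in zip(data, mask)), "big")
        rhs = int.from_bytes(bytes(w & m for w, m in zip(want, mask)), "big")
        return {"Equal": lhs == rhs, "Not Equal": lhs != rhs,
                "Greater Than": lhs > rhs, "Less Than": lhs < rhs}[self.condition]

@dataclass(frozen=True)
class BasicFilter:
    name: str
    protocol: str = "IP"          # "IP" considers every IP packet, TCP and UDP included
    dst_ports: tuple = None       # (from, to) for TCP/UDP/SCTP
    ompc: OMPC = None
    content: str = None           # Content Type "Text", Case Sensitive coding, from content_offset
    content_offset: int = 0
    def matches(self, pkt):
        if self.protocol != "IP" and pkt.raw[9] != PROTO_NUM[self.protocol]:
            return False
        if self.dst_ports is not None:
            dport = struct.unpack_from("!H", pkt.raw, pkt.base("L4 Header") + 2)[0]
            if not self.dst_ports[0] <= dport <= self.dst_ports[1]:
                return False
        if self.ompc is not None and not self.ompc.matches(pkt):
            return False                                    # protocol/ports AND the OMPC must match
        if self.content is not None and self.content.encode() not in pkt.raw[self.content_offset:]:
            return False                                    # ... AND the Content Rule
        return True

@dataclass(frozen=True)
class AndGroup:
    name: str
    members: list                 # basic filters; every member must match
    def matches(self, pkt):
        return all(f.matches(pkt) for f in self.members)

@dataclass(frozen=True)
class OrGroup:
    name: str
    members: list                 # basic filters and/or AND Groups; any member may match
    def matches(self, pkt):
        return any(f.matches(pkt) for f in self.members)

def make_packet(proto, dscp, sport, dport, payload):
    """Constructed IPv4 packet with a minimal UDP or TCP header (checksums left at zero)."""
    if proto == "UDP":
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    else:  # TCP: data offset 5 (20-byte header), flags PSH+ACK
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, dscp << 2, 20 + len(l4) + len(payload), 0, 0,
                     64, PROTO_NUM[proto], 0, bytes([10, 0, 0, 5]), bytes([10, 0, 0, 1]))
    return Packet(ip + l4 + payload)

# F1: SIP over UDP.  F2: DSCP EF, i.e. TOS byte 0xb8 under mask 0xfc, one byte into the IPv4
# header.  F3: the text INVITE at the start of the L4 data (offset 28 = 20-byte IP + 8-byte UDP).
F1 = BasicFilter("F1", "UDP", dst_ports=(5060, 5060))
F2 = BasicFilter("F2", ompc=OMPC("IPv4 Header", 1, "fc000000", "b8000000", "Equal", 1))
F3 = BasicFilter("F3", "UDP", content="INVITE", content_offset=28)
F4 = BasicFilter("F4", "TCP", dst_ports=(80, 80))
F6 = BasicFilter("F6", "ICMP")
AF1 = AndGroup("AF1", [F1, F2, F3])       # AF1 = {F1 AND F2 AND F3}
FG1 = OrGroup("FG1", [AF1, F4, F6])       # FG1 = {AF1 OR F4 OR F6}

def classify(pkt):
    """Which of the example filters and groups the packet matches."""
    return {f.name: f.matches(pkt) for f in (F1, F2, F3, AF1, F4, F6, FG1)}
```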

To configure an OR Group filter


1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration > Services > OR Groups.
2. Do one of the following:
   - To add an entry to the table, click the (Add) button.
   - To edit an entry in the table, double-click the entry.
3. Configure the parameters; and then, click OK.

Table 115: OR Group Parameters

OR Group Name
  The name of the OR Group.

Filter Name
  The filter for this OR Group, which can be a Basic filter or an AND Group.

Filter Type
  Values: Basic Filter, AND Group

OR Group Type
  (Read-only)
  Values:
  - Static: The OR Group is predefined.
  - Regular: The OR Group is user-defined.

Configuring Application Classes


Application classes are groups of Layer-4 ports for UDP and TCP traffic. Each class is identified by its unique name, and you can define multiple Layer-4 ports in a single class. You cannot modify the predefined application classes for standard applications; however, you can add entries for the class. You can add and modify user-defined classes to the Application Port Group table.


To configure an application class


1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration > Applications.
2. To add or modify an application class, do one of the following:
   - To add a class, click the (Add) button.
   - To edit a class, double-click the entry in the table.
3. Configure application class parameters.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.

Table 116: Application Class Parameters

Ports Group Name
    The name of the Application Port Group. To associate a number of ranges with the same port group, use the same name for all the ranges that you want to include in the group. Each range appears as a separate row with the same name in the Application Port Group table.
Type of Entry
    (Read-only) Values: System Defined, User Defined
From L4 Port
    The first port in the range.
To L4 Port
    The last port in the range. To define a group with a single port, set the same value for the From L4 Port and To L4 Port parameters.


Configuring Physical Port Classes


You can define network segments using definitions of physical ports. Use physical port classes to classify traffic according to physical ports in security policy rules.

To configure a physical port class


1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration > Physical Port Groups.
2. To add or modify a physical port class, do one of the following:
   - To add a class, click the (Add) button.
   - To edit a class, double-click the entry in the table.
3. Enter a name for the physical port class, and select the inbound port to be associated with it.
4. Click OK.
5. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.

Configuring VLAN Tag Classes


You can define network segments using VLAN tags. Use VLAN tag classes (groups) to classify traffic according to VLAN tags in security policy rules. Each DefensePro device supports a maximum of 64 VLAN Tag groups. Each VLAN Tag group can contain a maximum of 32 discrete tags and 32 ranges. That is, in effect, each managed device supports up to 64² definitions.

To configure a VLAN tag class


1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration > VLAN Tags.
2. To add or modify a VLAN tag group class, do one of the following:
   - To add a class, click the (Add) button.
   - To edit a class, double-click the entry in the table.
3. Configure VLAN tag group class parameters.
4. To activate your configuration changes on the device, click Activate Latest Changes.


Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.

Table 117: VLAN Tag Group Class Parameters

VLAN Tags Group Name
    The name of the VLAN group.
Group Mode
    The VLAN mode. Values:
    Discrete: An individual VLAN tag, as defined in the interface parameters of the device.
    Range: A group of sequential VLAN tag numbers, as defined in the interface parameters of the device.
VLAN Tag (Discrete mode only)
    The VLAN tag number.
VLAN Tag From (for Range mode only)
    The first VLAN tag in the range. You cannot modify this field after creating the VLAN group.
VLAN Tag To (for Range mode only)
    The last VLAN tag in the range.
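How basic filters, AND Groups and OR Groups compose, and how application port classes and VLAN tag groups feed into them, is easiest to see as code. The following is an added example and is not Radware code or DefensePro's matching engine: it models the AF1 = {F1 AND F2 AND F3} / FG1 = {AF1 OR F4 OR F6} example from Configuring OR Group Filters, the From L4 Port == To L4 Port rule for a single-port application class, the 32-discrete-tag and 32-range limits per VLAN group, and the rule that predefined (static) OR Groups cannot be modified. The packet field names (proto, l4_port, vlan), the filter names and the port and tag values are constructed assumptions.

```python
"""Model of how traffic classes compose into AND and OR filter groups.

Added example, not Radware code. Packet field names, filter names and the
predicate model are assumptions for illustration; the VLAN group limits and
the From == To rule for a single-port application class come from the manual.
"""
from typing import Callable, Dict, List, Set, Tuple

Packet = Dict[str, int]          # constructed packet: proto, l4_port, vlan
Filter = Callable[[Packet], bool]
MAX_VLAN_DISCRETE, MAX_VLAN_RANGES = 32, 32


class AppPortGroup:
    """Application class: one or more L4 port ranges under a single group name."""
    def __init__(self) -> None:
        self.ranges: List[Tuple[int, int]] = []

    def add_range(self, from_port: int, to_port: int) -> None:
        # A single port is expressed as From L4 Port == To L4 Port.
        if not 0 <= from_port <= to_port <= 65535:
            raise ValueError(f"bad port range {from_port}-{to_port}")
        self.ranges.append((from_port, to_port))

    def matches(self, port: int) -> bool:
        return any(lo <= port <= hi for lo, hi in self.ranges)


class VlanTagGroup:
    """VLAN tag class: discrete tags plus ranges, each capped at 32 per group."""
    def __init__(self) -> None:
        self.discrete: Set[int] = set()
        self.ranges: List[Tuple[int, int]] = []

    def add_discrete(self, tag: int) -> None:
        if len(self.discrete) >= MAX_VLAN_DISCRETE or not 1 <= tag <= 4094:
            raise ValueError(f"cannot add discrete tag {tag}")
        self.discrete.add(tag)

    def add_range(self, tag_from: int, tag_to: int) -> None:
        if len(self.ranges) >= MAX_VLAN_RANGES or not 1 <= tag_from <= tag_to <= 4094:
            raise ValueError(f"cannot add range {tag_from}-{tag_to}")
        self.ranges.append((tag_from, tag_to))

    def matches(self, tag: int) -> bool:
        return tag in self.discrete or any(lo <= tag <= hi for lo, hi in self.ranges)


class FilterTable:
    """Basic filters, AND groups (all members match) and OR groups (any member matches)."""
    def __init__(self) -> None:
        self.filters: Dict[str, Filter] = {}
        self.static: Set[str] = set()      # predefined OR groups are read-only

    def basic(self, name: str, pred: Filter) -> None:
        self.filters[name] = pred

    def and_group(self, name: str, members: List[str]) -> None:
        preds = [self.filters[m] for m in members]   # KeyError if a member is undefined
        self.filters[name] = lambda pkt: all(p(pkt) for p in preds)

    def or_group(self, name: str, members: List[str], static: bool = False) -> None:
        if name in self.static:
            raise PermissionError(f"OR group {name} is predefined and cannot be modified")
        preds = [self.filters[m] for m in members]
        self.filters[name] = lambda pkt: any(p(pkt) for p in preds)
        if static:
            self.static.add(name)

    def matches(self, name: str, pkt: Packet) -> bool:
        return self.filters[name](pkt)


def build_demo_table() -> FilterTable:
    """Constructed table mirroring AF1 = {F1 AND F2 AND F3} and FG1 = {AF1 OR F4 OR F6}."""
    web = AppPortGroup()
    web.add_range(80, 80)                 # single port: From == To
    web.add_range(8080, 8089)
    dmz = VlanTagGroup()
    dmz.add_discrete(100)
    dmz.add_range(200, 299)
    t = FilterTable()
    t.basic("F1", lambda p: p["proto"] == 6)                           # TCP
    t.basic("F2", lambda p: web.matches(p["l4_port"]))                 # web ports
    t.basic("F3", lambda p: dmz.matches(p["vlan"]))                    # DMZ VLANs
    t.basic("F4", lambda p: p["proto"] == 17 and p["l4_port"] == 53)   # UDP/53
    t.basic("F6", lambda p: p["proto"] == 1)                           # ICMP
    t.and_group("AF1", ["F1", "F2", "F3"])
    t.or_group("FG1", ["AF1", "F4", "F6"])
    return t
```

Because an AND Group fails as soon as one member fails and an OR Group succeeds as soon as one member succeeds, a packet that is TCP on a web port but on a VLAN outside the group does not match AF1, yet the same packet would still match FG1 if it were ICMP or UDP/53. Group definitions are resolved when the group is created, so a basic filter must exist before it is referenced, which mirrors the order in which the manual has you configure basic filters, then AND Groups, then OR Groups.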

Configuring MAC Address Classes


MAC groups identify traffic whose source or destination is a transparent network device.

To configure a MAC address class


1. In the Configuration perspective Classes tab navigation pane, select Modify Configuration > MAC Addresses.
2. To add or modify a MAC address class, do one of the following:
   - To add a class, click the (Add) button.
   - To edit a class, double-click the entry in the table.
3. Enter a name for the MAC group and the MAC address associated with the group. Click OK.
4. To activate your configuration changes on the device, click Activate Latest Changes.

Tip: You can update all configuration policies on the device in a single operation. For more information, see Updating Policy Configurations on a DefensePro Device, page 256.


Viewing Active Class Configurations


You can view the active class configurations that are configured on the device. This section contains the following topics:
- Viewing the Active Network Class Configuration, page 244
- Viewing the Active Service Class Configurations, page 244
- Viewing the Active Application Class Configuration, page 245
- Viewing the Active MAC Address Class Configuration, page 246
- Viewing the Active Physical Port Class Configuration, page 246
- Viewing the Active VLAN Tag Class Configuration, page 246

Viewing the Active Network Class Configuration


You can view the active network classes that are configured on the device.

To view the active network class configuration


In the Configuration perspective Classes tab navigation pane, select Active Configuration > Networks. The table displays details of the current configuration of all the network classes on the device. For information about network class parameters, see Configuring Network Classes, page 231.

Viewing the Active Service Class Configurations


You can view active Services and the configuration of each.

Viewing the Active Basic Filter Configuration

To view the active configuration of a basic filter


1. In the Configuration perspective Classes tab navigation pane, select Active Configuration > Services > Basic Filters. The table displays some details of the current configuration of all the basic filters.
2. To view the entire configuration, double-click the row.

Note: For information about basic filters, see Configuring Basic Filters, page 233.


Viewing the Active AND Group Configuration

To view the active configuration of an AND Group


1. In the Configuration perspective Classes tab navigation pane, select Active Configuration > Services > AND Groups. The table displays some details of the current configuration of all the AND Groups.
2. To view the entire configuration, double-click the row.

Note: For information about AND Groups, see Configuring AND Group Filters, page 239.

Viewing the Active OR Group Configuration

To view the active configuration of an OR Group


1. In the Configuration perspective Classes tab navigation pane, select Active Configuration > Services > OR Groups. The table displays some details of the current configuration of all the OR Groups.
2. To view the entire configuration, double-click the row.

Note: For information about OR Groups, see Configuring OR Group Filters, page 239.

Viewing the Active Application Class Configuration


You can view the active Application Port Group classes that are configured on the device.

To view the active application class configuration


In the Configuration perspective Classes tab navigation pane, select Active Configuration > Applications. The table displays details of the current configuration of all the Application Port Groups on the device. For information about Application Port Group parameters, see Configuring Application Classes, page 240.


Viewing the Active Physical Port Class Configuration


You can view the active physical port group classes that are configured on the device.

To view the active physical port group class configuration


In the Configuration perspective Classes tab navigation pane, select Active Configuration > Physical Port Groups. The table displays details of the current configuration of all the physical port groups on the device.

Viewing the Active VLAN Tag Class Configuration


You can view the active VLAN tag classes that are configured on the device.

To view the active VLAN tag class configuration


In the Configuration perspective Classes tab navigation pane, select Active Configuration > VLAN Tags. The table displays details of the current configuration of all the VLAN tag classes on the device. For information about VLAN tag class parameters, see Configuring VLAN Tag Classes, page 242.

Viewing the Active MAC Address Class Configuration


You can view the active MAC address classes that are configured on the device.

To view the active MAC Address class configuration


In the Configuration perspective Classes tab navigation pane, select Active Configuration > MAC Addresses. The table displays details of the current configuration of all the MAC address classes on the device.

Configuring MPLS RD Groups


To achieve faster switching in VPNs over Multi-protocol Label Switching (MPLS) networks, a route distinguisher (RD) is used for each packet. If a DefensePro device is installed on a link where it can listen to Border Gateway Protocol (BGP) and LDP signaling, you can configure policies on the device using MPLS RDs. An RD is an address qualifier used only within a single Internet service provider's Multi-Protocol Label Switching (MPLS) network. It is used to uniquely define MPLS Virtual Routing and Forwarding (VRF) and to distinguish the distinct Virtual Private Network (VPN) routes of separate customers who connect to the provider.

You can define the segment that you want to protect using MPLS RDs. DefensePro detects the MPLS RD values when installed between P (provider) and PE (provider edge) routers in the provider's MPLS backbone. Only the packets that match the MPLS RD value of this segment are inspected by the policy.

Note: To use MPLS RD, you must enable MPLS RD and configure the MPLS RD groups.

To configure MPLS RD groups


1. In the Configuration perspective Classes tab navigation pane, select MPLS RD.
2. Do one of the following:
   - To add an MPLS RD group, click the (Add) button.
   - To edit an MPLS RD group, double-click the group name.
3. Configure the MPLS RD group parameters and click OK.

Table 118: MPLS RD Group Parameters

Group Name
    A user-defined name for the MPLS RD group.
MPLS RD
    The MPLS RD value, entered manually in the format selected in Type.
Type
    Describes the MPLS RD format. Values: 2 Bytes : 4 Bytes, 4 Bytes : 2 Bytes, IP Address : 2 Bytes


Chapter 7 Managing Device Operations and Maintenance


Use the APSolute Vision Monitoring perspective for the following operation and maintenance tasks for managed devices:
- Rebooting a DefensePro Device, page 249
- Shutting Down a DefensePro Device, page 250
- Viewing and Setting Device Date and Time, page 250
- Upgrading Device Software, page 250
- Downloading a Device's Log File to the APSolute Vision Client, page 252
- Updating a Radware Signature File or RSA Signature File, page 252
- Downloading a Technical Support File to the APSolute Vision Client, page 253
- Managing DefensePro Device Configurations, page 254
- Updating Policy Configurations on a DefensePro Device, page 256
- Checking Device Memory Availability, page 256
- Resetting the Baseline for DefensePro, page 257
- Enabling and Disabling Interfaces, page 257
- Scheduling APSolute Vision and Device Tasks, page 258

Rebooting a DefensePro Device


Some configuration changes on the device require a device reboot for the configuration to take effect. This is indicated by a Reboot required notification in the Properties pane. You can activate the device reboot from APSolute Vision.

Note: You can schedule device reboots in the APSolute Vision scheduler. For more information, see Configuring Tasks in the Scheduler, page 259.

To reboot a DefensePro device


1. In the Monitoring perspective system pane, right-click the device name and select Reboot.
2. Click Yes in the Confirmation Required dialog box.


Shutting Down a DefensePro Device


You can activate a device shutdown from APSolute Vision.

To shut down a DefensePro device


1. In the Monitoring perspective system pane, right-click the device name and select Shutdown.
2. Click Yes in the Confirmation Required dialog box.

Viewing and Setting Device Date and Time


You can view the current date and time on a DefensePro device and you can change its date and time setting. The following procedure does not apply to Alteon devices.

To view the date and time on a DefensePro device


In the Monitoring perspective system pane, right-click the device name and select Show Date & Time.

Note: The date and time display is a snapshot only. It does not change if the dialog box is left open.

To change the date and time on a DefensePro device


1. In the Monitoring perspective system pane, right-click the device name and select Set Date and Time.
2. Set the date and/or time as required, and click OK.

Upgrading Device Software


You can upgrade the software version on DefensePro devices from APSolute Vision. A device upgrade enables the new features and functions on the device without altering the existing configuration. In exceptional circumstances, new software versions are incompatible with legacy configuration files from earlier software versions. This most often occurs when attempting to upgrade from a very old version to the most recently available version.

The software version file must be located on the APSolute Vision client system. APSolute Vision automatically transfers it to the APSolute Vision server and uploads it to the device. New software versions require a password, which can be obtained from the Radware corporate Web site. For a maintenance-only upgrade, the password is not required. After the device upgrade is complete, you must reboot the device.

Caution: Before upgrading to a newer software version, do the following:
- Back up the existing configuration file. For more information, see Downloading a Device's Configuration File, page 255.
- Ensure that you have configured on the device the authentication details for the protocol used to upload the file.

The following procedure does not apply to Alteon devices.

To update the device software version


1. In the Monitoring perspective system pane, right-click the device name and select Manage Software Versions.
2. Configure software upgrade parameters, and click OK.
3. When the device upgrade is complete, reboot the device.

Table 119: Software Upgrade Parameters

Upload Via
    (Read-only in APSolute Vision 2.10 and later) The protocol used to upload the software file from APSolute Vision to the device. Value: HTTPS
File Name
    The name of the file to upload.
Software Version
    The software version number as specified in the new software documentation.
Password
    Enter the password received with the new software version, and verify. The password is case sensitive.


Downloading a Device's Log File to the APSolute Vision Client


You can download a DefensePro device's log file to the APSolute Vision client system. The log file is automatically generated by the device and contains a report of configuration errors. The log file can be used for debugging. The following procedure does not apply to Alteon devices.

To download a device log file


1. In the Monitoring perspective system pane, right-click the device name and select Export Log File.
2. Configure download parameters, and click OK.

Table 120: Device Log File Download Parameters

Download Via
    (Read-only in APSolute Vision 2.10 and later) The protocol used to download the log file. Value: HTTPS
Save As
    Save the downloaded log file as a text file on the client system. Enter or browse to the location of the saved log file, and select or enter a file name.

Updating a Radware Signature File or RSA Signature File


You can upload an updated Radware signature file or RSA signature file to a DefensePro device. You can upload an updated Radware signature file to a DefensePro device from the following sources:
- Radware.com or the proxy file server that is configured in the Vision Server Connection configuration. The Alerts pane displays a success or failure notification and whether the operation was performed using a proxy server.
- APSolute Vision client system. The name of the signature file on the client system must be DEVICE-MAC-ADDRESS.sig.

Note: You can schedule Signature File updates in the APSolute Vision scheduler. For more information, see Configuring Tasks in the Scheduler, page 259.


To update the signature file of a device


1. In the Monitoring perspective system pane, right-click the device name and select Update Security Signature.
2. Configure the parameters, and click OK.

Table 121: Update Device Signature File Parameters

Signature Type
    The type of the signature file to upload to the device. Values: Radware Signatures, RSA Signatures
Update From
    The location of the signature file to upload. Values:
    Radware.com: APSolute Vision uploads the signature file directly from Radware.com or from the proxy server that is configured in the Vision Server Connection configuration.
    Client: APSolute Vision uploads the signature file from the APSolute Vision client system. This option is only available for Radware signatures.
Upload Via
    The protocol used to upload the signature file. Values: HTTP, HTTPS, TFTP
File Name (This parameter is displayed only when Update From Client is selected)
    Name of the signature file on the client system.

Downloading a Technical Support File to the APSolute Vision Client


For debugging purposes, a DefensePro device can generate a TAR file containing the technical information that Radware Technical Support requires. The file includes output of various CLI commands; for example, a printout of the Client table. You can download a DefensePro device's technical support file to the APSolute Vision client system and send it to Radware Support. The following procedure does not apply to Alteon devices.

Note: If you encounter a problem with the APSolute Vision server or the APSolute Vision client (as opposed to the DefensePro device), see the APSolute Vision User Guide.


To download a device's technical support file


1. In the Monitoring perspective system pane, right-click the device name and select Export Tech Support File.
2. Configure download parameters, and click OK.

Table 122: Device Technical Support File Download Parameters

Download Via
    (Read-only in APSolute Vision 2.10 and later) The protocol used to download the technical support file. Value: HTTPS
Save As
    Save the downloaded technical support file as a text file on the client system. Enter or browse to the location of the saved file, and select or enter a file name.

Managing DefensePro Device Configurations


This section describes how to manage configurations of the DefensePro devices that are configured in the APSolute Vision server.

Configuration File Content


The configuration file content is divided into two sections:
- Commands that require rebooting the device. These include Application Security status, Device Operation Mode, tuning parameters, and so on. Copying and pasting a command from this section takes effect only after the device is rebooted. The section has the heading: The following commands will take effect only once the device has been rebooted!
- Commands that do not require rebooting the device. Copying and pasting a command from this section takes effect immediately after pasting. The commands in the section are not bound to SNMP. The section has the heading: The following commands take effect immediately upon execution!


The commands are printed within each section in the order of implementation. At the end of the file, the device prints the signature of the configuration file. This signature is used to verify the authenticity of the file and that it has not been corrupted. The signature is validated each time the configuration file is uploaded to the device. If the validity check fails, the device accepts the configuration, but a notification is sent to the user that the configuration file has been tampered with and there is no guarantee that it works. The signature looks like: File Signature: 063390ed2ce0e9dfc98c78266a90a7e4.
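Anyone who scripts configuration backups and restores will want to handle the two-section layout and the signature line programmatically. The following is an added example, not Radware code: it splits an exported file on the two section headings quoted above, extracts the File Signature line, and, because the manual says a device still accepts a file whose signature check fails and only notifies you, records an independent SHA-256 digest of the backup so that the operator can verify the file before restoring it. The headings and the sample signature value are the ones shown on this page; the command lines in the constructed sample are placeholders, not DefensePro CLI syntax; and the device's own signature algorithm, which the manual does not document, is not recomputed.

```python
"""Parser for the two-section layout of an exported DefensePro configuration file.

Added example, not Radware code. The two section headings and the
"File Signature:" line are quoted from the manual; the command lines in the
sample are constructed placeholders, not DefensePro CLI syntax. The manual
does not document how the device computes its signature, so this script does
not recompute it; it records an independent SHA-256 of the backup instead.
"""
import hashlib
import hmac
import re
from typing import Dict, List, Optional

REBOOT_HEADING = "The following commands will take effect only once the device has been rebooted!"
IMMEDIATE_HEADING = "The following commands take effect immediately upon execution!"
SIGNATURE_RE = re.compile(r"^File Signature:\s*([0-9a-fA-F]{32})\s*$")

# Constructed sample export; the signature value is the one shown in the manual.
SAMPLE_EXPORT = """\
The following commands will take effect only once the device has been rebooted!
placeholder-reboot-command-1
placeholder-reboot-command-2
The following commands take effect immediately upon execution!
placeholder-immediate-command-1
placeholder-immediate-command-2
placeholder-immediate-command-3
File Signature: 063390ed2ce0e9dfc98c78266a90a7e4
"""


def parse_export(text: str) -> Dict[str, object]:
    """Split the export into its reboot-required and immediate command lists."""
    sections: Dict[str, List[str]] = {"reboot_required": [], "immediate": []}
    current: Optional[str] = None
    signature: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == REBOOT_HEADING:
            current = "reboot_required"
        elif line == IMMEDIATE_HEADING:
            current = "immediate"
        elif (m := SIGNATURE_RE.match(line)):
            signature = m.group(1).lower()
        elif current is None:
            raise ValueError(f"command outside any section: {line!r}")
        else:
            sections[current].append(line)
    return {"sections": sections, "signature": signature}


def backup_digest(text: str) -> str:
    """Operator-side SHA-256 over the whole export; store it out-of-band at backup time."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def verify_backup(text: str, expected_digest: str) -> bool:
    """Check a backup against the digest recorded when it was taken, before restoring it."""
    return hmac.compare_digest(backup_digest(text), expected_digest.lower())


def restore_report(text: str) -> Dict[str, object]:
    """Summarise what a restore of this file would apply and whether a reboot is needed."""
    parsed = parse_export(text)
    sections = parsed["sections"]
    return {
        "has_signature": parsed["signature"] is not None,
        "immediate_commands": len(sections["immediate"]),
        "reboot_required_commands": len(sections["reboot_required"]),
        "reboot_needed": bool(sections["reboot_required"]),
    }
```

The digest is deliberately computed by the operator, not taken from the file: a signature that travels inside the file it protects can tell you the file was damaged in transit, but it cannot tell you the file is the one you backed up, which is the question you want answered before an Import Configuration File to Device overwrites the running configuration. A non-empty reboot_required section in the report is the cue that the restore will need the reboot the manual calls for.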


Downloading a Device's Configuration File


You can download a device's configuration file from the device to APSolute Vision for backup. If you choose to download to the APSolute Vision server, a copy is always saved in the APSolute Vision database. By default, you can save up to five (5) configuration files per device on the APSolute Vision server. You can change this parameter in the APSolute Vision Setup page up to a maximum of 10. When the limit is reached, you are prompted to delete the oldest file.

Note: You can schedule configuration file backups in the APSolute Vision scheduler. For more information, see Configuring Tasks in the Scheduler, page 259.

To download a device's configuration file


1. In the Monitoring perspective system pane, right-click the device name and select Export Configuration File from Device.
2. Configure the download parameters; and then, click Save.

Table 123: Device Configuration File Download Parameters

Download to
    Where to back up the device configuration file. Values: Client, Server
Download Via
    (Read-only) The protocol used to download the configuration file. Value: HTTPS
Save As
    Save the downloaded configuration file as a text file on the client system. On the server, the default name is a combination of the device name and backup date and time. You can change the default name.
Include Private Keys
    When enabled, the certificate private key information is included in the downloaded file. You must include the private key information to restore the private keys; otherwise, the device reverts to default keys.

Restoring a Device's Configuration


You can restore a DefensePro device's configuration file from a backup configuration file on the APSolute Vision server or client system to the DefensePro device. When you upload the configuration file to the device, it overwrites the existing device configuration. After the restore operation is complete, you must reboot the device.

To restore a device's configuration


1. In the Monitoring perspective system pane, right-click the device name and select Import Configuration File to Device.
2. Configure upload parameters, and click OK.
3. When the upload completes, reboot the device.


Table 124: Device Configuration File Upload Parameters

Upload from
    The location of the backup device configuration file to send. Values: Client, Server
Upload Via
    (Read-only in APSolute Vision 2.10 and later) The protocol used to upload the configuration file. Value: HTTPS
File Name
    When uploading from the client system, enter or browse to the name of the configuration file to upload. When uploading from the server, select the configuration to upload.

Updating Policy Configurations on a DefensePro Device


You can apply the following configuration changes to a managed device in a single operation:
- Network security policy
- Server security policy
- ACL policy
- White list
- Black list (relevant for DefensePro only)
- Classes

To update policy configurations on a managed device


1. In the Monitoring perspective system pane, right-click the device name and select Update Policies.
2. Click Yes in the Confirmation dialog box.

Checking Device Memory Availability


You can check whether a DefensePro device has enough memory before you change any tuning parameters, including NAT tuning.

To check device memory availability


In the Monitoring perspective system pane, right-click the device name and select Check Available Memory. A message box is displayed, which notifies you whether there is enough memory on the device, or, if not, how much memory is required.


Resetting the Baseline for DefensePro


Resetting baseline-learned statistics clears the baseline traffic statistics and resets default normal baselines. Reset the baseline statistics only when the characteristics of the protected network have changed entirely and bandwidth quotas need to be changed to accommodate the network changes. You can reset the baseline for all the network policy rules that contain a BDoS or DNS Protection profile, or for a selected network policy rule that contains a BDoS or DNS Protection profile.

To reset BDoS baseline statistics


1. In the Monitoring perspective system pane, right-click the device name and select Reset BDoS Baseline.
2. Select whether to reset the baseline for all network policy rules that contain a BDoS profile, or for a specific network-protection rule that contains a BDoS profile; and then, click OK.

To reset DNS baseline statistics


1. In the Monitoring perspective system pane, right-click the device name and select Reset DNS Baseline.
2. Select whether to reset the baseline for all network policy rules that contain a DNS profile, or for a specific network-protection rule that contains a DNS profile; and then, click OK.

Enabling and Disabling Interfaces


You can enable and disable interfaces from the Monitoring perspective. In DefensePro, you can enable and disable device ports and trunks.

To change the administrative status of a port or trunk


1. In the Monitoring perspective, select the Ports tab in the content pane.
2. In the navigation pane, select Ports and Trunks. The Ports Table is displayed.
3. Right-click the row with the relevant port, and select Disable Admin Status (for a port currently Up) or Enable Admin Status (for a port currently Down).


Scheduling APSolute Vision and Device Tasks


The following topics describe how to schedule operations in the APSolute Vision Scheduler:
- Overview of Scheduling, page 258
- Configuring Tasks in the Scheduler, page 259
- Task Parameters, page 260

Note: For information on how to schedule operations in the APSolute Vision server, see the APSolute Vision User Guide or APSolute Vision online help.

Overview of Scheduling
You can schedule various operations for the APSolute Vision server and managed devices. Scheduled operations are called tasks. The APSolute Vision scheduler tracks when tasks were last performed and when they are due to be performed next. When you configure a task for multiple devices, the task runs on each device sequentially. After the task completes on one device, it begins on the next. If the task fails to complete on a device, the Scheduler will activate the task on the next listed device. Scheduled tasks run according to the time as configured on the APSolute Vision client.

Caution: If the APSolute Vision client time zone differs from the time zone of the APSolute Vision server or the managed device, take the time offset into consideration.

When you define a task, you can choose whether to enable or disable the task. All configured tasks are stored in the APSolute Vision database. You can define the following types of DefensePro-related scheduled tasks:
- Back up APSolute Vision Reporter data
- Back up a device configuration
- Reboot a device
- Update the RSA signature file onto a DefensePro device from Radware.com or the proxy server
- Update the Radware signature file onto a DefensePro device from Radware.com or the proxy server
- Update the APSolute Vision Attack Description file from Radware.com or the proxy server

Note: You can perform the operations manually, from the Monitoring perspective. For more information see:
- Updating the Attack Description File, page 54
- Rebooting a DefensePro Device, page 249
- Updating a Radware Signature File or RSA Signature File, page 252
- Downloading a Device's Configuration File, page 255
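The scheduling rules in this overview (tasks run on each device in turn, a failure on one device does not stop the next, schedules are evaluated on the client's clock, and the client-versus-device time-zone offset in the Caution) are small enough to model end to end. The following is an added example, not Radware code or the APSolute Vision scheduler itself: it computes the next run for the Once, Minutes, Daily and Weekly frequencies listed under Task Parameters, shows what a client-local run time looks like on a device clock in another zone, and runs a task across a device list with the continue-after-failure rule, tracking the Last Execution Status values the Tasks table shows. The device names, the fixed time-zone offsets and the reboot action are constructed assumptions.

```python
"""Model of the APSolute Vision scheduler behaviour described in this section.

Added example, not Radware code. The sequential per-device run, the
continue-after-failure rule, the client-time schedule and the Once, Minutes,
Daily and Weekly frequencies (see Task Parameters) come from the manual;
the device names, the time-zone offsets and the task callable are constructed.
"""
from datetime import datetime, time, timedelta, timezone
from typing import Callable, Dict, List, Optional, Sequence

# Constructed fixed offsets standing in for the client and the device clocks.
CLIENT_TZ = timezone(timedelta(hours=-5))
DEVICE_TZ = timezone(timedelta(hours=3))


def client_time(iso: str) -> datetime:
    """Parse 'YYYY-MM-DDTHH:MM' as a wall-clock time on the APSolute Vision client."""
    return datetime.fromisoformat(iso).replace(tzinfo=CLIENT_TZ)


def next_execution(frequency: str, after: datetime, *, at: Optional[str] = None,
                   minutes: Optional[int] = None, weekdays: Sequence[int] = (),
                   once_at: Optional[datetime] = None) -> Optional[datetime]:
    """Next run strictly after `after`, on the client's clock; None if the task never runs again."""
    if frequency == "Once":
        return once_at if once_at is not None and once_at > after else None
    if frequency == "Minutes":
        return after + timedelta(minutes=minutes)
    if frequency not in ("Daily", "Weekly"):
        raise ValueError(f"unknown frequency {frequency!r}")
    run_time = time.fromisoformat(at)               # "HH:MM" for Daily and Weekly
    if frequency == "Daily":
        candidate = datetime.combine(after.date(), run_time, tzinfo=after.tzinfo)
        return candidate if candidate > after else candidate + timedelta(days=1)
    for offset in range(8):                         # Weekly; weekdays: 0 = Monday ... 6 = Sunday
        day = after.date() + timedelta(days=offset)
        candidate = datetime.combine(day, run_time, tzinfo=after.tzinfo)
        if day.weekday() in weekdays and candidate > after:
            return candidate
    return None


def on_device_clock(run_at: datetime, device_tz: timezone = DEVICE_TZ) -> datetime:
    """The same instant as shown on the device's clock: the offset the Caution above warns about."""
    return run_at.astimezone(device_tz)


class Task:
    """One scheduled task, with the status fields shown in the Tasks table."""
    def __init__(self, name: str, action: Callable[[str], None], devices: List[str],
                 enabled: bool = True) -> None:
        self.name, self.action, self.devices, self.enabled = name, action, devices, enabled
        self.last_execution_status = "Never Executed"
        self.last_execution_time: Optional[datetime] = None
        self.per_device: Dict[str, str] = {}

    def run(self, now: datetime) -> Dict[str, str]:
        """Run on each device in turn; a failure on one device does not stop the next one."""
        if not self.enabled:                        # disabled tasks are never activated
            return {}
        for dev in self.devices:
            try:
                self.action(dev)
                self.per_device[dev] = "Succeeded"
            except Exception as exc:                # record the failure and carry on
                self.per_device[dev] = f"Failed: {exc}"
        ok = all(s == "Succeeded" for s in self.per_device.values())
        self.last_execution_status = "Succeeded" if ok else "Failed"
        self.last_execution_time = now
        return dict(self.per_device)


def demo_reboot(device: str) -> None:
    """Constructed action standing in for a device reboot; dp-2 is made unreachable."""
    if device == "dp-2":
        raise ConnectionError("device unreachable")
```

A Daily task set for 02:00 on a client five hours behind UTC fires at 10:00 on a device three hours ahead of UTC, which is the kind of offset to check before scheduling a reboot in what you believe is the device's maintenance window. Because the per-device loop records each outcome rather than raising, a single unreachable device leaves the others rebooted and the task marked Failed, exactly the case where you want the per-device detail rather than one overall status.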


Configuring Tasks in the Scheduler


The Scheduler window is the starting point for viewing and configuring tasks, which are scheduled operations. The Tasks table displays the following information for each configured task.

Name
    The name of the configured task.
Task Type
    The type of task to be performed.
Enabled
    When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task is saved in the database.
Schedule
    The frequency at which the task runs; for example, daily or weekly. The schedule start date is displayed, if it has been defined.
Current Status
    The current status of the task. Values: Waiting, In progress
Last Execution Status
    Whether the last task run was successful. When the task is disabled or has not yet started, the status is Never Executed.
Last Execution Time
    The date and time of the last task run. When the task is disabled or has not yet started, this field is empty.
Next Execution Time
    The date and time of the next task run. When the task is disabled, this field is empty.
Description
    The user-defined description of the task.

To configure a task schedule


1. In the Configuration perspective main toolbar, click the (Scheduler) button. The Tasks table displays information for each scheduled task.
2. To add or edit a task:
   - To add a new task, click the (Add) button. Select the type of task, and click OK. The dialog box for the selected task type is displayed.
   - To edit a task, double-click the entry in the table.

3. Configure task parameters, and click OK. All task configurations include basic parameters and scheduling parameters. Other parameters depend on the type of task selected. For more information, see the description of the relevant Task Parameters.

To run an existing task


1. In the Configuration perspective or Monitoring perspective main toolbar, click the (Scheduler) button. The Tasks table displays information for each scheduled task.
2. Right-click the required task, and click Run Task.


Task Parameters
Set the following parameters to configure tasks in the Scheduler:
- APSolute Vision Reporter Backup Task, page 260
- Device Configuration Backup Parameters, page 262
- Device Reboot Parameters, page 264
- Update RSA Signature Files for a Device, page 265
- Update Radware Security Signature Files for a Device, page 267
- Update APSolute Vision Attack Description File Parameters, page 268

APSolute Vision Reporter Backup Task


The APSolute Vision Reporter Backup task creates a backup of the APSolute Vision Reporter data and exports it to a specified destination. The backup includes all the APSolute Vision Reporter data.

Notes:
For information on managing the backups using CLI, see the APSolute Vision User Guide.
APSolute Vision stores up to three iterations of the APSolute Vision Reporter data in the storage location. After the third reporter-backup, the system deletes the oldest one.
The storage location is, by default, a hard-coded location in the APSolute Vision server.
The backup filenames in the storage location are the first five characters of the specified filename plus a 10-character timestamp. When the task exports the backup file, the filename is as specified in the task configuration.
The backup file in the storage location includes the hard-coded description Scheduler-generated.

Table 125: APSolute Vision Reporter Backup Task Parameters

Basic Parameters
Name: A name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values:
  Once: The task runs one time only at the specified date and time.
  Minutes: The task runs at intervals of the specified number of minutes between task starts.
  Daily: The task runs daily at the specified time.
  Weekly: The task runs every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.

Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values:
  Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
  Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date (5), Start Time (5): The date and time at which the task is activated.
End Date (5), End Time (5): The date and time after which the task no longer runs.

(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.

Parameters
Protocol: The protocol that APSolute Vision uses for this task. Values: FTP, SCP, SFTP, SSH. Default: FTP

Destination
IP Address: The IP address of the server.
Directory: The path to the export directory with no spaces. Only alphanumeric characters and underscores (_) are allowed.
Backup File Name: The name of the backup, up to 15 characters, with no spaces. Only alphanumeric characters and underscores (_) are allowed.
User: The username.
Password: The user password.
Verify Password: The user password.

Device Configuration Backup Parameters


The Device Configuration Backup task saves a configuration backup of the specified devices.

Note: By default you can save up to five (5) configuration files per device on the APSolute Vision server. You can change this parameter in the APSolute Vision Setup tab. For more information, see the APSolute Vision User Guide.

Table 126: Device Configuration Backup Task Parameters

Basic Parameters
Name: A name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values:
  Once: The task runs one time only at the specified date and time.
  Minutes: The task runs at intervals of the specified number of minutes between task starts.
  Daily: The task runs daily at the specified time.
  Weekly: The task runs every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.

Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values:
  Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
  Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date (5), Start Time (5): The date and time at which the task is activated.
End Date (5), End Time (5): The date and time after which the task no longer runs.

(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.

Devices
The configurations of devices in the Selected Devices list will be backed up.


Device Reboot Parameters


The Device Reboot task reboots the specified devices.

Table 127: Device Reboot Task Parameters

Basic Parameters
Name: A name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values:
  Once: The task runs one time only at the specified date and time.
  Minutes: The task runs at intervals of the specified number of minutes between task starts.
  Daily: The task runs daily at the specified time.
  Weekly: The task runs every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.

Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values:
  Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
  Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date (5), Start Time (5): The date and time at which the task is activated.
End Date (5), End Time (5): The date and time after which the task no longer runs.

(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.

Devices
The devices in the Selected Devices list will be rebooted.

Update RSA Signature Files for a Device


The Update RSA Security Signature task updates the RSA security signature on the selected DefensePro devices.

Note: The frequency range for the Update RSA Security Signature task is 10-60 minutes. The default interval is 60 minutes.

Table 128: Update RSA Security Signature Task Parameters

Basic Parameters
Name: A name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values:
  Once: The task runs one time only at the specified date and time.
  Minutes: The task runs at intervals of the specified number of minutes between task starts.
  Daily: The task runs daily at the specified time.
  Weekly: The task runs every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.

Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values:
  Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
  Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date (5), Start Time (5): The date and time at which the task is activated.
End Date (5), End Time (5): The date and time after which the task no longer runs.

(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the DefensePro devices with Fraud Protection enabled. The Selected Devices list displays the DefensePro devices whose RSA signature files this task updates.
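The schedule rules the task tables state (which fields each Frequency uses, the Run Always and Schedule Period window, the 10-60 minute interval of the Update RSA Security Signature task, and the Reporter Backup destination naming rules), modelled as an added Python example; this is not Radware's code, and the Task fields, the weekday names and the function names are this example's own.

```python
"""Consistency checks for APSolute Vision Scheduler task settings (added example, not Radware code).

Models the rules stated in the task parameter tables: which schedule fields each Frequency uses,
the Run Always / Schedule Period window, the 10-60 minute interval of the Update RSA Security
Signature task, and the Reporter Backup destination naming rules. Field and function names are this example's own.
"""
import math
import re
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta
from typing import Optional

FREQUENCIES = ("Once", "Minutes", "Daily", "Weekly")
WEEKDAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")
BACKUP_PROTOCOLS = ("FTP", "SCP", "SFTP", "SSH")
# Backup File Name: up to 15 characters, alphanumerics and underscores only (no spaces).
NAME_RE = re.compile(r"^[A-Za-z0-9_]{1,15}$")
# Directory: the guide lists alphanumerics and underscores; assumption: "/" separators are allowed too.
DIR_RE = re.compile(r"^[A-Za-z0-9_/]+$")


@dataclass
class Task:
    task_type: str
    frequency: str
    at: Optional[time] = None          # Time (Once, Daily, Weekly)
    on: Optional[date] = None          # Date (Once)
    minutes: Optional[int] = None      # Minutes (Minutes)
    days: tuple = ()                   # weekday names for Weekly (example's own field)
    run_always: bool = True            # Schedule Period: Run Always
    start: Optional[datetime] = None   # Start Date + Start Time
    end: Optional[datetime] = None     # End Date + End Time
    protocol: str = "FTP"              # Reporter Backup: Protocol (default FTP)
    directory: str = ""                # Reporter Backup: Directory
    backup_file_name: str = ""         # Reporter Backup: Backup File Name


def validate(task: Task) -> list:
    """Return configuration errors; an empty list means the settings are consistent."""
    errors, f = [], task.frequency
    if f not in FREQUENCIES:
        return [f"unknown Frequency {f!r}"]
    if f in ("Once", "Daily", "Weekly") and task.at is None:
        errors.append("Time is required when Frequency is Once, Daily or Weekly")
    if f == "Once" and task.on is None:
        errors.append("Date is required when Frequency is Once")
    if f == "Minutes" and (task.minutes is None or task.minutes <= 0):
        errors.append("Minutes must be a positive interval")
    if f == "Weekly" and (not task.days or not set(task.days) <= set(WEEKDAYS)):
        errors.append("Weekly needs one or more valid days")
    if (task.task_type == "Update RSA Security Signature" and f == "Minutes"
            and task.minutes and not 10 <= task.minutes <= 60):
        errors.append("Update RSA Security Signature interval must be 10-60 minutes")
    if not task.run_always:
        if task.start is None or task.end is None:
            errors.append("Start and End are required when Run Always is cleared")
        elif task.end <= task.start:
            errors.append("End must be later than Start")
    if task.task_type == "APSolute Vision Reporter Backup":
        if task.protocol not in BACKUP_PROTOCOLS:
            errors.append(f"unsupported Protocol {task.protocol!r}")
        if not DIR_RE.match(task.directory):
            errors.append("Directory: no spaces; alphanumerics and underscores only")
        if not NAME_RE.match(task.backup_file_name):
            errors.append("Backup File Name: 1-15 alphanumerics or underscores")
    return errors


def weak_settings(task: Task) -> list:
    """Valid settings that still deserve a second look before the task ships data off the server."""
    if task.task_type == "APSolute Vision Reporter Backup" and task.protocol == "FTP":
        return ["FTP (the default) carries the password and the backup in clear text; SCP or SFTP protects both"]
    return []


def next_run(task: Task, now: datetime) -> Optional[datetime]:
    """Next start time at or after `now`, or None if the task will not run again."""
    window_start = task.start if not task.run_always else None
    window_end = task.end if not task.run_always else None
    if window_start and now < window_start:
        now = window_start                      # nothing runs before Start Date/Time
    f = task.frequency
    if f == "Once":
        once = datetime.combine(task.on, task.at)
        candidate = once if once >= now else None
    elif f == "Minutes":
        # Run Always: the first run is immediate; otherwise runs start at Start Date/Time.
        origin, step = window_start or now, timedelta(minutes=task.minutes)
        candidate = origin + step * math.ceil((now - origin) / step)
    elif f == "Daily":
        candidate = datetime.combine(now.date(), task.at)
        if candidate < now:
            candidate += timedelta(days=1)
    else:  # Weekly: the first configured day whose Time has not passed yet
        upcoming = (datetime.combine(now.date() + timedelta(days=o), task.at) for o in range(8))
        candidate = next((c for c in upcoming if WEEKDAYS[c.weekday()] in task.days and c >= now), None)
    if candidate is None or (window_end and candidate > window_end):
        return None                             # past End Date/Time: no further runs
    return candidate
```

Run `validate` on a task before saving it and `next_run` to confirm the first start time falls where the Schedule Period intends.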


Update Radware Security Signature Files for a Device


The Update Security Signature Files task updates the Radware security signature files on the selected DefensePro devices.

Table 129: Security Signature Files Task Parameters

Basic Parameters
Name: A name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values:
  Once: The task runs one time only at the specified date and time.
  Minutes: The task runs at intervals of the specified number of minutes between task starts.
  Daily: The task runs daily at the specified time.
  Weekly: The task runs every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.

Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values:
  Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
  Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date (5), Start Time (5): The date and time at which the task is activated.
End Date (5), End Time (5): The date and time after which the task no longer runs.

(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.

Communication Parameters
Upload Protocol: The protocol used to upload the updated signature file from APSolute Vision to the device. Values: HTTPS, HTTP, TFTP. Default: HTTPS

Devices
The signature files for DefensePro devices in the Selected Devices list will be updated.

Update APSolute Vision Attack Description File Parameters


The Update Vision's Attack Description File task updates the attack description file on the APSolute Vision server.

Table 130: Update Vision's Attack Description File Task Parameters

Basic Parameters
Name: A name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task runs according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task runs. Select a frequency, then configure the related time and day/date parameters. The available values depend on the specified task. Values:
  Once: The task runs one time only at the specified date and time.
  Minutes: The task runs at intervals of the specified number of minutes between task starts.
  Daily: The task runs daily at the specified time.
  Weekly: The task runs every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.
Time (1): The time at which the task runs.
Date (2): The date on which the task runs.
Minutes (3): The interval, in minutes, at which the task runs.

Schedule Period
Run Always (4): Specifies whether the task always runs or only during the defined period. Values:
  Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
  Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date (5), Start Time (5): The date and time at which the task is activated.
End Date (5), End Time (5): The date and time after which the task no longer runs.

(1) This parameter is displayed only when the specified Frequency is Once, Daily, or Weekly.
(2) This parameter is displayed only when the specified Frequency is Once.
(3) This parameter is displayed only when the specified Frequency is Minutes.
(4) This parameter is displayed only when the specified Frequency is Minutes, Daily, or Weekly.
(5) This parameter is displayed only when the Run Always checkbox is cleared.


Chapter 8 Monitoring DefensePro Devices and Interfaces


APSolute Vision's online monitoring can serve as part of a Network Operating Center (NOC) that monitors and analyzes the network and connected devices for changes in conditions that may impact network performance. The following topics describe:
Monitoring DefensePro Devices, page 271
Monitoring and Controlling Device Interfaces, page 284

To view monitoring information for a physical device or interface, you must first select the device or interface in the Monitoring perspective navigation pane System tab.

Monitoring DefensePro Devices


You can monitor the following statistics and information for each managed DefensePro device:
Monitoring General DefensePro Device Information, page 271
Monitoring DefensePro High Availability, page 272
Monitoring the DefensePro Suspend Table, page 274
Monitoring DefensePro CPU Utilization, page 274
Monitoring and Clearing DefensePro Authentication Tables, page 275
Monitoring Session Table Information, page 279
Monitoring DefensePro SNMP Statistics, page 276
Monitoring DME Utilization According to Configured Policies, page 277
Monitoring DefensePro Syslog Information, page 278
Monitoring DefensePro IP Statistics, page 281
Monitoring Routing Table Information, page 282
Monitoring DefensePro ARP Table Information, page 283
Monitoring MPLS RD Information, page 284

Select the DefensePro device to monitor in the Monitoring perspective system pane.

Monitoring General DefensePro Device Information


The Overview tab displays general device information, including information about the software version and the hardware version of the device.

To display general device information for a selected device


In the Monitoring perspective, select the Overview tab in the content pane.


Table 131: DefensePro General Device Information

Basic Parameters
Operational Status: Whether the device is currently up or down.
Device is Monitored: Whether APSolute Vision monitoring is currently enabled for the device.
Management IP: The IP address of the device used for management.
Hardware Platform: Type of hardware platform for this device.
Uptime: System up time in days, hours, minutes, and seconds.
Base MAC Address: MAC address of the first port on the device.

Signature Update
Radware Signature File Version: The version of the Radware Signature File installed on the device.
RSA Signatures Last Update: When RSA is enabled, this parameter can display the timestamp of the last update of RSA signatures, received from Radware.com and downloaded to the DefensePro device. Values:
  The timestamp, in DDD MMM DD hh:mm:ss yyyy z format, displayed according to the timezone of your APSolute Vision client
  No Feeds Received Since Device Boot

Software
Software Version: The version of the product software installed on the device.
APSolute OS Version: Version of the APSolute OS installed on the device; for example, 10.3103.01:2.06.08.
Build Version: The build number of the current software version.
Status: State of this software version. Values:
  Open: Not yet released
  Final: Released version

Hardware
Hardware Version: The hardware version; for example, B.5.
RAM Size: Amount of RAM, in megabytes.
Flash Size: Size of flash (permanent) memory, in megabytes.

Monitoring DefensePro High Availability


You can view the status of parameters related to the high availability of a selected DefensePro device.

Note: When you issue the Switch Over command on the cluster node in the Monitoring perspective, the active device switches over. (To switch modes, in the Monitoring perspective system pane, right-click the cluster node, and then select Switch Over.)


To view the parameters related to the high availability of a selected DefensePro device
In the Monitoring perspective, select the High Availability tab in the content pane.

Table 132: DefensePro High-Availability Monitoring Parameters

Device Role: Values:
  Stand Alone: The device is not configured as a member of a high-availability cluster.
  Primary: The device is configured as the primary member of a high-availability cluster.
  Secondary: This device is configured as the secondary member of a high-availability cluster.
Device State: Values:
  Active: The device is in the active state. The device may be a standalone device (not part of a high-availability cluster) or the active member of a high-availability cluster.
  Passive: The device is the passive member of a high-availability cluster.
Last Baseline Sync.: Values:
  Base-Line still not synched on this device: Either high availability is not enabled on the device or high availability is enabled on the device but the baselines for security protections are still not synchronized.
  The timestamp, in DDD MMM DD hh:mm:ss yyyy format, of the last synchronization of the baseline between the active and passive device.
Cluster State: Values:
  Pair not defined: The device is not configured as a member of a high-availability cluster.
  Disconnected: The device is disconnected from the other member of the high-availability cluster.
  Negotiate: The device is negotiating with the other member of the high-availability cluster.
  Synchronizing: The device is synchronizing with the other member of the high-availability cluster.
  In Sync: The members of the high-availability cluster are synchronized.
  Hold on: The device is waiting for information from the other member of the high-availability cluster.
Cluster Node in Use: The IP address of the selected device.
Peer Clustered Node in Use: The IP address of the other cluster member.


Monitoring the DefensePro Suspend Table


When DefensePro detects an attack, some protections, such as Anti-Scanning, Server Cracking, and Connection Limit, add the source IP of the attacker to the Suspend table. All traffic from the attacker to the protected server is then handled according to the Suspend Action for a defined time period.

To view the real-time Suspend table for a selected DefensePro device


In the Monitoring perspective, select the Suspend Table tab in the content pane.

Table 133: DefensePro Suspend-Table Monitoring Parameters

Source IP: The IP address from which traffic was suspended.
Destination IP: The IP address to which traffic was suspended (0.0.0.0 means traffic to all destinations was suspended).
Destination Port: The application port to which traffic was suspended (0 means all ports).
Protocol: The network protocol of the suspended traffic.
Module: The security module that activated the traffic suspension: Signature Protection, Anti Scanning, SYN Protection.
Expiration Type: The method of determining the expiration: On Request, Fixed Timeout, Dynamic Timeout.
Expiration Time: The number of seconds until the entry is removed from the Suspend table.

Monitoring DefensePro CPU Utilization


You can view statistics for the device's average resource utilization and the utilization for each accelerator.

To monitor device utilization for a selected DefensePro device


1. In the Monitoring perspective, select the Resource Utilization tab in the content pane.
2. In the navigation pane, select CPU Utilization.

Table 134: DefensePro CPU-Utilization Monitoring Parameters

CPU Utilization
Resource Utilization Instance 0: The percentage of the device's instance-0 CPU currently utilized.
Resource Utilization Instance 1: The percentage of the device's instance-1 CPU currently utilized.
RS Resource Utilization Instance 0: The percentage of the device's instance-0 routing services (RS) resource currently utilized.
RS Resource Utilization Instance 1: The percentage of the device's instance-1 routing services (RS) resource currently utilized.
RE Resource Utilization Instance 0: The percentage of the device's instance-0 routing engine (RE) resource currently utilized.
RE Resource Utilization Instance 1: The percentage of the device's instance-1 routing engine (RE) resource currently utilized.
Last 5 sec. Average Utilization Instance 0: The average utilization of instance-0 resources in the last 5 seconds.
Last 5 sec. Average Utilization Instance 1: The average utilization of instance-1 resources in the last 5 seconds.
Last 60 sec. Average Utilization Instance 0: The average utilization of instance-0 resources in the last 60 seconds.
Last 60 sec. Average Utilization Instance 1: The average utilization of instance-1 resources in the last 60 seconds.

Accelerator Utilization
Instance: The internal hardware instance of the device.
Accelerator Type: The name of the accelerator. The accelerator named Flow_Accelerator_0 is one logical accelerator that uses several CPU cores. The accelerator named HW Classifier is the string-matching engine (SME).
CPU ID: The CPU number for the accelerator.
Forwarding Task: The percentage of CPU cycles used for traffic processing.
Other Tasks: The percentage of CPU resources used for other tasks such as aging and so on.
Idle Task: The percentage of free CPU resources.

Monitoring and Clearing DefensePro Authentication Tables


You can view statistics for the device's Authentication Tables. You can also clear the contents of each table.

To monitor Authentication Tables for a selected DefensePro device


1. In the Monitoring perspective, select the Resource Utilization tab in the content pane.
2. Select Authentication Tables.

Table 135: DefensePro Authentication-Tables Monitoring Parameters

TCP Authentication Table
Table Size: The number of source addresses that the table can hold.
Table Utilization: Percent of the table that is currently utilized.
Aging Time: The aging time, in seconds, for the table.

HTTP Authentication Table
Table Size: The number of source-destination couples for protected HTTP servers. For example, if there are two attacks towards two HTTP servers and the source addresses are the same, for those two servers, there will be two entries for the source in the table.
Table Utilization: Percent of the table that is currently utilized.
Aging Time: The aging time, in seconds, for the table. Values: 60-3600. Default: 1200

DNS Authentication Table
Table Size: The number of source addresses that the table can hold.
Table Utilization: Percent of the table that is currently utilized.
Aging Time: The aging time, in minutes, for the table.

To clear an Authentication Table for a selected DefensePro device


1. In the Monitoring perspective, select the Resource Utilization tab in the content pane.
2. Select Authentication Tables.
3. In the relevant group box (that is, TCP Authentication Table, HTTP Authentication Table, or DNS Authentication Table), click Clear Table.

Monitoring DefensePro SNMP Statistics


You can view statistics for the SNMP layer of the device.

To monitor DefensePro SNMP statistics


1. In the Monitoring perspective, select the Resource Utilization tab in the content pane.
2. In the navigation pane, select SNMP Statistics.

Table 136: DefensePro SNMP Statistics

Number of SNMP Received Packets: The total number of messages delivered to the SNMP entity from the transport service.
Number of SNMP Sent Packets: The total number of SNMP messages passed from the SNMP protocol entity to the transport service.
Number of SNMP Successful 'GET' Requests: The total number of MIB objects retrieved successfully by the SNMP protocol entity as the result of receiving valid SNMP GET-Request and GET-Next PDUs.
Number of SNMP Successful 'SET' Requests: The total number of MIB objects modified successfully by the SNMP protocol entity as the result of receiving valid SNMP SET-Request PDUs.
Number of SNMP 'GET' Requests: The total number of SNMP GET-Request PDUs accepted and processed by the SNMP protocol entity.
Number of SNMP 'GET-Next' Requests: The total number of SNMP GET-Next Request PDUs accepted and processed by the SNMP protocol entity.
Number of SNMP 'SET' Requests: The total number of SNMP SET-Request PDUs accepted and processed by the SNMP protocol entity.
Number of SNMP Error Too Big Received: The total number of SNMP PDUs generated by the SNMP protocol entity for which the value of the error-status field is tooBig.
Number of SNMP Error No Such Name Received: The total number of SNMP PDUs generated by the SNMP protocol entity for which the value of the error-status field is noSuchName.
Number of SNMP Error Bad Value Received: The total number of SNMP PDUs generated by the SNMP protocol entity for which the value of the error-status field is badValue.
Number of SNMP Error Generic Error Received: The total number of SNMP PDUs generated by the SNMP protocol entity for which the value of the error-status field is genErr.
Number of SNMP 'GET' Responses Sent: The total number of SNMP Get-Response PDUs generated by the SNMP protocol entity.
Number of SNMP Traps Sent: The total number of SNMP Trap PDUs generated by the SNMP protocol entity.

Monitoring DME Utilization According to Configured Policies


You can view statistics relating the user-defined policies to the utilization of the DoS Mitigation Engine (DME). The values that the device exposes are calculated according to the configured values, even before running the Update Policies command.

Note: If the device is not equipped with the DME, 0 (zero) values are displayed.

To monitor DME utilization according to configured policies


1. In the Monitoring perspective, select the Resource Utilization tab in the content pane.
2. In the navigation pane, select Policies.


Table 137: DME-Utilization Monitoring Parameters

Policies Resources Utilization (if any of the values in this group box is close to the maximum, the DME resources of the device are close to exhaustion)

Total Policies: The total number of policies in the context of the DME, which is double the number of network policies configured on the device. For example, the x420 supports 50 configured network policies.
HW Entries Utilization: The percentage of DME resource utilization from the HW entries.
Sub-Policies Utilization: The percentage of DME resource utilization from the sub-policy entries. In the context of the DME, a sub-policy is a combination of a source-IP-address range, a destination-IP-address range, and a VLAN-tag range.

Policies Table

Policy Name: The name of the policy.
Direction: The direction of the policy. Values: Inbound, Outbound.
HW Entries: The number of DME hardware entries that the policy uses.
Sub-Policies: The number of DME sub-policy entries that the policy uses.

Monitoring DefensePro Syslog Information


You can view information relating to the syslog mechanism.

To monitor DefensePro syslog information

1. In the Monitoring perspective, select the Resource Utilization tab in the content pane.
2. In the navigation pane, select Syslog Monitor.


Table 138: DefensePro Syslog Monitoring Parameters

Syslog Server: The name of the syslog server.
Status: The status of the syslog server. Values:
  Reachable: The server is reachable.
  Unreachable: The server is unreachable.
  N/R: Not relevant, because traffic to the syslog server is sent over UDP, as specified in the Configuration perspective (Setup tab > Syslog Server > Protocol > UDP). UDP is connectionless and carries no acknowledgement, so the device cannot determine whether the server is reachable.
Messages in Backlog: The number of messages in the backlog to the syslog server.

Monitoring Session Table Information

Each DefensePro device includes a Session table that keeps track of the sessions bridged and forwarded by the device. By default, the Session table is enabled. The full table is too large to view usefully. To generate reliable and useful reports and prevent system failures, use filters to define the Session table information to display. Information that matches any enabled Session table filter is displayed.

Notes
  The filtered Session table is not automatically refreshed periodically. The information is loaded when you select to display the Session Table pane and when you manually refresh the display.
  DefensePro issues alerts for high Session table utilization: it sends alerts to APSolute Vision when table utilization reaches 90% and 100%.

To view Session table information

1. In the Monitoring perspective, in the Session Table navigation pane, select Session Table.
2. If required, in the Display field, change the number of entries to display. The number of entries that match the configured Session table filters is displayed.

The following table describes the parameters in the Filtered Session Table.

Table 139: Filtered Session-Table Monitoring Parameters

Source IP: The source IP address within the defined subnet.
Destination IP: The destination IP address within the defined subnet.
Source L4 Port: The session source port.
Destination L4 Port: The session destination port.
Protocol: The session protocol.
Physical Interface: The physical port on the device at which the request arrives from the client.
Lifetime (Sec.): The time, in seconds, following the arrival of the last packet, that the entry remains in the table before it is deleted.
Aging Type: The reason for the Lifetime value (for example, application or session end).
SYN Flood Status: Whether the entry is currently protected against SYN attacks.

Configuring DefensePro Session Table Filters


The full Session table is very large; therefore, it is recommended to filter the information. Use Session table filters to define the information you want to display.

To configure Session table filters

1. In the Monitoring perspective Session Table navigation pane, select Session Table Filters.
2. To add or modify a filter, do one of the following:
   To add a filter, click the (Add) button.
   To edit a filter, double-click the entry in the table.
3. Configure the filter parameters and click OK.

Table 140: DefensePro Session-Table Filter Monitoring Parameters

Filter Name: The unique name of the filter.
Physical Interface: The physical port on the device at which the request arrives from the client. Default: Any
Source IP Address: The source IP address within the defined subnet. Select IPv4 or IPv6; and then, enter the address.
Source IP Mask: The source IP mask that, together with the Source IP Address, defines the subnet that you want to present in the Session Table. Select IPv4 or IPv6; and then, enter the mask.
Destination IP Address: The destination IP address within the defined subnet. Select IPv4 or IPv6; and then, enter the address.
Destination IP Mask: The destination IP mask that, together with the Destination IP Address, defines the subnet that you want to present in the Session Table. Select IPv4 or IPv6; and then, enter the mask.
Source L4 Port: The session source Layer 4 port.
Destination L4 Port: The session destination Layer 4 port.
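The filter semantics above, as an added example that is not part of the Radware documentation or product code: a small Python model in which the configured fields of one filter are ANDed, an entry is shown if it matches any enabled filter, and Source/Destination IP Address plus Mask define a subnet as in Table 140. The SessionEntry and SessionFilter field names, the port naming and the sample rows are the editor's assumptions, and so is the behaviour that nothing is shown when no filter is enabled.

```python
# Added example, not Radware code. Models how Session table filters select
# entries: the configured fields of one filter are ANDed (a field left as Any
# matches everything), and an entry is shown when it matches ANY enabled
# filter. Field names, the SessionEntry/SessionFilter types and all sample
# rows are constructed for this illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class SessionEntry:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str            # "TCP", "UDP", ...
    physical_interface: str  # e.g. "G-1" (illustrative naming)


@dataclass
class SessionFilter:
    name: str
    enabled: bool = True
    physical_interface: Optional[str] = None  # None = Any
    src_ip: Optional[str] = None
    src_mask: Optional[str] = None            # dotted mask or prefix length
    dst_ip: Optional[str] = None
    dst_mask: Optional[str] = None
    src_port: Optional[int] = None
    dst_port: Optional[int] = None


def in_subnet(addr: str, base: Optional[str], mask: Optional[str]) -> bool:
    """True when addr lies in the subnet that base + mask define (Table 140).
    No base means the field is Any. No mask means an exact host match
    (assumption). IPv4 and IPv6 never match each other."""
    if base is None:
        return True
    a, b = ip_address(addr), ip_address(base)
    if a.version != b.version:
        return False
    if mask is None:
        return a == b
    # strict=False lets the base carry host bits, e.g. 10.1.1.5/24
    return a in ip_network(f"{base}/{mask}", strict=False)


def matches(entry: SessionEntry, f: SessionFilter) -> bool:
    """All configured fields of one filter must match (logical AND)."""
    if f.physical_interface is not None and f.physical_interface != entry.physical_interface:
        return False
    if f.src_port is not None and f.src_port != entry.src_port:
        return False
    if f.dst_port is not None and f.dst_port != entry.dst_port:
        return False
    return (in_subnet(entry.src_ip, f.src_ip, f.src_mask)
            and in_subnet(entry.dst_ip, f.dst_ip, f.dst_mask))


def filtered_session_table(entries: List[SessionEntry],
                           filters: List[SessionFilter],
                           display: int = 100) -> List[SessionEntry]:
    """Entries matching any enabled filter (logical OR across filters),
    cut to the Display count. With no enabled filter nothing is shown
    (assumption about the device behaviour)."""
    active = [f for f in filters if f.enabled]
    return [e for e in entries if any(matches(e, f) for f in active)][:display]


# Constructed sample data.
SAMPLE_ENTRIES = [
    SessionEntry("10.1.1.5", "192.0.2.10", 51000, 443, "TCP", "G-1"),
    SessionEntry("10.1.2.7", "192.0.2.10", 51001, 80, "TCP", "G-1"),
    SessionEntry("2001:db8:1::7", "2001:db8:2::1", 4000, 53, "UDP", "G-2"),
    SessionEntry("198.51.100.9", "192.0.2.10", 5555, 443, "TCP", "G-2"),
]
SAMPLE_FILTERS = [
    SessionFilter("web-from-10.1.1.0", src_ip="10.1.1.0",
                  src_mask="255.255.255.0", dst_port=443),
    SessionFilter("dns-v6-on-G-2", physical_interface="G-2",
                  src_ip="2001:db8:1::", src_mask="48", dst_port=53),
    SessionFilter("http-disabled", enabled=False, dst_port=80),
]

if __name__ == "__main__":
    for e in filtered_session_table(SAMPLE_ENTRIES, SAMPLE_FILTERS):
        print(f"{e.src_ip} -> {e.dst_ip}:{e.dst_port} {e.protocol} via {e.physical_interface}")
```

Running the sample shows the two sessions that match an enabled filter (the 10.1.1.0/24 HTTPS session and the IPv6 DNS session on G-2); the HTTP session is hidden because its only matching filter is disabled. The same AND-within, OR-across rule is the reason one broad filter can flood the display: add the port or interface field before the address fields when you are chasing a single flow.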


Monitoring DefensePro IP Statistics


You can monitor statistics for the IP layer of the device, including the number of packets discarded and ignored. This enables you to quickly summarize the state of network congestion from a given interface.

To display IP statistics information for a selected DefensePro device


In the Monitoring perspective, select the IP Statistics tab in the content pane.

Table 141: DefensePro IP-Statistics Parameters

IP Statistics

Number of IP Packets Received: The total number of input datagrams received from interfaces, including those received in error.
Number of IP Header Errors: The number of input datagrams discarded due to errors in their IP headers, including bad checksums, version number mismatch, other format errors, time-to-live exceeded, errors discovered in processing their IP options, and so on.
Number of Discarded IP Packets: The total number of input datagrams discarded. This counter does not include any datagrams discarded while awaiting reassembly.
Number of Valid IP Packets Received: The total number of input datagrams successfully delivered to IP user-protocols (including ICMP).
Number of Transmitted Packets (Inc. Discards): The total number of IP datagrams that local IP user-protocols (including ICMP) supplied to IP in requests for transmission. This counter does not include any datagrams counted in Number of IP Packets Forwarded.
Number of Discarded Packets on TX: The number of output IP datagrams for which no problem was encountered to prevent their transmission to their destination, but which were discarded, for example, for lack of buffer space. This counter includes any datagrams counted in Number of IP Packets Forwarded if those packets meet this (discretionary) discard criterion.

Router Statistics

Number of IP Packets Forwarded: The number of input datagrams for which this entity was not their final IP destination, as a result of which an attempt was made to find a route to forward them to that final destination. In entities that do not act as IP gateways, this counter includes only those packets that were source-routed via this entity and for which the source-route option processing was successful.
Number of IP Packets Discarded Due to Unknown Protocol: The number of locally addressed datagrams received successfully but discarded because of an unknown or unsupported protocol.
Number of IP Packets Discarded Due to No Route: The number of IP datagrams discarded because no route could be found to transmit them to their destination. Note: This counter includes any packets counted in Number of IP Packets Forwarded that meet the no-route criterion. It also includes any datagrams that a host cannot route because all of its default gateways are down.
Number of IP Fragments Received: The number of IP fragments received that needed to be reassembled at this entity.
Number of IP Fragments Successfully Reassembled: The number of IP datagrams successfully reassembled.
Number of IP Fragments Failed Reassembly: The number of failures detected by the IP reassembly algorithm, such as timeouts, errors, and so on. Note: This is not necessarily a count of discarded IP fragments, since some algorithms (notably the algorithm in RFC 815) can lose track of the number of fragments by combining them as they are received.
Number of IP Datagrams Successfully Reassembled: The number of IP datagrams that have been successfully reassembled at this entity.
Number of IP Datagrams Discarded Due to Fragmentation Failure: The number of IP datagrams that have been discarded because they needed to be fragmented at this entity but could not be, for example, because their Don't Fragment flag was set.
Number of IP Datagram Fragments Generated: The number of IP datagram fragments that have been generated as a result of fragmentation at this entity.
Valid Routing Entries Discarded: The number of valid routing entries discarded.
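The counters in Table 141 are cumulative, so a single reading says little; what a practitioner wants is the rate between two polls and a threshold on the security-relevant ones (header errors, reassembly failures, no-route discards, and the SNMP error counters described earlier in this chapter). The following Python is an added example, not Radware code: the counter keys, the thresholds and the two sample polls are the editor's own construction, and the helper also handles the wrap of 32-bit MIB-II counters.

```python
# Added example, not Radware code. Turns two polls of the cumulative counters
# in Table 141 (and the SNMP error counters described earlier in this
# chapter) into per-second rates and flags the ones a defender watches.
# Counter keys, thresholds and the two sample polls are the editor's own
# construction; the device exposes the values through APSolute Vision.
from typing import Dict, List, Tuple

Snapshot = Dict[str, int]


def rates(prev: Snapshot, prev_t: float, cur: Snapshot, cur_t: float,
          width_bits: int = 32) -> Dict[str, float]:
    """Per-second rate of every counter present in both polls.
    Cumulative MIB-II counters are 32-bit and wrap, so a negative delta
    is corrected once; a device reset (counters back to zero) looks the
    same and should be detected from System Up Time instead."""
    dt = cur_t - prev_t
    if dt <= 0:
        raise ValueError("polls must be increasing in time")
    out: Dict[str, float] = {}
    for name, value in cur.items():
        if name not in prev:
            continue
        delta = value - prev[name]
        if delta < 0:
            delta += 1 << width_bits
        out[name] = delta / dt
    return out


def reassembly_failure_ratio(prev: Snapshot, cur: Snapshot) -> float:
    """Share of fragments received since the last poll whose reassembly
    failed. A jump here together with rising fragment counts points at a
    fragmentation attack rather than a path-MTU problem (which shows up
    mainly as fragmentation failures with the DF bit set)."""
    reqds = cur["ip_reasm_reqds"] - prev["ip_reasm_reqds"]
    fails = cur["ip_reasm_fails"] - prev["ip_reasm_fails"]
    return fails / reqds if reqds > 0 else 0.0


# (counter, threshold in events per second, why it matters)
RULES: List[Tuple[str, float, str]] = [
    ("ip_in_hdr_errors", 10.0, "malformed IP headers: fuzzing or crafted packets"),
    ("ip_reasm_fails", 5.0, "reassembly failures: fragment flood or overlap tricks"),
    ("ip_out_no_routes", 50.0, "no-route discards: spoofed or unroutable destinations"),
    ("snmp_out_no_such_names", 1.0, "SNMP noSuchName replies: a manager walking unknown OIDs"),
]


def check(rate: Dict[str, float], rules=RULES) -> List[str]:
    """Names of counters whose rate exceeds the rule threshold."""
    return [name for name, limit, _ in rules if rate.get(name, 0.0) > limit]


# Two constructed polls, 60 s apart.
PREV = {"ip_in_receives": 4_000_000, "ip_in_hdr_errors": 12,
        "ip_reasm_reqds": 900, "ip_reasm_fails": 3,
        "ip_out_no_routes": 40, "snmp_out_no_such_names": 7}
CUR = {"ip_in_receives": 4_300_000, "ip_in_hdr_errors": 15,
       "ip_reasm_reqds": 9_900, "ip_reasm_fails": 1_203,
       "ip_out_no_routes": 45, "snmp_out_no_such_names": 7}

if __name__ == "__main__":
    r = rates(PREV, 0.0, CUR, 60.0)
    for name in check(r):
        print(f"{name}: {r[name]:.1f}/s")
    print(f"reassembly failure ratio: {reassembly_failure_ratio(PREV, CUR):.2%}")
```

In the sample, the 1,200 new reassembly failures over 60 seconds (20 per second, about 13% of the fragments received) trip the rule while header errors and no-route discards stay within noise. The same delta logic applies to the L2 interface counters in Table 145 (Incoming Errors, Incoming Discards) and to the SNMP counters at the start of this chapter.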

Monitoring Routing Table Information


The Routing table stores information about destinations and how they can be reached. By default, all networks directly attached to the DefensePro device are registered in this table. Other entries can be statically configured or dynamically created through the routing protocol.

Note: The Routing table is not automatically refreshed periodically. The information is loaded when you select to display the Routing Table pane, and when you manually refresh the display.

To display Routing Table information for a selected device


In the Monitoring perspective, select the Routing tab in the content pane.

Table 142: Routing-Table Monitoring Parameters

Destination Network: The destination network to which the route is defined.
Netmask: The network mask of the destination subnet.
Next Hop: The IP address of the next hop toward the destination subnet. (The next hop always resides on a subnet local to the device.)
Via Interface: The local interface or VLAN through which the next hop of this route is reached. This can be the port name, trunk name, or VLAN ID. This field is displayed only in the Static Routes table.
Type: The type of routing. Values:
  Local: The subnet is directly reachable from the device.
  Remote: The subnet is not directly reachable from the device.
Metric: The metric value defined or calculated for this route.

Monitoring DefensePro ARP Table Information


You can view the device's ARP table, which contains both static and dynamic entries. You can change an entry type from dynamic to static.

Note: The ARP table is not automatically refreshed periodically. The information is loaded when you select to display the ARP Table pane, and when you manually refresh the display.

To display ARP Table information for a selected DefensePro device


In the Monitoring perspective, select the ARP tab in the content pane.

Table 143: DefensePro ARP-Table Monitoring Parameters

Port: The interface number where the station resides.
IP Address: The station's IP address.
MAC Address: The station's MAC address.
Type: The entry type. Values:
  Other: Neither Dynamic nor Static.
  Dynamic: The entry was learned from the ARP protocol. If the entry is not active for a predetermined time, the node is deleted from the table.
  Static: The entry was configured by the network management station and is permanent.


To change an entry type from dynamic to static


In the ARP table, right-click the entry, and select Change Entry to Static.
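Why you would pin an entry to Static: the following added example (not Radware code) diffs two polls of the ARP table and reports a Dynamic entry whose MAC address changed, which is what ARP poisoning on the segment looks like to the device, and lists critical addresses that are still learned dynamically. The field names, port numbers and sample rows are constructed.

```python
# Added example, not Radware code. Compares two polls of the ARP table
# (Table 143) and reports the change that matters on a bridged segment:
# an IP whose MAC address changed while the entry is still Dynamic, the
# symptom of ARP poisoning. Static entries, the ones you pin with
# "Change Entry to Static", are reported only if they stop being static.
# Field names, port numbers and sample rows are constructed.
from typing import Dict, List, NamedTuple


class ArpEntry(NamedTuple):
    port: str
    ip: str
    mac: str
    type: str  # "Dynamic", "Static" or "Other", as in Table 143


def arp_changes(before: List[ArpEntry], after: List[ArpEntry]) -> List[str]:
    """Findings between two polls, as human-readable strings."""
    prev: Dict[str, ArpEntry] = {e.ip: e for e in before}
    findings: List[str] = []
    for e in after:
        old = prev.get(e.ip)
        if old is None:
            continue  # new neighbour; not suspicious by itself
        if old.type == "Static" and e.type != "Static":
            findings.append(f"{e.ip}: static entry became {e.type}")
        elif e.type == "Dynamic" and e.mac.lower() != old.mac.lower():
            findings.append(f"{e.ip}: MAC changed {old.mac} -> {e.mac} on port {e.port}")
    return findings


def pin_candidates(table: List[ArpEntry], critical_ips: List[str]) -> List[str]:
    """Critical addresses (gateways, management hosts) still learned
    dynamically and therefore worth converting to Static."""
    return [e.ip for e in table if e.ip in critical_ips and e.type != "Static"]


# Constructed polls: 10.0.0.1 is the default gateway.
BEFORE = [
    ArpEntry("1", "10.0.0.1", "00:11:22:33:44:55", "Dynamic"),
    ArpEntry("1", "10.0.0.20", "aa:bb:cc:dd:ee:01", "Static"),
    ArpEntry("2", "10.0.0.31", "aa:bb:cc:dd:ee:31", "Dynamic"),
]
AFTER = [
    ArpEntry("1", "10.0.0.1", "de:ad:be:ef:00:01", "Dynamic"),
    ArpEntry("1", "10.0.0.20", "aa:bb:cc:dd:ee:01", "Static"),
    ArpEntry("2", "10.0.0.31", "AA:BB:CC:DD:EE:31", "Dynamic"),  # case only
    ArpEntry("2", "10.0.0.99", "aa:bb:cc:dd:ee:99", "Dynamic"),  # new host
]

if __name__ == "__main__":
    for line in arp_changes(BEFORE, AFTER):
        print(line)
    print("pin:", pin_candidates(AFTER, ["10.0.0.1", "10.0.0.20"]))
```

The sample flags only the gateway, whose MAC moved between polls; a change in letter case is ignored and a newly seen host is not treated as a finding. Because the ARP table is not refreshed automatically, poll it explicitly at a fixed interval to get comparable snapshots.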

Monitoring MPLS RD Information


You can monitor MPLS RD information and configure an MPLS RD. Each MPLS RD is assigned two tags for the link on which the device is installed, an upper tag and a lower tag. On a different link, the same MPLS RD can be assigned with different tags.

To display MPLS RD information for a selected DefensePro device

1. In the Monitoring perspective, select the MPLS RD tab in the content pane. The MPLS RD table displays the current MPLS RD information.
2. To add an MPLS RD, click the (Add) button.
3. Configure the parameters; and then, click OK.

Table 144: MPLS RD Parameters

MPLS RD: The MPLS RD name.
Type: The MPLS RD format. Values:
  2 Bytes : 4 Bytes: AS (16 bit) : Number (32 bit)
  4 Bytes : 2 Bytes: AS (32 bit) : Number (16 bit)
  IP Address : 2 Bytes: IP : Number (16 bit)
Upper Tag: The upper tag for the link on which the device is installed.
Lower Tag: The lower tag for the link on which the device is installed.
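The three Type values in Table 144 are the standard Route Distinguisher formats from RFC 4364 section 4.2. As an added example that is not Radware code, the following Python encodes and decodes all three as the 8-byte on-wire value, which is useful when checking that the RD configured on the device is the same RD the PE routers carry. The admin:number text form is the usual display convention, not a DefensePro syntax, and the sample values are constructed.

```python
# Added example, not Radware code. Encodes and decodes the three MPLS Route
# Distinguisher formats of Table 144 as the 8-byte value defined in RFC 4364
# section 4.2: a 2-byte Type field followed by a 6-byte Value field.
#   Type 0: AS (16 bit) : Number (32 bit)   (Table 144 "2 Bytes : 4 Bytes")
#   Type 1: IPv4 address : Number (16 bit)  (Table 144 "IP Address : 2 Bytes")
#   Type 2: AS (32 bit) : Number (16 bit)   (Table 144 "4 Bytes : 2 Bytes")
# The "admin:number" text form is the usual display convention, not a
# DefensePro syntax; the sample values are constructed.
import struct
from ipaddress import IPv4Address
from typing import Optional, Tuple


def _check_range(number: int, upper: int) -> None:
    if not 0 <= number <= upper:
        raise ValueError(f"assigned number {number} exceeds {upper}")


def rd_to_bytes(admin: str, number: int, rd_type: Optional[int] = None) -> bytes:
    """Build an RD. Without an explicit type, pick it from the admin part:
    dotted IPv4 -> type 1, AS up to 65535 -> type 0, larger AS -> type 2."""
    if rd_type is None:
        rd_type = 1 if "." in admin else (0 if int(admin) <= 0xFFFF else 2)
    if rd_type == 0:
        _check_range(number, 0xFFFFFFFF)
        return struct.pack("!HHI", 0, int(admin), number)
    if rd_type == 1:
        _check_range(number, 0xFFFF)
        return struct.pack("!H4sH", 1, IPv4Address(admin).packed, number)
    if rd_type == 2:
        _check_range(number, 0xFFFF)
        return struct.pack("!HIH", 2, int(admin), number)
    raise ValueError(f"unknown RD type {rd_type}")


def rd_from_bytes(raw: bytes) -> Tuple[int, str, int]:
    """Return (type, administrator, assigned number) from an 8-byte RD."""
    if len(raw) != 8:
        raise ValueError("an RD is exactly 8 bytes")
    rd_type = struct.unpack("!H", raw[:2])[0]
    if rd_type == 0:
        admin, number = struct.unpack("!HI", raw[2:])
        return 0, str(admin), number
    if rd_type == 1:
        ip, number = struct.unpack("!4sH", raw[2:])
        return 1, str(IPv4Address(ip)), number
    if rd_type == 2:
        admin, number = struct.unpack("!IH", raw[2:])
        return 2, str(admin), number
    raise ValueError(f"unknown RD type {rd_type}")


def rd_text(raw: bytes) -> str:
    """Conventional administrator:number display form."""
    _, admin, number = rd_from_bytes(raw)
    return f"{admin}:{number}"


if __name__ == "__main__":
    for admin, number in (("65000", 100), ("192.0.2.1", 7), ("4200000000", 5)):
        raw = rd_to_bytes(admin, number)
        print(raw.hex(), "->", rd_from_bytes(raw), rd_text(raw))
```

Note that the same text "65000:100" is ambiguous between Type 0 and Type 2 unless the AS width is known, which is why the Type field in Table 144 is configured explicitly rather than inferred; the encoder above only guesses when you do not pass rd_type.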

Monitoring and Controlling Device Interfaces


A Layer 2 interface is any interface that has its own MAC address: a physical port, a trunk, or a VLAN. You can monitor status and interface statistics for ports and trunks on all DefensePro devices. You can also change the administrative status of a port, from Up to Down or vice versa.


To change the administrative status of a port or trunk

1. In the Monitoring perspective, select the Ports tab in the content pane.
2. In the navigation pane, select Ports and Trunks. The Ports Table is displayed.
3. Right-click the row with the relevant port, and select Disable Admin Status (for a port currently Up) or Enable Admin Status (for a port currently Down).

To display L2 interface statistics for a selected device

1. In the Monitoring perspective, select the Ports tab in the content pane.
2. In the navigation pane, select Ports and Trunks. The Ports Table is displayed.
3. To view all the statistics for a specific port in one dialog box, double-click the row.

Table 145: L2 Interface Statistics

Basic Parameters

Port Name: The interface name or index number.
Port Description: A description of the interface.
Type: The interface type number assigned by the Internet Assigned Numbers Authority (IANA).
Port Speed: The interface's current bandwidth, in megabits per second.
MAC Address: The MAC address of the interface.
Admin Status: The administrative status of the interface, Up or Down.
Operational Status: The operational status of the interface, Up or Down.
Last Change Time: The value of System Up Time at the time the interface entered its current operational state. If the current state was entered prior to the last re-initialization of the local network management subsystem, this value is zero.

Statistics

Incoming Bytes: The number of incoming octets (bytes) through the interface, including framing characters.
Incoming Unicast Packets: The number of packets delivered by this sub-layer to a higher sub-layer that were not addressed to a multicast or broadcast address at this sub-layer.
Incoming Non-Unicast Packets: The number of packets delivered by this sub-layer to a higher sub-layer that were addressed to a multicast or broadcast address at this sub-layer.
Incoming Discards: The number of inbound packets chosen to be discarded even though no errors had been detected to prevent their being deliverable to a higher-layer protocol. One possible reason for discarding such a packet could be to free up buffer space.
Incoming Errors: For packet-oriented interfaces, the number of inbound packets that contained errors preventing them from being deliverable to a higher-layer protocol. For character-oriented or fixed-length interfaces, the number of inbound transmission units that contained errors preventing them from being deliverable to a higher-layer protocol.
Outgoing Bytes: The total number of octets (bytes) transmitted out of the interface, including framing characters.
Outgoing Unicast Packets: The total number of packets that higher-level protocols requested be transmitted, and which were not addressed to a multicast or broadcast address at this sub-layer, including those that were discarded or not sent.
Outgoing Non-Unicast Packets: The total number of packets that higher-level protocols requested be transmitted, and which were addressed to a multicast or broadcast address at this sub-layer, including those discarded or not sent.
Outgoing Discards: The number of outbound packets that were chosen to be discarded even though no errors had been detected to prevent their being transmitted. One possible reason for discarding such a packet could be to free up buffer space.
Outgoing Errors: For packet-oriented interfaces, the number of outbound packets that could not be transmitted because of errors. For character-oriented or fixed-length interfaces, the number of outbound transmission units that could not be transmitted because of errors.


Chapter 9 Real-Time Security Reporting

You can use the Security Monitoring perspective to observe and analyze the attacks that the device detected and the countermeasures that the device implemented. APSolute Vision displays real-time network traffic and statistical parameters. The DefensePro device calculates a traffic baseline and uses it to identify abnormalities in traffic levels.

Note: When calculating the real-time network traffic and statistical parameters, the DefensePro device does not include traffic that exceeded the throughput license.

The following topics describe monitoring traffic and attacks in APSolute Vision:
  Risk Levels, page 287
  Viewing the Security Dashboard, page 288
  Viewing and Managing Current Attack Information, page 290
  Viewing Real-Time Traffic Statistics, page 306
  Monitoring Attack Sources: Geographical Map, page 311
  Protection Monitoring, page 313
  HTTP Reports, page 319

Risk Levels
The following table describes the risk levels that DefensePro supports to classify security events.

Note: For some protections, the user can specify the risk level for an event. For these protections, the descriptions in the following table are recommendations, and the risk level is the user's responsibility.

Table 146: Risk Levels

Info: The risk does not pose a threat to normal service operation.
Low: The risk does not pose a threat to normal service operation, but may be part of a preliminary action for malicious behavior.
Medium: The risk may pose a threat to normal service operation, but is not likely to cause complete service outage, remote code execution, or unauthorized access.
High: The risk is very likely to pose a threat to normal service availability, and may cause complete service outage, remote code execution, or unauthorized access.


Viewing the Security Dashboard


The Security Dashboard provides a graphical representation of current and recent attacks.

Figure 30: Security Dashboard

Use the Security Dashboard to analyze activity and security events in the network, identify security trends, and analyze risks. You can view Security Dashboard information for individual devices, all devices in a site, or all devices in the network. The dashboard monitoring display refreshes automatically, providing ongoing real-time analysis of the system.

You can configure the following Security Dashboard parameters:
  Scope: Whether the Security Dashboard shows information according to:
    Devices/Physical Ports: The selected physical ports.
    Devices/Policies: The selected Network Protection Policies/Rules.
  Display Last: How long, in minutes, an attack continues to be displayed after the attack has ended.
  Statistics Refresh Interval for Real-Time Security Monitoring Perspective: The display refresh rate. The default is 15 seconds.


The Security Dashboard displays an attack radar and a Drop Intensity indicator.

The attack radar displays current and recent attacks:
  Each arrowhead in the radar represents a separate attack. A flashing arrowhead represents an ongoing attack.
  The color of the arrowhead indicates the attack category. The category represents the type of protection that the attack violates. When you double-click an arrowhead, the corresponding attack-characteristics-and-information dialog box is displayed. The categories in the Security Dashboard are as follows:
    DDoS: Represents attacks identified by the following protection types: Behavioral DoS, SYN Flood, and DoS Shield.
    Server Cracking: Represents attacks identified by Server Cracking Protection.
    Intrusion: Represents attacks identified by Intrusion Protection.
    Application DDoS: Represents attacks identified by HTTP Flood Protection.
    Stateful ACL: Represents attacks identified by Stateful ACL Protection.
    Packet Anomalies: Represents attacks identified by Packet Anomaly Protection.
    Network Scans: Represents attacks identified by Anti-Scanning Protection.
    Black List: Represents traffic identified by Black List Protection.
  The position of the attack in the radar indicates the attack risk. Each band in the radar, moving inwards from the outer edge, represents increasing risk: info, low, medium, and high (see Risk Levels, page 287). You can display summary information for an attack by clicking the corresponding arrowhead, and you can view additional attack details by double-clicking the arrowhead.

Note: The summary information displayed in the attack radar is also presented in the Current Attacks table.

The Drop Intensity counter indicates the level of discarded traffic during attacks, relative to the maximum bandwidth of the device (per license).

To display Security Dashboard information

1. In the Security Monitoring perspective navigation pane Security tab, select the DefensePro device, or site, for which to display data.
2. Select the Security Dashboard tab.
3. From the Scope drop-down list, select one of the following:
   Devices/Physical Ports: The dashboard displays the selected physical ports.
   Devices/Policies: The dashboard displays the selected Network Protection Policies/Rules.
4. If you selected Devices/Physical Ports from the Scope drop-down list, select the ports for which to display data as follows:
   a. Click Select Ports. Data is displayed for the ports in the Selected Ports list.
   b. Move ports to and from the Selected Ports list, as required.
5. If you selected Devices/Policies from the Scope drop-down list, select the Network Protection Policies/Rules for which to display data as follows:
   a. Click Select Policy. Data is displayed for the Network Protection Policies/Rules in the Selected Policies list.
   b. Move policies to and from the Selected Policies list, as required.
6. To control the amount of data displayed, change the number of minutes in the Display Last list.
7. To view additional information for a displayed attack:
   Right-click the corresponding arrowhead in the radar to display summary information for the attack.
   Double-click the corresponding arrowhead in the radar to display detailed information for the attack. For more information, see Attack Details, page 294.

Viewing and Managing Current Attack Information


When an attack is detected, the DefensePro device creates and reports a security event that includes the information relevant to the specific attack. You can configure filter settings to display a subset of the current attack data. Filter conditions are joined using a logical AND operator. That is, only attacks that match all the filter conditions are displayed. The Current Attacks table displays summary information for current and recent attacks. You can export the contents of the Current Attacks table to a CSV file. You can view additional information for a specific attack, including the attack footprint. You can view information about a security event or a group of security events that belong to the same attack.

To display a summary of current attack information

1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site for which to display data.
2. Select the Current Attacks tab.
3. To filter the displayed data, set the filter options as required, and click Go. Information is displayed in the Current Attacks table for the attacks that match all filter conditions.

Note: The attack details contained in the table columns that are hidden by default are displayed in the Attack Details window for individual attacks.

To save the contents of the Current Attacks table to a CSV file

1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site for which to display data.
2. Select the Current Attacks tab.
3. Above the table, click (CSV).
4. Specify the save location and file name; and then, click Save.

Table 147: Current Attacks Filter Settings

Risk: The risk of the attack (see Risk Levels, page 287).
Category: The threat type to which the attack belongs, for example, Intrusions, DoS, Anti-Scanning, and so on. Values: All, ACL, Anti-Scanning, Behavioral DoS, DoS, HTTP Flood, Intrusions, Server Cracking, SYN Flood, Anomalies, Stateful ACL, DNS Flood, Bandwidth Management. Default: All
Select Ports: Add the ports for which to display attack data to the Selected Ports list.
Source Address: The source address of the attack. The string can be any legal IPv4 or IPv6 address, and can include a wildcard (*).
Destination Address: The destination address of the attack. The string can be any legal IPv4 or IPv6 address, and can include a wildcard (*).

Table 148: Current Attacks Summary Information

Start Time: The date and time of the attack start.
Category: The threat type to which this attack belongs.
Status: The last-reported status of the attack. Values:
  Started: An attack containing more than one security event has been detected (some attacks contain multiple security events, such as DoS, Scans, and so on).
  Occurred (signature-based attacks): Each packet matched with signatures was reported as an attack and dropped.
  Ongoing: The attack is currently taking place; the time between Started and Terminated (for attacks that contain multiple security events, such as DoS, Scans, and so on).
  Terminated: There are no more packets matching the characteristics of the attack, and the device reports that the attack has ended.
Risk: The predefined attack severity level (see Risk Levels, page 287). Values: High, Medium, Low, Info.
Attack Name: The name of the detected attack.
Source Address: The source IP address of the attack. If there are multiple IP sources for an attack, this field displays Multiple. The multiple IP addresses are displayed in the Attack Details window.
Destination Address: The destination IP address of the attack.
Destination L4 Port: The destination port of the attack.
Rule Name: The name of the configured network-protection policy rule or server-protection policy rule that was violated by this attack. To view or edit the rule for a specific attack, right-click the attack entry and select Go to Rule.
RDW ID: The unique attack identifier issued by the device.
Direction: The direction of the attack, inbound or outbound.
Action Type: The reported action against the attack. Values:
  Forward: The packet is forwarded to its destination.
  Drop: The packet is discarded.
  Reset Source: A TCP Reset packet is sent to the attacker's source IP address.
  Reset Destination: A TCP Reset packet is sent to the attacker's destination IP address.
Device IP: The IP address of the attacked device.
Protocol (1): The transmission protocol used to send the attack. Values: TCP, UDP, ICMP, IP.
Source L4 Port (1): The Layer 4 source port of the attack.
Physical Port (1): The port on the device at which the attack's packets arrived.
Packet Count: The number of identified attack packets from the beginning of the attack.
Bandwidth: For most protections, this value is the volume of the attack, in kilobits, from when the attack started. For SYN protection (SYN cookies), this value is the number of SYN packets dropped, multiplied by 60 bytes (the SYN packet size).
VLAN (1): A VLAN tag value used to generate reports for each customer. The value N/A or 0 in this field indicates that the VLAN tag is not available.
MPLS RD (1): The Multiprotocol Label Switching Route Distinguisher. This value is used to generate reports for each customer. The value N/A or 0 in this field indicates that the MPLS RD is not available.

(1) This column is not displayed by default in the Current Attacks tab. To display the column, right-click any column heading, and select the column name from the pop-up menu.

To view details of a specific attack

1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site for which to display data.
2. Select the Current Attacks tab.
3. In the Current Attacks table, double-click the attack entry. The attack details are displayed in a separate window.

Note: For more information about attack details, see Attack Details, page 294.

To save a CSV file with details of a specific attack

1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site for which to display data.
2. Select the Current Attacks tab.
3. In the Current Attacks table, double-click the attack entry. The attack details are displayed in a separate window.
4. At the top left of the window, click (CSV).
5. Specify the save location and file name; and then, click Save.

To export information in Ethereal format for packet analysis

1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site for which to display data.
2. Select the Current Attacks tab.
3. In the Current Attacks table, right-click the attack entry and select Export Packets To Ethereal Format.
4. Enter a file name in the file selection dialog box.

Notes
  You can open the CAP file in a packet analyzer (Ethereal is the former name of Wireshark).
  Up to 255 bytes of packet information is saved in the CAP file. That is, DefensePro exports full packets, but APSolute Vision trims them to 255 bytes, so payload beyond that offset is not available for analysis.
  The file is available only as long as the attack is displayed in the Current Attacks table.
  The file is created only if packet reporting is enabled in the protection configuration for the profile that was violated.
  DefensePro exports only the last packet in a sequence that matches the filter. Furthermore, if traffic matches a signature that consists of more than one packet, the reported packet does not include the whole expression in the filter.
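What the 255-byte limit means for the exported file, as an added example that is not Radware code: a minimal libpcap (.cap/.pcap) writer that truncates each frame to a snap length while recording both the captured and the original length, so an analyzer reports the packet as truncated rather than malformed, plus a reader that shows which packets were cut. That the exported CAP file is in libpcap format is an assumption; the Ethernet/IPv4/TCP sample frame is constructed.

```python
# Added example, not Radware code. Shows what the 255-byte limit in the note
# above means for a capture file: a classic libpcap (.cap/.pcap) writer that
# truncates every frame to a snap length and records both the captured and
# the original length, so an analyzer shows "truncated" rather than
# "malformed". That the device's CAP file is libpcap is an assumption; the
# Ethernet/IPv4/TCP sample frame is constructed (checksums left zero).
import struct
from typing import List, Tuple

PCAP_MAGIC = 0xA1B2C3D4   # microsecond-resolution pcap
LINKTYPE_ETHERNET = 1
SNAPLEN = 255             # per the note above
GLOBAL_HDR = "<IHHiIII"   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
PKT_HDR = "<IIII"         # ts_sec, ts_usec, captured length, original length


def pcap_bytes(frames: List[Tuple[float, bytes]], snaplen: int = SNAPLEN) -> bytes:
    """Serialize (timestamp, frame) pairs into a little-endian pcap image."""
    out = bytearray(struct.pack(GLOBAL_HDR, PCAP_MAGIC, 2, 4, 0, 0, snaplen,
                                LINKTYPE_ETHERNET))
    for ts, frame in frames:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        captured = frame[:snaplen]
        out += struct.pack(PKT_HDR, sec, usec, len(captured), len(frame))
        out += captured
    return bytes(out)


def pcap_summary(data: bytes) -> List[Tuple[int, int]]:
    """Parse a pcap image into (captured_len, original_len) per packet.
    The two differ exactly for the packets that were truncated."""
    magic, *_ = struct.unpack(GLOBAL_HDR, data[:24])
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian microsecond pcap")
    pos, out = 24, []
    while pos < len(data):
        _, _, incl, orig = struct.unpack(PKT_HDR, data[pos:pos + 16])
        pos += 16 + incl
        out.append((incl, orig))
    return out


def sample_frame(payload_len: int = 400) -> bytes:
    """Constructed Ethernet/IPv4/TCP SYN frame with a long payload."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + payload_len, 0x1234, 0x4000,
                     64, 6, 0, bytes([192, 0, 2, 10]), bytes([198, 51, 100, 7]))
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return eth + ip + tcp + b"A" * payload_len


if __name__ == "__main__":
    image = pcap_bytes([(1_700_000_000.5, sample_frame())])
    with open("attack-export-sample.cap", "wb") as fh:
        fh.write(image)
    print(pcap_summary(image))   # [(255, 454)]
```

The 454-byte sample frame is stored as 255 bytes: the Ethernet, IP and TCP headers survive (54 bytes), so addresses, ports and flags are analyzable, but only the first 201 bytes of payload remain. When a signature matched on content deeper than that, the exported packet cannot show the match, which is the practical consequence of the last note above.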

To go to the policy that identified a specific attack


1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site for which to display data.
2. Select the Current Attacks tab.
3. In the Current Attacks table, right-click the attack entry and select Go To Policy.

Attack Details
An Attack Information window is displayed when you double-click an attack in the Security Dashboard or in the Current Attacks table.

Tip: To export the information in the Attack Information window to a CSV file, at the top left of the window, click (CSV).

The Attack Description displays the information from the Attack Descriptions file. An attack description is displayed only if the Attack Descriptions file has been uploaded on the APSolute Vision server. For information about uploading the Attack Descriptions file, see Updating the Attack Description File, page 54.

The following attack details are also displayed for the following attacks:
- BDoS Attack Details, page 295
- DoS Attack Details, page 297
- Anti-Scan Attack Details, page 297
- Server Cracking Attack Details, page 299
- SYN Flood Attack Details, page 300
- HTTP Flood Attack Details, page 301
- DNS Flood Attack Details, page 304

Note: The Attack Characteristics information displayed in these windows is also available in the hidden columns of the Current Attack Summary table.

BDoS Attack Details

Parameter: Attack Characteristics
Description (Global): The attack characteristics comprise the following parameters:
- Source L4 Port
- Protocol
- Physical Port
- Packet Count
- Bandwidth [Kbits]
- VLAN
- MPLS RD
- Device IP
- TTL
- L4 Checksum
- TCP Sequence Number
- IP ID Number
- Fragmentation Offset
- Fragmentation Flag: A value of 0 indicates that fragmentation is allowed; 1 indicates that fragmentation is not allowed.
- Flow Label (IPv6 only)
- ToS
- Packet Size
- ICMP Message Type: Displayed only if the protocol is ICMP.
- Source IP
- Destination IP
- Source Ports
- Destination Ports
- DNS ID
- DNS Query
- DNS Query Count

Note: Some fields can display multiple values, when relevant and available. The values displayed depend on the current stage of the attack. If a field is part of the dynamic signature (that is, a specific value or values appear in all the attack traffic), the Attack Characteristics field displays the relevant value or values.


Parameter: Attack Info
Description: The attack information comprises the following parameters:
- Packet Size Anomaly Region: Displays the statistical region of the attack packets. The formula for the packet-size baseline for a policy is
  {(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)}
  Values:
  - Large Packets: The attack packets are approximately 15% larger than the normal packet-size baseline for the policy.
  - Normal Packets: The attack packets are within approximately 15% either side of the normal packet-size baseline for the policy.
  - Small Packets: The attack packets are approximately 15% smaller than the normal packet-size baseline for the policy.
- State: The state of the protection process:
  - Footprints Analysis: Behavioral DoS Protection has detected an attack and is currently determining an attack footprint.
  - Blocking: Behavioral DoS Protection is blocking the attack based on the attack footprint created. Through a closed feedback loop operation, the Behavioral DoS Protection optimizes the footprint rule, achieving the narrowest effective mitigation rule.
  - Non-attack: Nothing was blocked because the traffic was not an attack; no footprint was detected or the blocking strictness level was not met.

Parameter: Sampled Data
Description: Opens the Sampled Data dialog box, which contains data on sampled attack packets.

Parameter: Footprint
Description: Footprint Blocking Rule: The footprint blocking rule generated by the Behavioral DoS Protection, which provides the narrowest effective blocking rule against the flood attack.

Parameter: Attack Statistics Table
Description: This table displays attack traffic (Anomaly) and normal traffic information. Red indicates real-time values identified as suspicious in the 15 seconds prior to when the attack was triggered. Black indicates the learned normal traffic baselines. Table columns are displayed according to the protocols: TCP (includes all flags), UDP, or ICMP.

Parameter: Attack Statistics Graph
Description: The graph displays a snapshot of the relevant traffic type for the 15-second period during which the attack was triggered. For example, during a UDP flood, just UDP traffic is represented. The blue line represents the normal adapted traffic baseline.

Parameter: Attack Description
Description: The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.
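The packet-size anomaly region formula from the Attack Info row above, carried through as an added worked example (this is not Radware's code and does not appear in the guide): it computes {(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)} from constructed Bandwidth [Kbits] and PPS samples and maps the ratio to the Large/Normal/Small Packets regions. It assumes the guide's "approximately 15%" is an exact threshold, and that a sample with zero PPS has no defined packet size.

```python
"""Packet Size Anomaly Region for a BDoS attack (added example, not Radware code).

Applies the packet-size baseline formula from the BDoS Attack Details table,

    {(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)}

and maps the ratio to the Large/Normal/Small Packets regions using the
"approximately 15%" bands the table describes. Assumptions: the 15% band is
treated as an exact threshold, and Bandwidth is in Kbits as in the Attack
Statistics table (the Kbit-to-bit scaling cancels in the ratio).
"""
from __future__ import annotations

from dataclasses import dataclass

LARGE_PACKETS = "Large Packets"
NORMAL_PACKETS = "Normal Packets"
SMALL_PACKETS = "Small Packets"

# Region boundaries: 15% either side of the normal packet-size baseline (assumed exact).
UPPER_BOUND = 1.15
LOWER_BOUND = 0.85


@dataclass(frozen=True)
class TrafficSample:
    """One traffic reading: bandwidth in Kbits and packets per second."""
    bandwidth_kbits: float
    pps: float

    def avg_packet_bits(self) -> float:
        """Average packet size in bits, i.e. Bandwidth/PPS."""
        if self.pps <= 0:
            # No packets means no packet size; the region is undefined.
            raise ValueError("PPS must be positive to derive a packet size")
        return self.bandwidth_kbits * 1000.0 / self.pps

    def avg_packet_bytes(self) -> float:
        return self.avg_packet_bits() / 8.0


def packet_size_ratio(anomaly: TrafficSample, normal: TrafficSample) -> float:
    """(AnomalyBandwidth/AnomalyPPS) / (NormalBandwidth/NormalPPS)."""
    return anomaly.avg_packet_bits() / normal.avg_packet_bits()


def anomaly_region(ratio: float) -> str:
    """Map the baseline ratio to the region label shown in the Attack Info pane."""
    if ratio > UPPER_BOUND:
        return LARGE_PACKETS
    if ratio < LOWER_BOUND:
        return SMALL_PACKETS
    return NORMAL_PACKETS


def classify(anomaly: TrafficSample, normal: TrafficSample) -> tuple[float, str]:
    """Return (ratio, region) for an attack sample against the learned baseline."""
    ratio = packet_size_ratio(anomaly, normal)
    return ratio, anomaly_region(ratio)


# Constructed samples (not measured data). A learned baseline of 100,000 Kbits
# at 20,000 PPS is 5,000 bits (625 bytes) per packet.
NORMAL_BASELINE = TrafficSample(bandwidth_kbits=100_000, pps=20_000)

CONSTRUCTED_ATTACKS = {
    # 80,000 Kbits at 100,000 PPS: 800 bits (100 bytes) per packet, a small-packet flood.
    "small-packet flood": TrafficSample(bandwidth_kbits=80_000, pps=100_000),
    # 200,000 Kbits at 20,000 PPS: 10,000 bits per packet, twice the baseline.
    "large-packet flood": TrafficSample(bandwidth_kbits=200_000, pps=20_000),
    # 110,000 Kbits at 20,000 PPS: 5,500 bits, only 10% above baseline, so still Normal.
    "rate-only flood": TrafficSample(bandwidth_kbits=110_000, pps=20_000),
}


def classify_all() -> dict[str, str]:
    """Region label for each constructed attack sample against the baseline."""
    return {name: classify(s, NORMAL_BASELINE)[1] for name, s in CONSTRUCTED_ATTACKS.items()}


if __name__ == "__main__":
    for name, sample in CONSTRUCTED_ATTACKS.items():
        ratio, region = classify(sample, NORMAL_BASELINE)
        print(f"{name:20s} ratio={ratio:.2f}  avg={sample.avg_packet_bytes():.0f} B  -> {region}")
```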


DoS Attack Details

Parameter: Attack Characteristics
Description (Global): The attack characteristics comprise the following parameters:
- Protocol
- Physical Port
- Packet Count
- VLAN
- MPLS RD
- Device IP

Note: Some fields can display multiple values, when relevant and available. The values displayed depend on the current stage of the attack. If a field is part of the dynamic signature (that is, a specific value or values appear in all the attack traffic), the Attack Characteristics field displays the relevant value or values.

Parameter: Attack Info
Description: The attack information comprises the following parameters:
- Action: The protection action taken.
- Attacker IP: The IP address of the attacker.
- Protected Host: The protected host.
- Protected Port: The protected port.
- Attack Duration: The duration of the attack.
- Current Packet Rate: The current packet rate.
- Average Packet Rate: The average packet rate.

Parameter: Sampled Data
Description: Opens the Sampled Data dialog box, which contains data on sampled attack packets.

Parameter: Attack Description
Description: The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.

Anti-Scan Attack Details

Parameter: Attack Characteristics
Description (Global): The attack characteristics comprise the following parameters:
- Source L4 Port
- Protocol
- Physical Port
- Packet Count
- VLAN
- MPLS RD
- Device IP
- Bandwidth [Kbits]


Parameter: Attack Info
Description: Protection-action information, blocking details, and scan statistics. The attack information comprises the following parameters:
- Action: The protection action taken.
- Action Reason: Describes the difference between the configured action and the actual action.
- Blocking Duration: The blocking duration, in seconds, of the attacker source IP address.
- Estimated Release Time (Local): The estimated release time of the attacker, in local time.
- Avg. Time Between Probes: The average time between scan events, in seconds.
- Number of Probes: The number of scan events from the time the attack started.

Parameter: Footprint
Description: Footprint Blocking Rule: The footprint blocking rule generated by the anti-scanning attack protection, which provides the narrowest effective blocking rule against the scanning attack.

Parameter: Scan Details
Description:
- DST IP: The destination IP address of the scan.
- DST L4 Port: The destination port of the scan.
- TCP Flag: The TCP packet type. (Displayed only for TCP traffic.)
- ICMP Message Type: The ICMP message type. (Displayed only for ICMP traffic.)

Parameter: Attack Description
Description: The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.


Server Cracking Attack Details

Parameter: Attack Characteristics
Description (Global): The attack characteristics comprise the following parameters:
- Protocol
- Source L4 Port
- Physical Port
- Packet Count
- Bandwidth [Kbits]
- VLAN
- MPLS RD
- Device IP

Parameter: Attack Info
Description: Displays protection action information, blocking details, and attack statistics. The attack information comprises the following parameters:
- Blocking Duration: The blocking duration, in seconds, of the attacker source IP address.
- Estimated Release Time: The estimated release time of the attacker, in local time.
- Avg. Time Between Probes: The average time between scan events, in seconds.
- Number of Probes: The number of scan events from the time the attack started.

Parameter: Sampled Data
Description: Opens the Sampled Data dialog box, which contains data on sampled attack packets.

Parameter: Application Requests
Description: When a server-cracking attack is detected, DefensePro sends sample suspicious attacker requests to the management system in order to provide more information on the nature of the attack. The sample requests are sent for the following protocols or attacks:
- Web Scan: Sample HTTP requests.
- Web Cracking: Username and Password.
- SIP: SIP user (SIP URI).
- FTP: Username (if sent in the same request) and Password.
- POP3: Username (if sent in the same request) and Password.


SYN Flood Attack Details

Parameter: Attack Characteristics
Description (Global): The attack characteristics comprise the following parameters:
- Protocol
- Physical Port
- Packet Count
- VLAN
- MPLS RD
- Device IP
- Bandwidth [Kbits]

Parameter: Attack Info
Description: The information is displayed when the protection action is blocking mode. The attack information comprises the following parameters:
- Average Attack Rate: The average rate of spoofed SYNs and data connection attempts per second, calculated every 10 seconds.
- Attack Threshold: The configured attack trigger threshold, in half connections per second.
- Attack Volume: The number of packets from spoofed TCP connections during the attack life cycle (aggregated). These packets are from the sessions that were established through the SYN-cookies mechanism or were passed through the SYN protection trusted list.
- Attack Duration: The duration, in hh:mm:ss format, of the attack on the protected port.
- TCP Challenge: The Authentication Method that identified the attack: Transparent Proxy or Safe-Reset.
- HTTP Challenge: The HTTP Authentication Method that identified the attack: 302-Redirect or JavaScript.

Parameter: Authentication Lists Utilization
Description: The Authentication Lists Utilization group comprises the following parameters:
- TCP Auth. List: The current utilization, in percent, of the TCP Authentication table.
- HTTP Auth. List: The current utilization, in percent, of the HTTP Authentication table.

Parameter: Attack Description
Description: The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.


HTTP Flood Attack Details

Parameter: Attack Characteristics
Description (Global): The attack characteristics comprise the following parameters:
- Source L4 Port
- Protocol
- Physical Port
- Packet Count
- VLAN
- MPLS RD
- Device IP
- Bandwidth [Kbits]

Note: Some fields can display multiple values, when relevant and available. The values displayed depend on the current stage of the attack. If a field is part of the dynamic signature (that is, a specific value or values appear in all the attack traffic), the Attack Characteristics field displays the relevant value or values.


Parameter: Attack Info
Description: The attack information comprises the following parameters:
- Protection State: The state of the protection process:
  - Characterization: The protection module is analyzing the attack footprint.
  - Mitigation: The protection module is mitigating the attack according to the profile configuration.
  - Suspicious Activities: The protection module identified the attack but cannot mitigate it.
- Mitigation Flow: The configuration of the mitigation flow for the profile:
  - Default: The mitigation flow for the profile is configured to use all three mitigation actions, which are selected by default: 1-Challenge Suspects, 2-Challenge All, 3-Block Suspects.
  - Customized: The mitigation flow for the profile is not configured to use all three mitigation actions.
- Action: The current action that the protection module is using to mitigate the attack:
  - Challenge Suspected Attackers: The protection module is challenging HTTP sources that match the real-time signature.
  - Challenge All Sources: The protection module is challenging all HTTP traffic toward the protected server.
  - Block Suspected Attackers: The protection module is blocking all HTTP traffic from the suspect sources (that is, sources that match the signature).
  - No Mitigation: The protection module is in the Suspicious Activities state and is not mitigating the attack.
- Challenge Method: The user-specified Challenge Method, 302 Redirect or JavaScript.
- Suspicious Sources: The number of sources that the protection module suspects of being malicious.
- Challenged Sources: The number of sources that the protection module has identified as attackers and is now challenging.
- Blocked Sources: The number of sources that the protection module has identified as attackers and is now blocking.
- HTTP Authentication Table Utilization [%]: The percentage of the HTTP Authentication Table that is full.

Parameter: Sampled Data
Description: Opens the Sampled Data dialog box, which contains data on sampled attack packets.


Parameter: Blocked Users
Description:
- Source IP address: The source IP addresses mitigated as attackers. Up to 40 different IP addresses can be viewed.
  Note: When the HTTP flood attack is widely distributed, meaning more than 1000 source IP addresses, the system does not use any source IP addresses in the blocking rule. This mitigation occurs only if the URI Only blocking mode option is enabled.
- Request URI Bypassed/Blocked: The HTTP request URIs that took part in the HTTP flood attack and were mitigated. Usually the value displayed is Blocked. Only when one of the HTTP request URIs was configured to be bypassed is the value Bypassed.

Parameter: Attack Statistics Table
Description: This table displays normal and actual traffic information. Normal values represent the learned normal traffic baselines. Real-time values display the actual values when an attack is triggered.

Parameter: Attack Statistics Graph
Description: The graph displays the HTTP request URI size distribution. The y-axis shows the number of HTTP requests per second for the GET and POST request methods, and the x-axis shows the Request URI size in bytes. The blue line represents the normal expected HTTP request rates and the orange line represents the real-time rate values identified when the attack was triggered.

Parameter: Attack Description
Description: The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.


DNS Flood Attack Details

Parameter: Attack Characteristics
Description (Global): The attack characteristics comprise the following parameters:
- Source L4 Port
- Protocol
- Physical Port
- Packet Count
- VLAN
- MPLS RD
- Device IP
- Bandwidth [Kbits]
- TTL
- IP ID Number
- Destination IP
- DNS ID
- DNS Query Count
- L4 Checksum
- Packet Size
- Destination Ports
- DNS Query
- DNS An Query Count

Note: Some fields can display multiple values, when relevant and available. The values displayed depend on the current stage of the attack. If a field is part of the dynamic signature (that is, a specific value or values appear in all the attack traffic), the Attack Characteristics field displays the relevant value or values.

Parameter: Attack Info
Description: The attack information comprises the State parameter and the Mitigation Action parameter. The State parameter indicates the state of the protection process. The Mitigation Action parameter indicates the mitigation action.
Values for State:
- Footprints Analysis: Behavioral DoS Protection has detected an attack and is currently determining an attack footprint.
- Blocking: Behavioral DoS Protection is blocking the attack based on the attack footprint created. Through a closed feedback loop operation, the Behavioral DoS Protection optimizes the footprint rule, achieving the narrowest effective mitigation rule.
- Non-attack: Nothing was blocked because the traffic was not an attack; no footprint was detected or the blocking strictness level was not met.
Values for Mitigation Action:
- signature-challenge
- signature-rate-limit
- collective-challenge
- collective-rate-limit

Parameter: Sampled Data
Description: Opens the Sampled Data dialog box, which contains data on sampled attack packets.

Parameter: Footprint
Description: Footprint Blocking Rule: The footprint blocking rule that the Behavioral DoS Protection generated. The footprint blocking rule provides the narrowest effective blocking rule against the flood attack.


Parameter: Attack Statistics Table
Description: This table displays attack traffic (Anomaly) and normal traffic information. Red indicates real-time values identified as suspicious in the 15 seconds prior to when the attack was triggered. Black indicates the learned normal traffic baselines. Table columns are displayed according to the DNS query types: A, MX, PTR, AAAA, Text, SOA, NAPTR, SRV, Other.
Caution: DefensePro does not support DNS queries of type ANY.

Parameter: Attack Statistics Graph
Description: The graph displays a snapshot of the relevant traffic type for the 15-second period during which the attack was triggered. For example, during a UDP flood, just UDP traffic is represented. The blue line represents the normal adapted traffic baseline.

Parameter: Attack Description
Description: The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute Vision server.

Sampled Data Dialog Box

The Sampled Data dialog box contains a table with data on sampled attack packets. Each row in the table displays the data for one sampled attack packet. The title bar includes the category of the data, for example, Behavioral DoS.

The table in the Sampled Data dialog box comprises the following columns:
- Time
- Source Address
- Source L4 Port
- Destination Address
- Destination L4 Port
- Protocol
- VLAN
- MPLS RD
- Physical Port

To display the Sampled Data dialog box


1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site for which to display data.
2. Select the Current Attacks tab.
3. In the Current Attacks table, right-click the attack entry and select Sampled Data.

You can export some rows of the table in the Sampled Data dialog box to a CSV file.

To save sampled data to a CSV file


1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site for which to display data.
2. Select the Current Attacks tab.
3. In the Current Attacks table, right-click the attack entry and select Sampled Data.
4. Select the row with which you want the data rows in the file to start.
5. Click (CSV).
6. Specify the location and file name; and then, click Save.

Viewing Real-Time Traffic Statistics


You can view real-time traffic statistics over time for the IP traffic passing through the managed DefensePro devices on selected port pairs. The information includes data on overall IP traffic, protocol mix, and packet discards. You can display the data in graph or table format. You can also view graphs of connection rates and concurrent connections based on data from the Session Table. By default, all traffic is presented in these graphs and tables. In each graph, you can filter the display by protocol or traffic direction, but not for concurrent connections. The Connection Statistics are displayed only when the device is operating in Full Layer 4 Session Table Lookup mode.

You can monitor the following traffic information in the Traffic Monitoring tab:
- Viewing Traffic Utilization Statistics, page 307
- Viewing Connection Rate Statistics, page 310
- Viewing Concurrent Connections Statistics, page 311


Viewing Traffic Utilization Statistics


APSolute Vision can display traffic utilization statistics for the following:
- Statistics Graph: Displays information for selected port pairs as a graph. The graph contains information for a selected protocol or the total for all protocols over a period of time. There is a curve on the graph for each of the following:
  - Inbound IP traffic
  - Outbound IP traffic
  - Discarded inbound traffic
  - Discarded outbound traffic
  - Excluded inbound traffic
  - Excluded outbound traffic
  The graph displays excluded inbound traffic and excluded outbound traffic only when the Traffic Exclusion option is enabled. When the Traffic Exclusion option is enabled, the device passes through all traffic that matches no network policy configured on the device, regardless of any other protection configured. For more information, see Configuring the Basic Network Parameters, page 124.
  Caution: When the value of the Scope parameter is Devices/Policies (see Table 149 - Traffic Utilization Display Settings for Graph and Table, page 308), during the Update Policies process, the Statistics Graph momentarily displays Traffic Utilization as 0 (zero).
- Last Sample Statistics: Displays the last reading for each protocol and provides totals for all protocols.
- Traffic Authentication Statistics (Challenge/Response): Displays statistics for the Challenge-Response mechanism when the relevant option is enabled in the protection modules that support the Challenge-Response mechanism. For more information, see Configuring Global DNS Flood Protection, page 149 and Configuring HTTP Flood Mitigation Profiles for Server Protection, page 209.

Tip: To get the current traffic rate in packets or bytes per second (calculated as the average rate in 15 seconds), you can use the following CLI command on the DefensePro device:

dp rtm-stats get [port number]

To display traffic utilization statistics


1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site for which to display data.
2. Select the Traffic Monitoring tab.
   By default, the Traffic Utilization pane is displayed.
3. Change display settings for the graph and table, as required, and click Go.
4. For the Statistics Graph and Last Sample Statistics, set filter options for the displayed traffic data, as required.
   The displayed information refreshes automatically.


Table 149: Traffic Utilization Display Settings for Graph and Table

Parameter: Scope
Description: The scope of the graph view.
Values:
- Devices/Physical Ports: The graph shows traffic according to physical ports on the specified device.
- Devices/Policies: The graph shows traffic according to Network Protection policies/rules on the specified device.
Default: Devices/Physical Ports

Parameter: Units
Description: The units for the traffic rate.
Values:
- Kbps: Kilobits per second
- Packet/Sec: Packets per second

Parameter: Select Port Pair (This button is displayed only when the Scope is Devices/Physical Ports.)
Description: Opens the Select Port Pairs dialog box. Select the port pairs relevant for the network topology by moving the required port pairs to the Selected Port Pairs list. All other port pairs should be in the Available Port Pairs list.
Note: You can select port pairs for each direction; however, Radware recommends that you select a port pair in one direction only, and display traffic for both directions, if required. If you select port pairs in both directions, and traffic for both directions, the graph will display the same traffic twice.

Parameter: Select Policies (This button is displayed only when the Scope is Devices/Policies.)
Description: Opens the Select Policies dialog box. Select the Network Protection policies/rules relevant for the network topology by moving the required policies to the Selected Policies list.

Table 150: Traffic Utilization Filter Parameters for the Graph

Parameter: Show Traffic
Description: The traffic that the graph shows.
Values:
- Inbound: Show inbound traffic.
- Outbound: Show outbound traffic.
- Both: Show inbound and outbound traffic. Data for inbound and outbound are displayed as separate lines, not as totals.
Note: The direction of traffic between a pair of ports is defined by the In Port setting in the port pair configuration.

Parameter: Protocol
Description: The traffic protocol to display.
Values:
- TCP: Show the statistics of the TCP traffic.
- UDP: Show the statistics of the UDP traffic.
- ICMP: Show the statistics of the ICMP traffic.
- IGMP: Show the statistics of the IGMP traffic.
- SCTP: Show the statistics of the SCTP traffic.
- Other: Show the statistics of the traffic that is not TCP, UDP, ICMP, IGMP, or SCTP.
- All: Show total traffic statistics.

Table 151: Last Sample Statistics Parameters

Parameter: Protocol
Description: The traffic protocol.
Values:
- TCP
- UDP
- ICMP
- IGMP
- SCTP
- Other: The statistics of the traffic that is not TCP, UDP, ICMP, IGMP, or SCTP.
- All: Total traffic statistics.

Parameter: Inbound
Description: The amount of inbound traffic for the protocol identified in the row.

Parameter: Outbound
Description: The amount of outbound traffic for the protocol identified in the row.

Parameter: Discarded Inbound
Description: The amount of discarded inbound traffic for the protocol identified in the row.

Parameter: Discarded Outbound
Description: The amount of discarded outbound traffic for the protocol identified in the row.

Parameter: Discards %
Description: The percentage of discarded traffic for the protocol identified in the row.

Parameter: Excluded Inbound
Description: The amount of excluded inbound traffic for the protocol identified in the row.

Parameter: Excluded Outbound
Description: The amount of excluded outbound traffic for the protocol identified in the row.

Table 152: Traffic Authentication Statistics (Challenge/Response) Parameters

Parameter: Protocol
Description: The protocol for the statistics displayed in the row. Values: TCP, HTTP, DNS

Parameter: Current Attacks
Description: The number of attacks currently in the device.

Parameter: Challenges Rate
Description: The rate, in PPS, at which the device is sending challenges.

Parameter: Authentication Table Utilization %
Description: The percentage of the Authentication Table that is full.

You can export some rows of the Last Sample Statistics table to a CSV file.

To save last sample statistics to a CSV file


1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site for which to display data.
2. Select the Traffic Monitoring tab.
3. Select the Traffic Utilization node.
4. In the Last Sample Statistics group box, click (CSV).
5. Specify the location and file name; and then, click Save.

Viewing Connection Rate Statistics


You can display a graph showing connection rate statistics of inbound and outbound traffic for selected port pairs. You can display the information for a selected protocol or the total for all protocols over the last 30 minutes.

To display connection rate statistics


1. In the Security Monitoring perspective navigation pane, select the DefensePro device or site for which to display data.
2. Select the Traffic Monitoring tab.
3. In the navigation pane, select Connections Rate.
4. Change display settings for the graph as required, and click Go.

Table 153: Connection Rate Display Settings

Parameter: Scope
Description: The scope of the graph view.
Values:
- Devices/Physical Ports: The graph shows traffic according to physical ports on the specified device.
- Devices/Network Policies: The graph shows traffic according to Network Protection policies/rules on the specified device.
Default: Devices/Physical Ports

Parameter: Show Traffic
Description: Select inbound traffic, outbound traffic, or both. When you select both, data for inbound and outbound are displayed as separate lines, not as totals.
Note: The direction of traffic between a pair of ports is defined by the In Port setting in the port pair configuration.

Parameter: Protocol
Description: Select the traffic protocol to display. When you select All, total traffic statistics are displayed.


Parameter: Select Port Pair (This button is displayed only when the Scope is Devices/Physical Ports.)
Description: Opens the Select Port Pairs dialog box. Select the port pairs relevant for the network topology by moving the required port pairs to the Selected Port Pairs list. All other port pairs should be in the Available Port Pairs list.
Note: You can select port pairs for each direction; however, Radware recommends that you select a port pair in one direction only, and display traffic for both directions, if required. If you select port pairs in both directions, and traffic for both directions, the graph will display the same traffic twice.

Parameter: Select Policies (This button is displayed only when the Scope is Devices/Policies.)
Description: Opens the Select Policies dialog box. Select the Network Protection policies/rules relevant for the network topology by moving the required policies to the Selected Policies list.

Viewing Concurrent Connections Statistics


You can display a graph showing the rate of current connections for selected port pairs. You can display the information for a selected protocol or the total for all protocols over the last 30 minutes.

To display concurrent connections statistics


1. In the Security Monitoring perspective navigation pane, select the device or site for which to display data.
2. Select the Traffic Monitoring tab, and in the navigation pane, select Concurrent Connections.
3. Select the traffic protocol from the Protocol list, and click Go.
   When you select All in the Protocol list, total traffic statistics are displayed.

Monitoring Attack Sources: Geographical Map


Attacks can originate from different locations around the world, for example, Web site attacks. Web site administrators can track these attacks to see from which countries they originate. You can generate a Top Attack Sources report for an individual device. This report displays a geographical map of the world with indicators marking the country from which attacks originated, based on their source IP address. You can modify the report output by configuring the period of time over which the map displays data, and the number of source countries to display. The Top Attack Sources report also displays a summary table of attacks that originated from each source country marked on the map, and you can view additional details for a selected source.


To view attack sources


1. In the Security Monitoring perspective navigation pane, select the device or site for which to display data.
2. Select the GeoMap tab.
3. In the GeoMap pane, if required, change the display settings.
4. Click an attack source in the map to display more details in the Location Attacks List table. (When no location is selected in the map, this table is empty.)

Table 154: GeoMap Display Settings

Parameter: Display Last
Description: The last number of hours for which the map displays information.
Values: 1, 2, 3, 6, 12, 24
Default: 1 hour

Parameter: Top Sources to Display
Description: The map displays the locations that have the highest number of attacks in the database. You can set the number of locations to display, up to a maximum of 20.
Default: 5

Parameter: Total Plotted Attacks (Read-only)
Description: The number of attack source locations that are displayed. All attacks that cannot be associated with any known location are considered as originating from a single (unknown) location.

You can export some rows of the Attack Distribution tables, the Attack Summary and Location Attacks List tables, to a CSV file.

To save attack-distribution attack-summary information to a CSV file


1. In the Security Monitoring perspective navigation pane, select the device or site for which to display data.
2. Select the GeoMap tab.
3. Select the row with which you want the data rows in the file to start.
4. Above the Attack Summary table, click (CSV).
5. Specify the location and file name; and then, click Save.

To save attack-distribution attack-location information to a CSV file

1. In the Security Monitoring perspective navigation pane, select the device, or site, for which to display data.
2. Select the GeoMap tab.
3. Select the row with which you want the data rows in the file to start.
4. Above the Location Attacks List table, click the CSV icon.
5. Specify the location and file name; and then, click Save.

Protection Monitoring

Protection Monitoring provides real-time traffic monitoring per network policy rule: for the network as a whole, if BDoS protection is configured, or for DNS traffic, if DNS Flood protection is configured. The statistical traffic information that Protection Monitoring provides can help you better understand the traffic that flows through the protected network, how the configured protection is working, and, most importantly, how anomalous traffic is detected. For information about displaying protection information for a selected device, see the following:

  Displaying Attack Status Information, page 313
  Monitoring Network Rule Traffic, page 314
  Monitoring DNS Flood Attack Traffic, page 316

Displaying Attack Status Information

You can display summary status information for attacks for each configured and enabled network policy rule. When an attack violates a network policy rule, the table displays, in the row for that rule, an icon indicating the status of the attack for the relevant attack traffic.

To display attack status information

1. In the Security Monitoring perspective navigation pane, select the DefensePro device to monitor.
2. Select the Protection Monitoring tab. By default, the Attack Status pane is displayed with the Attack Status per Rule table. The table comprises the following columns: Rule Name, IPv4-TCP, IPv4-UDP, IPv4-ICMP, IPv4-DNS, IPv6-TCP, IPv6-UDP, IPv6-ICMP, IPv6-DNS.
3. When an attack icon is displayed in the table, click the icon to display the corresponding attack traffic information.

You can export rows of the Attack Status per Rule table to a CSV file.


To save attack information to a CSV file

1. In the Security Monitoring perspective navigation pane, select the DefensePro device, or site, for which to display data.
2. Select the Protection Monitoring tab.
3. Select the Attack Status per Rule node.
4. Select the row with which you want the data rows in the file to start.
5. Click the CSV icon.
6. Specify the location and file name; and then, click Save.

Monitoring Network Rule Traffic

You can monitor the traffic for a network policy rule that includes BDoS protection. Traffic information is displayed in the Statistics Graph and the Last Sample Statistics table.

Caution: When traffic matches multiple Network Protection policies/rules with Out of State protection, the value that APSolute Vision displays for the total dropped traffic represents the sum of all dropped traffic for all relevant Network Protection policies/rules. This is because when traffic matches multiple Network Protection policies/rules with Out of State protection, all those policies/rules count the same dropped traffic.

To display traffic information for a network policy rule that includes BDoS protection

1. In the Security Monitoring perspective navigation pane, select the device to monitor.
2. Select the Protection Monitoring tab, and select Network Rule Traffic.
3. In the content pane Filter group box, configure the filter for the display of the Statistics Graph and Last Sample Statistics table; and then, click Go.
4. Configure the settings for the display of the Statistics Graph.

Statistics Graph
The graph displays the traffic rates for the selected network policy rule according to the specified parameters over the last 30 minutes.

Table 155: Filter Parameters for the Statistics Graph and Last Sample Statistics Table

Parameter | Description
Rule | The network policy rule. The list only displays rules configured with a BDoS profile.
Direction | The direction of the traffic that the Statistics Graph and Last Sample Statistics table display. Values: Inbound, Outbound
Units | The unit in which the Statistics Graph and Last Sample Statistics table display the traffic. Values: Kbps (kilobits per second), Packets/Sec (packets per second)

Table 156: Statistics Graph Parameters

Parameter | Description
IP Version | The IP version of the traffic that the graph displays. Values: IPv4, IPv6
Protection Type | The protection type to monitor. Values: TCP ACK FIN, TCP FRAG, TCP RST, TCP SYN, TCP SYN ACK, UDP, ICMP, IGMP
Scale | The scale for the presentation of the information along the Y-axis. Values: Linear, Logarithmic
Attack Status | (Read-only) The status of the attack.

Table 157: Statistics Graph Legend

Line | Description
Total Traffic (dark blue) | The total traffic that the device sees for the specific protection type and direction.
Legitimate Traffic (light blue) | The actual forwarded traffic rate, after DefensePro blocked the attack. When there is no attack, the Total Traffic and Legitimate Traffic are equal.
Normal Edge (dashed green) | The statistically calculated baseline traffic rate.
Suspected Edge (dashed orange) | The traffic rate that indicates a change in traffic that might be an attack.
Attack Edge (dashed red) | The traffic rate that indicates an attack.


Last Sample Statistics Table

Table 158: Last Sample Statistics Parameters

Parameter | Description
Traffic Type | The protection type. Each specific traffic type and direction has a baseline that the device learns automatically.
Baseline | The normal traffic rate expected by the device.
Total Traffic | The total traffic rate that the DefensePro device sees for the specific traffic type and direction.
Baseline Portion % | An indication of the rate-invariant baseline, that is, the normal percentage of the specific traffic type relative to all other traffic in the same direction.
RT Portion % | The actual (real-time) percentage of the specific traffic type relative to all other traffic in the same direction.
Legitimate Traffic | The actual forwarded traffic rate, after the device blocked the attack. When there is no attack, the real-time (total) rate and the legitimate rate are equal.
Legitimate Portion % | The actual percentage of the forwarded traffic rate of the specified type relative to other types of traffic, after the device blocked the attack.
Degree of Attack | A numeric value that evaluates the current level of attack. A value of 8 or greater signifies an attack.

You can export rows of the Last Sample Statistics table to a CSV file.

To save last sample statistics to a CSV file

1. In the Security Monitoring perspective navigation pane, select the DefensePro managed device, or site, for which to display data.
2. Select the Protection Monitoring tab.
3. Select the Network Rule Traffic node.
4. In the Last Sample Statistics group box, click the CSV icon.
5. Specify the location and file name; and then, click Save.

Monitoring DNS Flood Attack Traffic

You can monitor the traffic for a network policy rule that includes DNS Flood protection. Traffic information is displayed in the Statistics Graph and the Last Sample Statistics table.

To display traffic information for a network policy rule that includes DNS protection

1. In the Security Monitoring perspective navigation pane, select the device to monitor.
2. Select the Protection Monitoring tab, and select Network Rule DNS Traffic.
3. In the content pane Filter group box, configure the filter for the display of the Statistics Graph and Last Sample Statistics table; and then, click Go.
4. Configure the settings for the display of the Statistics Graph.


Statistics Graph
The graph displays the traffic rates for the selected network policy rule according to the specified parameters over the last 30 minutes.

Table 159: Filter Parameters for the Statistics Graph and Last Sample Statistics Table

Parameter | Description
Rule | The network policy rule. The list only displays rules configured with a DNS profile.
Direction | The direction of the traffic that the Statistics Graph and Last Sample Statistics table display. Values: Inbound, Outbound
Units | (Read-only) The unit in which the Statistics Graph and Last Sample Statistics table display the traffic. Value: QPS (queries per second)

Table 160: Statistics Graph Parameters

Parameter | Description
IP Version | The IP version of the traffic that the graph displays. Values: IPv4, IPv6
Protection Type | The DNS query type to monitor. Values: Other, Text, A, AAAA, MX, NAPTR, PTR, SOA, SRV
Scale | The scale for the presentation of the information along the Y-axis. Values: Linear, Logarithmic
Attack Status | (Read-only) The status of the attack.

Caution: DefensePro does not support DNS queries of type ANY.


Table 161: Statistics Graph Legend

Line | Description
Total Traffic (dark blue) | The total traffic that the device sees for the specific protection type and direction.
Legitimate Traffic (light blue) | The actual forwarded traffic rate, after DefensePro blocked the attack. When there is no attack, the Total Traffic and Legitimate Traffic are equal.
Normal Edge (1) (dashed green) | The statistically calculated baseline traffic rate.
Suspected Edge (1) (dashed orange) | The traffic rate that indicates a change in traffic that might be an attack.
Attack Edge (1) (dashed red) | The traffic rate that indicates an attack.

(1) This line is not displayed if the protection is configured to use a footprint bypass or manual triggers.

Last Sample Statistics Table

Table 162: Last Sample Statistics Parameters

Parameter | Description
Traffic Type | The protection type. Each specific traffic type and direction has a baseline that the device learns automatically.
Baseline | The normal traffic rate expected by the device.
Total Traffic | The total traffic rate that the DefensePro device sees for the specific traffic type and direction.
Baseline Portion % | An indication of the rate-invariant baseline, that is, the normal percentage of the specific traffic type relative to all other traffic in the same direction.
RT Portion % | The actual (real-time) percentage of the specific traffic type relative to all other traffic in the same direction.
Legitimate Traffic | The actual forwarded traffic rate, after the device blocked the attack. When there is no attack, the real-time (total) rate and the legitimate rate are equal.
Legitimate Portion % | The actual percentage of the forwarded traffic rate of the specified type relative to other types of traffic, after the device blocked the attack.
Degree of Attack | A numeric value that evaluates the current level of attack. A value of 8 or greater signifies an attack.

You can export rows of the Last Sample Statistics table to a CSV file.

To save last sample statistics to a CSV file

1. In the Security Monitoring perspective navigation pane, select the DefensePro device, or site, for which to display data.
2. Select the Protection Monitoring tab.
3. Select the Network Rule DNS Traffic node.
4. In the Last Sample Statistics group box, click the CSV icon.
5. Specify the location and file name; and then, click Save.

HTTP Reports
HTTP Mitigator protection monitors rate-based and rate-invariant HTTP traffic parameters, learns them, and generates normal behavior baselines accordingly.

Note: DefensePro examines the number and rate of HTTP requests. Thus, when HTTP pipelining is used, the detection mechanism remains accurate.

You can monitor real-time and historical (normal baseline) values, and analyze HTTP traffic anomalies using the following reports:

  Monitoring Continuous Learning Statistics, page 319
  Monitoring Hour-Specific Learning Statistics, page 320
  HTTP Request Size Distribution, page 321
  MIB Support for Real-Time HTTP Monitoring Data, page 322

Monitoring Continuous Learning Statistics


You can generate and display normal HTTP traffic baselines based on continuous traffic statistics. Continuous learning statistics are based on recent traffic, irrespective of the time of day or day of the week. The learning response period (that is, the exponential sliding-window period on which the statistics measurements are based) is set by the HTTP Mitigator learning sensitivity settings (default: 1 week). To build a comprehensive picture of the protected site's traffic, the device monitors various HTTP attack statistics. Continuous learning reports display normal HTTP traffic baselines (blue) and real-time HTTP traffic statistics (orange) over the specified recent time period.

Table 163: Continuous Learning Statistics Reports

Channel | Description
GET & POST Requests Rate | The rate of HTTP GET and POST requests sent per second to the protected server.
Other Requests Rate | The rate of HTTP requests that are not POST or GET sent per second to the protected server. Other HTTP request methods can be used, but are used less frequently.
Requests Rate per Source | The maximum rate of HTTP GET and POST requests per second per source IP address. This parameter characterizes the site users' behavior, enabling you to recognize abnormal activities, such as scanning or bots. Legitimate users may generate many requests per second, but automatic devices such as bots or scanners generate many more.
Requests per Connection | The maximum number of HTTP GET and POST requests per TCP connection. This parameter characterizes the site users' behavior, enabling you to recognize abnormal activities, such as scanning or bots. Many requests over a single TCP connection may indicate bot or scanner activity.
Outbound Bandwidth | The bandwidth, in megabits per second, of the HTTP servers sending the responses.

Note: The normal Requests per Source and Requests per Connection baseline parameters show the highest number of HTTP requests generated by a single source IP address and a single TCP connection, respectively. This number fades out, unless a higher value is observed, within about 30 seconds.
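The following Python sketch, added here as an illustration and not taken from DefensePro or APSolute Vision, shows what an exponential sliding-window baseline with a one-week response period does to the continuous-learning channels above when a ten-minute HTTP flood arrives, and how a per-source maximum that is held for about 30 seconds behaves. The update rules (a first-order exponential average whose newest-sample weight is sample interval divided by learning period, and a hold-then-drop rule for the per-source maximum), the 15-second sample interval (taken from the MIB section of this chapter) and the traffic figures are assumptions made for the example.

```python
"""Continuous-learning HTTP baseline, as an added illustration (not Radware code).

The guide describes the continuous-learning baseline as an exponential sliding
window with a default learning response period of one week, and a per-source /
per-connection maximum that fades within about 30 seconds unless a higher value
is seen. The update rules below are assumptions chosen to show that behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass

SAMPLE_INTERVAL_S = 15.0               # statistics interval stated in the MIB section
LEARNING_PERIOD_S = 7 * 24 * 3600.0    # default learning response period: 1 week
FADE_S = 30.0                          # per-source maximum fades out in about 30 s


@dataclass
class ExponentialBaseline:
    """Exponential sliding-window average for one channel (e.g. GET & POST requests/s)."""
    period_s: float = LEARNING_PERIOD_S
    interval_s: float = SAMPLE_INTERVAL_S
    value: float | None = None

    def update(self, sample: float) -> float:
        alpha = self.interval_s / self.period_s   # weight of the newest sample (assumed rule)
        if self.value is None:
            self.value = sample                   # first sample seeds the baseline
        else:
            self.value += alpha * (sample - self.value)
        return self.value


@dataclass
class FadingMax:
    """Highest per-source (or per-connection) value; held for fade_s, then dropped."""
    fade_s: float = FADE_S
    interval_s: float = SAMPLE_INTERVAL_S
    value: float = 0.0
    age_s: float = 0.0

    def update(self, observed: float) -> float:
        self.age_s += self.interval_s
        # A higher observation replaces the maximum at once; otherwise the old
        # maximum is kept until it is fade_s old and then falls to the current value.
        if observed >= self.value or self.age_s >= self.fade_s:
            self.value, self.age_s = observed, 0.0
        return self.value


def run_demo() -> dict:
    """Steady 200 req/s, then a 10-minute flood at 20,000 req/s (constructed figures)."""
    baseline = ExponentialBaseline()
    steady = [200.0] * 1000
    flood = [20000.0] * 40                          # 40 samples * 15 s = 10 minutes
    trace = [baseline.update(s) for s in steady + flood]

    per_source = FadingMax()                         # one burst from a single source IP
    fade_trace = [per_source.update(v) for v in (500.0, 10.0, 10.0, 10.0)]

    return {
        "baseline_before_flood": trace[len(steady) - 1],
        "baseline_after_flood": trace[-1],
        "realtime_over_baseline": flood[-1] / trace[-1],
        "per_source_trace": fade_trace,
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

The point of the run: during the flood the real-time GET & POST rate is roughly 90 times the baseline, while the baseline itself only drifts from 200 to about 220 requests per second. A short flood therefore does not teach the one-week baseline that flood traffic is normal, and the per-source value must be read as a recent peak that is held for two samples and then released, not as an average.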

To display continuous learning HTTP reports

1. In the Security Monitoring perspective navigation pane, select the device to monitor.
2. Select the HTTP Reports tab.
3. Select a report under the Continuous Learning Statistics node.
4. Configure the filter parameters for the graph, and click Go.

Table 164: HTTP Report Filter Parameters

Parameter | Description
Server | The name of the protected Web server for which to display HTTP traffic statistics.
Display Last | The last number of hours for which the graph displays information. Values: 1, 2, 3, 6, 12, 24. Default: 1 hour.

Monitoring Hour-Specific Learning Statistics


The Hour-Specific Learning Statistics reports display normal traffic baselines for the last week. You can view the hourly distribution of the site requests and outbound HTTP traffic for each day in the past week and for each hour in a day. The normal baseline for each hour in the week is calculated based on historical information for the specific hour in the day and the specific day of the week over the past 12 weeks. The graph is updated every hour. The HTTP Mitigator learns the baseline traffic, and, based on these statistics, reports attacks based on abnormal traffic.


Table 165: Hour-Specific Learning Statistics Reports

Channel | Description
GET & POST Requests Rate | The rate of HTTP GET and POST requests sent per second to the protected server.
Other Requests Rate | The rate of HTTP requests that are not POST or GET sent per second to the protected server. Other HTTP request methods can be used, but are used less frequently.
Outbound Bandwidth | The bandwidth, in megabits per second, of the HTTP pages sent as responses.

To display hour-specific learning HTTP reports

1. In the Security Monitoring perspective navigation pane, select the DefensePro device to monitor.
2. Select the HTTP Reports tab.
3. Select a report under the Hour-Specific Learning Statistics node.
4. In the Server list, select the protected Web server for which to display information, and click Go.

HTTP Request Size Distribution


The HTTP Request Size Distribution graph displays the URI size distribution, which shows how server resources are used and helps you to analyze resource distribution. A large deviation from the normal probability distribution of one or more HTTP request sizes indicates that the relative usage of these server resources has increased. The x-axis values of the graph are request sizes in 10-byte increments; the y-axis values are percentages of requests. The probability reflects the level of usage of each request size for the protected Web server. In the graph, the blue bars represent the normal probability distribution, and the orange bars represent the real-time (short-term) probability, calculated in intervals of a few seconds.

To display the HTTP request size distribution

1. In the Security Monitoring perspective navigation pane, select the DefensePro device to monitor.
2. Select the HTTP Reports tab, and in the navigation pane, select HTTP Request Size Distribution.
3. Change the display settings for the graph, as required, and click Go.

Table 166: HTTP Request Size Distribution Settings

Parameter | Description
Server | The protected server for which to display information.
Scale | The scale for the presentation of the information along the Y-axis. Values: Linear, Logarithmic


MIB Support for Real-Time HTTP Monitoring Data


DefensePro exposes HTTP-report data via MIBs. In addition to APSolute Vision, you can use third-party SNMP readers to access the data. DefensePro issues the statistics at 15-second intervals.

Table 167: HTTP Reports OIDs and Corresponding MIB Objects

OID | MIB object
1.3.6.1.4.1.89.35.1.65.115.83 | rsHTTPFReportsContinuousLearningStatisticsTable
1.3.6.1.4.1.89.35.1.65.115.83.1 | rsHTTPFReportsContinuousLearningStatisticsEntry
1.3.6.1.4.1.89.35.1.65.115.83.1.1 | rsHTTPFReportsContinuousLearningStatisticsServerName
1.3.6.1.4.1.89.35.1.65.115.83.1.2 | rsHTTPFReportsContinuousLearningStatisticsGETAndPOSTRequestsRate
1.3.6.1.4.1.89.35.1.65.115.83.1.3 | rsHTTPFReportsContinuousLearningStatisticsOtherRequestsRate
1.3.6.1.4.1.89.35.1.65.115.83.1.4 | rsHTTPFReportsContinuousLearningStatisticsRequestsRatePerSource
1.3.6.1.4.1.89.35.1.65.115.83.1.5 | rsHTTPFReportsContinuousLearningStatisticsRequestsRatePerConnection
1.3.6.1.4.1.89.35.1.65.115.83.1.6 | rsHTTPFReportsContinuousLearningStatisticsOutboundBandwidthKbps
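As an added example (not Radware code), the Python below parses the output of a third-party SNMP reader, net-snmp's snmpwalk run in numeric-OID mode, for the table in Table 167 and turns it into one record per protected server, then applies the bot/scanner reading of the per-source and per-connection channels described earlier in this section. The walk output is constructed for the example; the single-integer instance index, the value types printed by the agent, and the thresholds are assumptions, while the OIDs and column names come from the table.

```python
"""Map a numeric snmpwalk of the HTTP continuous-learning table to per-server records.

Added example, not Radware code. Fetch the real data with, for instance:
    snmpwalk -v2c -c <community> -On <device> 1.3.6.1.4.1.89.35.1.65.115.83
and feed the text to parse_snmpwalk(). The OIDs come from Table 167 of the guide;
the instance index layout (one integer after the column number) and the value
types are assumptions, as is SAMPLE_WALK, which is constructed, not captured.
"""
import re
from collections import defaultdict

TABLE_OID = "1.3.6.1.4.1.89.35.1.65.115.83"
ENTRY_OID = TABLE_OID + ".1"

# Column number under the entry OID -> short name (suffix of the MIB object name).
COLUMNS = {
    1: "ServerName",
    2: "GETAndPOSTRequestsRate",
    3: "OtherRequestsRate",
    4: "RequestsRatePerSource",
    5: "RequestsRatePerConnection",
    6: "OutboundBandwidthKbps",
}

# "<oid> = <TYPE>: <value>"; the leading dot and the TYPE are optional.
LINE_RE = re.compile(r"^\.?(?P<oid>[\d.]+)\s*=\s*(?:(?P<type>[A-Za-z0-9]+):\s*)?(?P<value>.*)$")

SAMPLE_WALK = """\
.1.3.6.1.4.1.89.35.1.65.115.83.1.1.1 = STRING: "www-shop"
.1.3.6.1.4.1.89.35.1.65.115.83.1.1.2 = STRING: "www-portal"
.1.3.6.1.4.1.89.35.1.65.115.83.1.2.1 = INTEGER: 842
.1.3.6.1.4.1.89.35.1.65.115.83.1.2.2 = INTEGER: 6310
.1.3.6.1.4.1.89.35.1.65.115.83.1.3.1 = INTEGER: 4
.1.3.6.1.4.1.89.35.1.65.115.83.1.3.2 = INTEGER: 2
.1.3.6.1.4.1.89.35.1.65.115.83.1.4.1 = INTEGER: 9
.1.3.6.1.4.1.89.35.1.65.115.83.1.4.2 = INTEGER: 410
.1.3.6.1.4.1.89.35.1.65.115.83.1.5.1 = INTEGER: 6
.1.3.6.1.4.1.89.35.1.65.115.83.1.5.2 = INTEGER: 122
.1.3.6.1.4.1.89.35.1.65.115.83.1.6.1 = INTEGER: 18400
.1.3.6.1.4.1.89.35.1.65.115.83.1.6.2 = INTEGER: 2200
"""


def _coerce(snmp_type, raw):
    """Strip quotes from STRING values; turn numeric types into int; else keep text."""
    raw = raw.strip()
    if snmp_type == "STRING":
        return raw.strip('"')
    try:
        return int(raw)
    except ValueError:
        return raw


def parse_snmpwalk(text):
    """Return {instance_index: {column_name: value}} for rows of the Table 167 table."""
    rows = defaultdict(dict)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised snmpwalk line: {line!r}")
        oid = m.group("oid")
        if not oid.startswith(ENTRY_OID + "."):
            continue                                  # some other object; ignore
        column, *index_parts = oid[len(ENTRY_OID) + 1:].split(".")
        name = COLUMNS.get(int(column))
        if name is not None:
            rows[".".join(index_parts)][name] = _coerce(m.group("type"), m.group("value"))
    return dict(rows)


def by_server(rows):
    """Re-key the parsed rows by protected server name."""
    return {rec["ServerName"]: rec for rec in rows.values() if "ServerName" in rec}


def flag_bot_like(servers, per_source_limit=100, per_connection_limit=50):
    """Servers whose per-source or per-connection request maxima exceed the (assumed) limits.

    The guide describes both channels as the ones that expose scanners and bots.
    """
    return sorted(
        name for name, rec in servers.items()
        if rec.get("RequestsRatePerSource", 0) > per_source_limit
        or rec.get("RequestsRatePerConnection", 0) > per_connection_limit
    )


if __name__ == "__main__":
    servers = by_server(parse_snmpwalk(SAMPLE_WALK))
    for name, rec in servers.items():
        print(name, rec)
    print("bot-like activity on:", flag_bot_like(servers))
```

Because the device refreshes these values every 15 seconds, polling faster than that only re-reads the same sample; a collector that polls at the 15-second interval and keeps the per-source and per-connection maxima as time series gets the same picture the Continuous Learning Statistics reports show, without depending on APSolute Vision.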


Chapter 10 Administering DefensePro


This chapter describes administering DefensePro.

Note: DefensePro supports up to five simultaneous Telnet or SSH sessions. When you log on to the CLI through Telnet or SSH, there is a predefined time-out for completing the authentication procedure: after establishing a CLI session with the device, you must enter the user name and password within the period defined by the Authentication Time-out parameter. After three incorrect login attempts, the terminal is locked for 10 minutes and no further login attempts are accepted from that IP address. For Telnet or SSH sessions, the Session Time-out parameter defines how long the connection with the device is maintained despite session inactivity. If the session is still inactive when the predefined period ends, the session terminates automatically.

Command Line Interface


Console access to the Command Line Interface (CLI) requires a serial-cable connection and a terminal emulation application; the CLI is also available over Telnet and SSH (see CLI Capabilities, page 324). You can also use the CLI to debug. When debugging is required, DefensePro generates a separate file, delivered in text format, aggregating all the CLI commands needed by Radware Technical Support. The file also includes the output of various CLI commands, such as printouts of the Client table, ARP table, and so on. You can download this file using APSolute Vision and send it to Radware Technical Support (see Downloading a Device's Configuration File, page 255).

Table 168: DefensePro CLI Commands and Menus

Command | Description
acl | Access control list.
classes | Configures traffic attributes used for classification.
device | Device settings.
dp | DefensePro security settings.
help | Displays help for the specified command.
login | Log in to the device.
logout | Log out of the device.
manage | Device management configuration.
net | Network configuration.
ping | Pings a remote host.
reboot | Reboots the device.
security | Device security.
services | General networking services.
shutdown | Shuts down the device.
ssh | Connects via SSH to a remote host.
statistics | Device statistics configuration.
system | Sets system parameters.
telnet | Connects to a remote host via Telnet.
trace-route | Measures hops and latency to a given destination.

CLI Session Time-Out


You can define the period of time the connection with the device via the console remains open despite the sessions inactivity with the Session Time-out parameter. After the predefined time, the session is automatically terminated.

To configure the session time-out

For the console, use the following command:

    manage terminal session-timeout

For the SSH session, use the following command:

    manage ssh session-timeout

For the Telnet session, use the following command:

    manage telnet session-timeout

For the SSH authentication, use the following command:

    manage ssh auth-timeout

For the Telnet authentication, use the following command:

    manage telnet auth-timeout

CLI Capabilities

You can use the DefensePro CLI through console access, Telnet, or SSH. The CLI provides the following capabilities:

  Consistent, logically structured, and intuitive command syntax.
  A system config command to view the current configuration of the device, formatted as CLI command lines.
  Pasting the output of system config, or part of it, to the CLI of another device, using the system config set command. This option can be used for easy configuration replication.
  Help and command completion keys.
  Command line editing keys.
  Command history.
  Configurable prompt.
  Configurable banner for Telnet and SSH.
  Ping: Ping other hosts on the network to test their availability.

  Traceroute: Use the following command:

    trace-route <destination IP address>

  Output format:

    DP#trace-route www.radware.com
    trace-route to host 209.218.228.203:
    1:  50ms  50ms  50ms  212.150.43.130
    2:  50ms  50ms  50ms  80.74.101.129
    3:  50ms  50ms  50ms  192.116.214.2
    4:  *     *     *
    5:  50ms  50ms  50ms  80.74.96.40

  Telnet client: To initiate a Telnet session to a remote host, use the following CLI command:

    telnet <IP address>

  SSH client: To initiate an SSH session to a remote host, use the following CLI command:

    ssh <IP address>

CLI Traps

When connected to a physical DefensePro platform via a serial cable, the device generates traps when events occur. To send traps to the console (serial), Telnet, and SSH sessions, the command is:

    manage terminal traps-outputs set-on

For the console only:

    manage terminal traps-outputs set normal

Send Traps To All CLI Users

This option configures whether traps are sent only to the serial terminal or to SSH and Telnet clients as well.

Web Based Management


Each DefensePro device can be managed using a Web-based interface. Web access can also be confined to SSL. The administrator can specify the TCP port for Web Based Management (WBM) and Secure Web Based Management (SWBM). The Web Based Management user interface is an easy and fast single device manager, which does not require any installation on a client. When using Web Based Management, on-line help is available from the Radware corporate Web site, or you can specify a custom location for help files.

Note: In Web Based Management, the online help is available by clicking on the ? Help icon that is displayed in every screen.

Web Based Management Capabilities


You can also use secure Web Based Management, that is, an HTTPS session. By default, the device has self-signed Radware SSL certificates. You can also specify your own self-signed SSL certificates.


To create a new SSL certificate using Web Based Management

1. Select Services > SSL > Certificates. The SSL Certificates window is displayed.
2. Click Create. The Create Self Signed Certificate window is displayed.
3. Fill in the relevant parameters and click OK.

Note: SSL Keys and certificates are not exported as part of the configuration.

Web Services

DefensePro devices can be managed through SNMP, the serial port, Telnet, SSH, HTTP (via the internal Web application), and HTTPS. To provide customers with the capability to develop enhanced application monitoring, customized application delivery network management applications, and advanced automation tools, Radware provides Web Service interfaces on DefensePro with APSolute API, an open standards-based SOAP (XML) API. Integration with APSolute API gives customers a comprehensive view of device performance, including historical data analysis and trending, performance diagnostics, availability reports, and the automation of maintenance operations and fine-tuning of DefensePro for optimal application delivery based on external parameters. Key features:

  Control of Radware product features and functions from any external application.
  API-enabled network devices appear as software to applications, resulting in true, software-native integration.
  Comprehensive SDK for multiple development platforms and languages.
  Extensive sample application code, documentation, and configuration guidance.
  Over 1,700 methods available through a Web Services-based API.
  Support for SOAP/XML over HTTPS ensures flexible and secure communications.

API Structure

The APSolute API is a SOAP/XML interface that provides full access to DefensePro devices for third-party applications using common development languages, including Java, Visual Basic/C#, and Perl. This interface enables both device configuration and the monitoring of status and performance statistics. APSolute API offers two approaches to interacting with DefensePro devices:

1. Issuing CLI commands. This interface does not support:
     Commands that are not configuration or monitoring commands, such as ping, telnet, and trace-route.
     Commands that have asynchronous output (such as accelerator-related CLI commands).
   The response to a CLI command is limited to the first 1000 rows.

2. Configuring and monitoring the devices via SOAP commands that mirror Radware's SNMP MIB. The following types of commands are available:
     For a scalar MIB parameter: retrieve (get) the value and change (set) the value.
     For a MIB table entry: create an entry, delete an entry, update one or more parameters of an entry, retrieve (get) an entry, retrieve (get) the entire table, and walk through the table (get first entry and get next).

The DefensePro Web services operate via HTTP or HTTPS requests, like a regular Web browser. Web Services are disabled by default on DefensePro. You can enable DefensePro Web services by means of the following:

  CLI: manage web-services status
  WBM: Web Services window (Services > Web > Web Services)
  APSolute Vision: Access tab of the Setup window

You can enable Web Services only if either the Web or secure Web management interface is enabled on the device.

APSolute API Software Development Kit (SDK)


The APSolute API SDK comes with all the necessary components and documentation to enable rapid development of control and monitoring capabilities in custom-developed applications. This includes the following:

  Web Service Description Language (WSDL) files for all interfaces and modules
  API Reference
  Product overview
  Sample code for some basic device configuration/monitoring functions

To start working with the APSolute API SDK, install a SOAP client tool kit (supporting SOAP version 1.1 and later) and a development environment for the tool kit on the workstation.


Appendix A Footprint Bypass Fields and Values


This appendix describes footprint bypass fields in BDoS protection and DNS protection.

BDoS Footprint Bypass Fields and Values


For more information, see Configuring BDoS Footprint Bypass, page 136.

Table 169: BDoS Footprint Bypass Fields and Values for UDP, ICMP, and IGMP Controllers

Field | Controllers | Default Status | Default Value or N/A (1) | Remark
checksum | UDP, ICMP, IGMP | Accept | UDP: 0; ICMP, IGMP: N/A | The checksum value in the UDP header of the packet.
id-num | UDP, ICMP, IGMP | Accept | UDP: 0; ICMP, IGMP: N/A | The ID number from the IP packet header.
id-num-ipv6 (2) | UDP, ICMP, IGMP | Accept | UDP: 0; ICMP, IGMP: N/A | The ID number from the IPv6 packet header.
dns-id-num | UDP, ICMP, IGMP | Accept | UDP: 0; ICMP, IGMP: N/A | The ID number of a DNS query.
dns-qname | UDP | Accept | N/A | The domain name requested by a DNS query.
dns-qcount | UDP | Accept | 1 | The number of DNS queries in a single DNS session.
source-port | UDP | Accept | N/A | The source port of the attack.
frag-offset | UDP, ICMP, IGMP | Accept | 0, 185 | Indicates where this fragment belongs in the datagram. The fragment offset is measured in units of 8 bytes (64 bits).
frag-offset-ipv6 (2) | UDP, ICMP | Accept | 0, 181 | Indicates where this IPv6 fragment belongs in the datagram. The IPv6 fragment offset is measured in units of 8 bytes (64 bits).
flow-label (2) | UDP, ICMP | Accept | 0, 181 | Used by a source to label those packets for which it requests special handling by the IPv6 router. The flow is uniquely identified by the combination of a source address and a non-zero flow label.
source-ip | UDP, ICMP, IGMP | Accept | N/A | The source IP address of the attack.
source-ip-ipv6 (2) | UDP, ICMP | Accept | N/A | The source IPv6 address of the attack.
tos | UDP, ICMP, IGMP | Accept | N/A | The Type of Service value from the IP packet header.
packet-size | UDP, ICMP, IGMP | Accept | UDP, IGMP: N/A; ICMP: 74 | The size of the packet in bytes, including the data-link header.
packet-size-ipv6 (2) | UDP, ICMP | Accept | UDP: N/A; ICMP: 118 | The size of the IPv6 packet in bytes, including the data-link header.
destination-port | UDP | Accept | N/A | The destination port from the packet header.
destination-ip | UDP, ICMP, IGMP | Accept | N/A | The destination IP address.
destination-ip-ipv6 (2) | UDP, ICMP | Accept | N/A | The destination IPv6 address.
fragment | UDP, ICMP, IGMP | Accept | N/A | The protocol fragmented packet.
ttl | UDP, ICMP, IGMP | Accept | N/A | The Time-To-Live value in the IP packet header.
vlan-tag | UDP, ICMP, IGMP | Accept | N/A | The VLAN tag value (external).
icmp-igmp-message-type | ICMP, IGMP | Accept | N/A | The protocol Message Type value.
icmp-message-type-ipv6 (2) | ICMP | Accept | N/A | The ICMP IPv6 Message Type value.

(1) N/A (that is, not applicable) means that no specific values can be used with the field; only the general status, Accept or Bypass, applies.
(2) This field is displayed only when the IP Version Mode on the device is set to IPv4 and IPv6 (Configuration perspective > Networking > Basic).

Table 170: BDoS Footprint Bypass Fields and Values for All TCP Controllers

In this table, "All" in the Controllers column means TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, and TCP-Frag.

Controllers | Field | Default Status | Default Value or N/A [1] | Remark
All | sequence-num | Accept | N/A | The sequence number value from the relevant TCP packet header.
All | id-num | Accept | N/A | The ID number from the IP packet header.
All | source-port | Accept | N/A | The source port of the generated attack.
All | source-ip | Bypass | | The source IP address of the generated attack.
All | source-ip-ipv6 [2] | Bypass | | The source IPv6 address of the generated attack.
All | tos | Accept | | The Type of Service value from the IP packet header.
All | packet-size | Accept | For TCP-SYN, TCP-SYN-ACK: 60, 62, 66, 74; For TCP-RST, TCP-ACK-FIN: 60; For TCP-Frag: N/A | The size of the packet in bytes, including the data-link header.
All | packet-size-ipv6 [2] | Accept | For TCP-SYN, TCP-SYN-ACK: 80, 82, 86, 94; For TCP-RST, TCP-ACK-FIN: 74; For TCP-Frag: N/A | The size of the IPv6 packet in bytes, including the data-link header.
All | destination-port | Accept | | The destination TCP port of the attack.
All | destination-ip | Accept | | The destination IP address of the attack.
All | destination-ip-ipv6 [2] | Accept | | The destination IPv6 address of the attack.
All | ttl | Accept | | The Time-To-Live value in the IP packet header.
All | vlan-tag | Accept | | The VLAN tag value (external).
TCP-Frag | frag-offset | Accept | 0, 185 | Indicates where this fragment belongs in the datagram. The fragment offset is measured in units of 8 bytes (64 bits).
TCP-Frag | frag-offset-ipv6 [2] | Accept | 0, 181 | Indicates where this IPv6 fragment belongs in the datagram. The IPv6 fragment offset is measured in units of 8 bytes (64 bits).
All | flow-label [2] | Accept | | Used by a source to label those packets for which it requests special handling by the IPv6 router. The flow is uniquely identified by the combination of a source address and a non-zero flow label.

[1] N/A (that is, not applicable) means that no specific values can be used with the field; only the general status, Accept or Bypass, applies.
[2] This field is displayed only when the IP Version Mode on the device is set to IPv4 and IPv6 (Configuration perspective > Networking > Basic).

DNS Footprint Bypass Fields and Values

DNS footprint bypass types relate to the following controllers, all of which support the same fields, default status, and default values: A, AAAA, MX, NAPTR, Others, PTR, SOA, SRV, and Text.

Table 171: DNS Footprint Bypass Fields and Values

Field | Default Status | Default Value or N/A [1] | Remark
checksum | Accept | For UDP: 0; For ICMP and IGMP: N/A | The checksum value in the UDP header of the packet.
id-num | Accept | For UDP: 0; For ICMP and IGMP: N/A | The ID number from the IP packet header.
id-num-ipv6 [2] | Accept | For UDP: 0; For ICMP and IGMP: N/A | The ID number from the IPv6 packet header.
dns-id-num | Accept | For UDP: 0; For ICMP and IGMP: N/A | The ID number of a DNS query.
dns-qname | Accept | N/A | The domain name requested by a DNS query.
dns-qcount | Accept | 1 | The number of DNS queries in a single DNS session.
source-port | Accept | N/A | The source port of the attack.
flow-label [2] | Accept | 0, 181 | Used by a source to label those packets for which it requests special handling by the IPv6 router. The flow is uniquely identified by the combination of a source address and a non-zero flow label.
source-ip | Accept | N/A | The source IP address of the attack.
source-ip-ipv6 [2] | Accept | N/A | The source IPv6 address of the attack.
tos | Accept | N/A | The Type of Service value from the IP packet header.
packet-size | Accept | For UDP and IGMP: N/A; For ICMP: 74 | The size of the packet in bytes, including the data-link header.
packet-size-ipv6 [2] | Accept | For UDP: N/A; For ICMP: 118 | The size of the IPv6 packet in bytes, including the data-link header.
destination-ip | Accept | N/A | The destination IP address.
destination-ip-ipv6 [2] | Accept | N/A | The destination IPv6 address.
fragment | Accept | N/A | The protocol fragmented packet.
ttl | Accept | N/A | The Time-To-Live value in the IP packet header.
vlan-tag | Accept | N/A | The VLAN tag value (external).
dns-ancount | Accept | 0 | The number of DNS answers in a single DNS session.
flags | Accept | N/A | The DNS header flags field (AA, TC, RD, and so on).

[1] N/A (that is, not applicable) means that no specific values can be used with the field; only the general status, Accept or Bypass, applies.
[2] This field is displayed only when the IP Version Mode on the device is set to IPv4 and IPv6 (Configuration perspective > Networking > Basic).

Appendix B Configuring SSL-Based Protection with AppXcel

Note: This solution is deprecated.

DefensePro, in conjunction with Radware's AppXcel, can inspect SSL-encrypted sessions and protect SSL tunnels from attacks. When a session is encrypted using SSL, an IPS/IDS device based on signature matching cannot inspect the secured traffic. DefensePro passively inspects SSL-encrypted sessions: SSL traffic is mirrored by DefensePro and the decrypted session is inspected. SSL traffic is classified by the device the same way regular traffic is. Traffic is mirrored by DefensePro and sent to AppXcel. AppXcel decrypts the HTTPS to HTTP, and DefensePro then applies its security policies to the HTTP traffic. If an attack is identified, DefensePro sends a RST packet to the source and/or destination of the original connection.

Figure 31: SSL-based Protection Flow

1. A client initiates an HTTPS session with the server.
2. When DefensePro forwards the traffic to the server, it replicates the HTTPS session to a preconfigured port, where an AppXcel unit is connected.
3. AppXcel operates in passive SSL mode, decrypts the HTTPS session, and returns it as an HTTP session.
4. DefensePro inspects the HTTP traffic received from AppXcel based on its policies. If an attack is detected, DefensePro sends a Reset packet to the source and/or destination.

Note: DoS, SYN protection, and other policies can also be applied to the original SSL streams.

Before you configure SSL inspection, configure inspection ports in the Static Forwarding table by setting the operating mode to Process. When you assign the same Destination Port to more than one Source Port, you must set the Destination Port of the traffic in the opposite direction; otherwise the traffic transmitted in that direction is ignored. For example, if both Source Port 1 and Source Port 2 are associated with Destination Port 3, then for traffic in the opposite direction, the Source Port is 3 while the Destination Port must be defined (1 or 2).

To configure SSL inspection

1. In the Configuration perspective Networking tab navigation pane, select SSL Inspection.
2. Do one of the following:
   - To add an SSL inspection physical port, click the (Add) button.
   - To edit a port, double-click the row.
3. Configure SSL inspection physical port settings and click OK.
4. Configure SSL inspection Layer 4 port settings.

Table 172: SSL Inspection Physical Port Parameters

Parameter | Description
Incoming Port | The scanning port that was configured for one of the traffic directions. This port must be dedicated to SSL acceleration and cannot be used for other purposes, such as static forwarding or a network interface.
Port towards AppXcel | The port that is used for SSL acceleration.

Configuring SSL Inspection Layer 4 Ports for DefensePro

Note: This solution (configuring SSL-based protection with AppXcel) is deprecated.

To configure SSL inspection Layer 4 ports

1. In the Configuration perspective Networking tab navigation pane, select SSL Inspection > L4 Ports.
2. Do one of the following:
   - To add an SSL inspection Layer 4 port, click the (Add) button.
   - To edit a port, double-click the row.
3. Configure SSL inspection Layer 4 port settings and click OK.

Table 173: SSL Inspection Layer 4 Port Parameters

Parameter | Description
TCP Incoming Port | The SSL service port of the original traffic. This TCP port is used for forwarding SSL sessions.
TCP Port towards AppXcel | The corresponding service port that AppXcel uses for decrypted sessions. This HTTP port is used after decryption.

Appendix C Predefined Basic Filters

The following table lists the predefined basic filters that DefensePro supports. The list may vary depending on the product version.

Table 174: Predefined Basic Filters

Name | Description | Protocol | OMPC Offset | OMPC Mask
000 | Routine | IP | 1 | e0000000
001 | Priority | IP | 1 | e0000000
010 | Immediate | IP | 1 | e0000000
011 | Flash | IP | 1 | e0000000
100 | ToS Flash Override | IP | 1 | e0000000
101 | CRITIC/ECP | IP | 1 | e0000000
110 | Internetwork Control | IP | 1 | e0000000
111 | Network Control | IP | 1 | e0000000
aim-aol-any | AIM/AOL Instant Messenger | TCP | 0 | ffff0000
aol-msg | AOL Instant | TCP | 0 | 0
ares_ft_udp_0 | Ares_FT_udp | UDP | 36 | ffffffff
ares_ft_udp_1 | Ares_FT_udp | UDP | 40 | ff000000
bearshare_download_tcp_0 | BearShare_Download_tcp | TCP | 0 | ffffffff
bearshare_download_tcp_1 | BearShare_Download_tcp | TCP | 4 | ffffffff
bearshare_request_file_udp_0 | BearShare_Request_File_udp | UDP | 0 | ffffffff
bearshare_request_file_udp_1 | BearShare_Request_File_udp | UDP | 4 | 00ffffff
bittorrent_command_1_0 | BitTorrent | TCP | 0 | ffffffff
bittorrent_command_1_1 | BitTorrent | TCP | 4 | ffffffff
bittorrent_command_1_2 | BitTorrent | TCP | 8 | ffffffff
bittorrent_command_1_3 | BitTorrent | TCP | 12 | ffffffff
bittorrent_command_1_4 | BitTorrent | TCP | 16 | ffffffff
bittorrent_command_2_0 | BitTorrent | TCP | 0 | ffffffff
bittorrent_command_2_1 | BitTorrent | TCP | 4 | ffffffff
bittorrent_command_2_2 | BitTorrent | TCP | 8 | ffffffff
bittorrent_command_2_3 | BitTorrent | TCP | 12 | ffffffff
bittorrent_command_2_4 | BitTorrent | TCP | 16 | ffffffff
bittorrent_command_2_5 | BitTorrent | TCP | 20 | ffffffff
bittorrent_command_3_0 | BitTorrent | TCP | 0 | ffffffff
bittorrent_command_3_1 | BitTorrent | TCP | 4 | ffffffff
bittorrent_command_3_2 | BitTorrent | TCP | 8 | ffffffff
bittorrent_command_3_3 | BitTorrent | TCP | 12 | ffffffff
bittorrent_command_3_4 | BitTorrent | TCP | 16 | ffffffff
bittorrent_command_3_5 | BitTorrent | TCP | 20 | ffff0000
bittorrent_command_4_0 | BitTorrent | TCP | 8 | ffffff00
bittorrent_command_4_1 | BitTorrent | TCP | 11 | ff000000
bittorrent_command_4_2 | BitTorrent | TCP | 11 | ff000000
bittorrent_udp_1_0 | BitTorrent_UDP_1 | UDP | 8 | ffffff00
bittorrent_udp_1_1 | BitTorrent_UDP_1 | UDP | 12 | ffff0000
citrix-admin | Citrix Admin | TCP | 0 | 0
citrix-ica | Citrix ICA | TCP | 0 | 0
citrix-ima | Citrix IMA | TCP | 0 | 0
citrix-ma-client | Citrix MA client | TCP | 0 | 0
citrix-rtmp | Citrix RTMP | TCP | 0 | 0
diameter | Diameter | TCP | 0 | 0
directconnect_file_transfer_0 | DirectConnect_File_transfer | TCP | 0 | ff000000
directconnect_file_transfer_1 | DirectConnect_File_transfer | TCP | 21 | ffffffff
directconnect_file_transfer_2 | DirectConnect_File_transfer | TCP | 25 | ffffffff
dns | Session for DNS | UDP | 0 | 0
emule_tcp_file_request_0 | eMule | TCP | 0 | ff000000
emule_tcp_file_request_1 | eMule | TCP | 4 | ffff0000
emule_tcp_hello_message_0 | eMule | TCP | 0 | ff000000
emule_tcp_hello_message_1 | eMule | TCP | 4 | ffff0000
emule_tcp_secure_handshake_0 | eMule | TCP | 0 | ff000000
emule_tcp_secure_handshake_1 | eMule | TCP | 4 | ffff0000
ftp-session | Session for FTP | TCP | 0 | 0
gnutella_tcp_1_0 | Gnutella_TCP_1 | TCP | 0 | ffffff00
gnutella_tcp_2_0 | Gnutella_TCP_2 | TCP | 0 | ffffffff
gnutella_tcp_2_1 | Gnutella_TCP_2 | TCP | 4 | ffffffff
gnutella_tcp_3_0 | Gnutella_TCP_3 | TCP | 0 | ffffff00
googletalk_ft_1_0 | GoogleTalk_FT_1 | UDP | 24 | ffffffff
googletalk_ft_1_1 | GoogleTalk_FT_1 | UDP | 28 | ffffffff
googletalk_ft_1_2 | GoogleTalk_FT_1 | UDP | 32 | ffffffff
googletalk_ft_1_3 | GoogleTalk_FT_1 | UDP | 36 | ffff0000
googletalk_ft_2_0 | GoogleTalk_FT_2 | UDP | 24 | ffffffff
googletalk_ft_2_1 | GoogleTalk_FT_2 | UDP | 28 | ffffffff
googletalk_ft_4_0 | GoogleTalk_FT_4 | UDP | 67 | ffffffff
googletalk_ft_4_1 | GoogleTalk_FT_4 | UDP | 71 | ffffffff
groove_command_1_0 | Groove | TCP | 6 | ffffffff
groove_command_1_1 | Groove | TCP | 10 | ffffffff
groove_command_1_2 | Groove | TCP | 14 | ffffffff
groove_command_2_0 | Groove | TCP | 6 | ffffffff
groove_command_2_1 | Groove | TCP | 10 | ffff0000
groove_command_3_0 | Groove | TCP | 7 | ffffffff
groove_command_3_1 | Groove | TCP | 11 | ffffffff
groove_command_3_2 | Groove | TCP | 15 | ffffffff
groove_command_3_3 | Groove | TCP | 19 | ffffffff
h.225-session | Session Of H225 | TCP | 0 | 0
hdc1 | High Drop Class 1 | IP | 1 | fc000000
hdc2 | High Drop Class 2 | IP | 1 | fc000000
hdc3 | High Drop Class 3 | IP | 1 | fc000000
hdc4 | High Drop Class 4 | IP | 1 | fc000000
http | World Wide Web HTTP | TCP | 0 | 0
http-alt | HTTP alternate | TCP | 0 | 0
https | HTTP over SSL | TCP | 0 | 0
icecast_1 | IceCast_Stream | TCP | 0 | ffffffff
icecast_2 | IceCast_Stream | TCP | 4 | ffffffff
icecast_3 | IceCast_Stream | TCP | 8 | ffff0000
icmp | ICMP | ICMP | 0 | 0
icq | ICQ | TCP | 0 | 0
icq_aol_ft_0 | ICQ_AOL_FT | TCP | 0 | ffffffff
icq_aol_ft_1 | ICQ_AOL_FT | TCP | 0 | ffffffff
icq_aol_ft_2 | ICQ_AOL_FT | TCP | 2 | ffff0000
imap | Internet Message Access | TCP | 0 | 0
imesh_download_tcp_0 | iMesh_Download_tcp | TCP | 0 | ffffffff
imesh_download_tcp_1 | iMesh_Download_tcp | TCP | 4 | ffffffff
imesh_request_file_udp_0 | iMesh_Request_File_udp | UDP | 0 | ffffffff
imesh_request_file_udp_1 | iMesh_Request_File_udp | UDP | 4 | 00ffffff
ip | IP Traffic | IP | 0 | 0
itunesdaap_ft_0 | iTunesDaap_FT | TCP | 0 | ffffffff
itunesdaap_ft_1 | iTunesDaap_FT | TCP | 4 | ffffffff
itunesdaap_ft_2 | iTunesDaap_FT | TCP | 8 | ffffff00
itunesdaap_ft_3 | iTunesDaap_FT | TCP | 2 | ffff0000
kazaa_request_file_0 | Kazaa_Request_File | TCP | 0 | ffffffff
kazaa_request_file_1 | Kazaa_Request_File | TCP | 4 | ffffffff
kazaa_request_file_2 | Kazaa_Request_File | TCP | 8 | ffff0000
kazaa_udp_packet_0 | Kazaa_UDP_Packet | UDP | 6 | ffffffff
kazaa_udp_packet_1 | Kazaa_UDP_Packet | UDP | 4 | ffff0000
ldap | LDAP | TCP | 0 | 0
ldaps | LDAPS | TCP | 0 | 0
ldc1 | Low Drop Class 1 | IP | 1 | fc000000
ldc2 | Low Drop Class 2 | IP | 1 | fc000000
ldc3 | Low Drop Class 3 | IP | 1 | fc000000
ldc4 | Low Drop Class 4 | IP | 1 | fc000000
lrp | Load Report Protocol | UDP | 0 | 0
manolito_file_transfer_0_0 | Manolito | TCP | 0 | ffffffff
manolito_file_transfer_0_1 | Manolito | TCP | 0 | ffffffff
manolito_file_transfer_0_2 | Manolito | TCP | 0 | ffffffff
manolito_file_transfer_1_0 | Manolito | TCP | 4 | ff000000
manolito_file_transfer_1_1 | Manolito | TCP | 4 | ff000000
manolito_file_transfer_2_0 | Manolito | TCP | 4 | ff000000
manolito_file_transfer_2_1 | Manolito | TCP | 4 | ff000000
mdc1 | Medium Drop Class 1 | IP | 1 | fc000000
mdc2 | Medium Drop Class 2 | IP | 1 | fc000000
mdc3 | Medium Drop Class 3 | IP | 1 | fc000000
mdc4 | Medium Drop Class 4 | IP | 1 | fc000000
meebo_get_0 | MEEBO_GET | TCP | 0 | ffffffff
meebo_get_1 | MEEBO_GET | TCP | 4 | ffffffff
meebo_get_2 | MEEBO_GET | TCP | 8 | ffffffff
meebo_get_3 | MEEBO_GET | TCP | 12 | ffffffff
meebo_get_4 | MEEBO_GET | TCP | 16 | ffffffff
meebo_get_5 | MEEBO_GET | TCP | 20 | ffffffff
meebo_get_6 | MEEBO_GET | TCP | 24 | ffffffff
meebo_get_7 | MEEBO_GET | TCP | 28 | ffffffff
meebo_get_8 | MEEBO_GET | TCP | 32 | ff000000
meebo_post_0 | MEEBO_POST | TCP | 0 | ffffffff
meebo_post_1 | MEEBO_POST | TCP | 4 | ffffffff
meebo_post_2 | MEEBO_POST | TCP | 8 | ffffffff
meebo_post_3 | MEEBO_POST | TCP | 12 | ffffffff
meebo_post_4 | MEEBO_POST | TCP | 16 | ffffffff
meebo_post_5 | MEEBO_POST | TCP | 20 | ffffffff
meebo_post_6 | MEEBO_POST | TCP | 24 | ffffffff
meebo_post_7 | MEEBO_POST | TCP | 28 | ffffff00
msn-any | MSN Messenger Chat | TCP | 0 | ffffffff
msn-msg | MSN Messenger Chat | TCP | 0 | 0
msn_msgr_ft_0 | MSN_MSGR_FT | TCP | 0 | ffffffff
msn_msgr_ft_1 | MSN_MSGR_FT | TCP | 48 | ffffffff
mssql-monitor | Microsoft SQL traffic-monitor | TCP | 0 | 0
mssql-server | Microsoft SQL server traffic | TCP | 0 | 0
nntp | Network News | TCP | 0 | 0
nonip | Non IP Traffic | NonIP | 0 | 0
oracle-server1 | Oracle server | TCP | 0 | 0
oracle-server2 | Oracle server | TCP | 0 | 0
oracle-server3 | Oracle server | TCP | 0 | 0
oracle-v1 | Oracle SQL *Net version 1 | TCP | 0 | 0
oracle-v2 | Oracle SQL *Net version 2 | TCP | 0 | 0
pop3 | Post Office Protocol 3 | TCP | 0 | 0
prp | PRP | UDP | 0 | 0
radius | RADIUS protocol | TCP | 0 | 0
rexec | Remote Process Execution | TCP | 0 | 0
rshell | Remote Shell | TCP | 0 | 0
rtp_ft_0 | RTP_FT | UDP | 0 | ffff0000
rtp_ft_1 | RTP_FT | UDP | 0 | ffff0000
rtp_ft_2 | RTP_FT | UDP | 16 | ffff0000
rtsp | RTSP | TCP | 0 | 0
sap | SAP | TCP | 0 | 0
sctp | SCTP Traffic | SCTP | 0 | 0
skype-443-handshake | Skype signature for port 443 | TCP | 0 | ff000000
skype-443-s-hello | Skype signature for port 443 | TCP | 11 | ffffffff
skype-80-l-56 | Skype signature for port 80 | TCP | 2 | ffff0000
skype-80-proxy | Skype signature for port 80 | TCP | 0 | ffffffff
skype-80-pshack | Skype signature for port 80 | TCP | 13 | ff000000
skype-ext-l-54 | Skype signature | TCP | 2 | ffff0000
skype-ext-pshack | Skype signature | TCP | 13 | ff000000
smtp | Simple Mail Transfer | TCP | 0 | 0
snmp | SNMP | UDP | 0 | 0
snmp-trap | SNMP Trap | UDP | 0 | 0
softethervpn443 | SoftEther Ethernet System | TCP | 0 | ffffff00
softethervpn8888 | SoftEther Ethernet System | TCP | 0 | ffffff00
soulseek_pierce_fw_0 | SoulSeek_Pierce_FW | TCP | 0 | ffffffff
soulseek_pierce_fw_1 | SoulSeek_Pierce_FW | TCP | 4 | ff000000
soulseek_pierce_fw_2 | SoulSeek_Pierce_FW | TCP | 2 | ffff0000
ssh | Secure Shell | TCP | 0 | 0
tcp | TCP Traffic | TCP | 0 | 0
telnet | Telnet | TCP | 0 | 0
tftp | Trivial File Transfer | UDP | 0 | 0
udp | UDP Traffic | UDP | 0 | 0
voip_sign_1 | VOIP signature | UDP | 28 | c03f0000
voip_sign_10 | VOIP signature | UDP | 28 | c03f0000
voip_sign_11 | VOIP signature | UDP | 28 | c03f0000
voip_sign_12 | VOIP signature | UDP | 28 | c03f0000
voip_sign_13 | VOIP signature | UDP | 28 | c03f0000
voip_sign_2 | VOIP signature | UDP | 28 | c03f0000
voip_sign_3 | VOIP signature | UDP | 28 | c03f0000
voip_sign_4 | VOIP signature | UDP | 28 | c03f0000
voip_sign_5 | VOIP signature | UDP | 28 | c03f0000
voip_sign_6 | VOIP signature | UDP | 28 | c03f0000
voip_sign_7 | VOIP signature | UDP | 28 | c03f0000
voip_sign_8 | VOIP signature | UDP | 28 | c03f0000
voip_sign_9 | VOIP signature | UDP | 28 | c03f0000
yahoo_ft_0 | YAHOO_FT | TCP | 0 | ffffffff
yahoo_ft_1 | YAHOO_FT | TCP | 10 | ffff0000
yahoo_get_0 | YAHOO_GET | TCP | 0 | ffffffff
yahoo_get_1 | YAHOO_GET | TCP | 4 | ffffffff
yahoo_get_2 | YAHOO_GET | TCP | 8 | ffffffff
yahoo_get_3 | YAHOO_GET | TCP | 12 | ffffffff
yahoo_get_4 | YAHOO_GET | TCP | 16 | ff000000
yahoo_post_0 | YAHOO_POST | TCP | 0 | ffffffff
yahoo_post_1 | YAHOO_POST | TCP | 4 | ffffffff
yahoo_post_2 | YAHOO_POST | TCP | 8 | ffffffff
yahoo_post_3 | YAHOO_POST | TCP | 12 | ffffffff
yahoo_post_4 | YAHOO_POST | TCP | 16 | ffff0000
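As an added example (not Radware's code), the following Python evaluates a basic filter's OMPC Offset and OMPC Mask against a constructed IPv4 header, using the precedence rows (000 to 111, mask e0000000) and the drop-class rows (hdc/ldc/mdc, mask fc000000) from the table above. The offset being relative to the IP header, the big-endian 32-bit window, and the pattern values (a column the table does not list) are assumptions stated in the code.

```python
"""Added example (not Radware's code): apply a DefensePro-style basic filter,
expressed as the Table 174 columns Protocol, OMPC Offset and OMPC Mask, to a
raw IPv4 header. Assumptions not stated on the page: the offset counts bytes
from the start of the header of the filter's Protocol, the 32-bit window at
that offset is read big-endian, and the OMPC pattern (a column the table
does not list) is the value the masked window must equal."""
import struct
from dataclasses import dataclass
from typing import List, Sequence


@dataclass(frozen=True)
class BasicFilter:
    name: str
    protocol: str
    offset: int   # "OMPC Offset" column: byte offset into the protocol header
    mask: int     # "OMPC Mask" column: which bits of the 32-bit window count
    pattern: int  # assumed: value the masked window must equal

    def matches(self, header: bytes) -> bool:
        window = header[self.offset:self.offset + 4]
        if len(window) < 4:
            return False  # window would run past the header: cannot match
        value = struct.unpack("!I", window)[0]
        # A mask of 0 (as in the page's http, ssh and dns rows) compares no
        # bits, so such a filter relies on protocol/port alone and matches any
        # header here; port matching is outside this example.
        return (value & self.mask) == (self.pattern & self.mask)


def precedence_filters() -> List[BasicFilter]:
    """The eight filters 000..111: offset 1 and mask e0000000 select the top
    three bits of the IPv4 ToS byte (IP precedence). The pattern is
    constructed from each filter's name; the table lists no pattern column."""
    return [BasicFilter(bits, "IP", 1, 0xE0000000, int(bits, 2) << 29)
            for bits in ("000", "001", "010", "011", "100", "101", "110", "111")]


def assured_forwarding_filters() -> List[BasicFilter]:
    """hdc1..4, ldc1..4, mdc1..4: offset 1 and mask fc000000 select the six
    DSCP bits. Patterns are constructed from the RFC 2597 AF code points the
    descriptions name (High/Medium/Low Drop Class n = AFn3/AFn2/AFn1)."""
    filters = []
    for prefix, drop in (("hdc", 3), ("ldc", 1), ("mdc", 2)):
        for cls in range(1, 5):
            dscp = (cls << 3) | (drop << 1)  # AF class bits + drop precedence
            filters.append(BasicFilter(f"{prefix}{cls}", "IP", 1,
                                       0xFC000000, dscp << 26))
    return filters


def _ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words (RFC 1071)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(tos: int, total_length: int = 40, ident: int = 0x1234,
                ttl: int = 64, proto: int = 6,
                src: bytes = bytes((192, 0, 2, 1)),
                dst: bytes = bytes((198, 51, 100, 7))) -> bytes:
    """Constructed 20-byte IPv4 header (no options) with a valid checksum.
    The addresses are documentation-range sample values."""
    fields = [0x45, tos, total_length, ident, 0, ttl, proto, 0, src, dst]
    hdr = struct.pack("!BBHHHBBH4s4s", *fields)
    fields[7] = _ipv4_checksum(hdr)
    return struct.pack("!BBHHHBBH4s4s", *fields)


def classify(header: bytes, filters: Sequence[BasicFilter]) -> List[str]:
    """Names of the IP-protocol filters whose masked window matches."""
    return [f.name for f in filters
            if f.protocol == "IP" and f.matches(header)]


if __name__ == "__main__":
    all_filters = precedence_filters() + assured_forwarding_filters()
    for label, tos in (("precedence 7", 0xE0), ("AF13", 0x38), ("best effort", 0)):
        print(label, classify(ipv4_header(tos), all_filters))
```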

Appendix D DefensePro Attack-Protection IDs

This appendix describes the DefensePro Attack-Protection IDs.

Table 175: DefensePro Attack-Protection IDs

ID Number or Range | Attack-Protection Name | Category | Default Risk (for Reporting) | Default Action | Description
8 | White List | N/A | | | White-list encounters are not reported as security events.
9 | Black List | Access | | | Black-list access violation.
70 | Network flood IPv4 UDP | Behavioral-DoS | | | Network flood IPv4 UDP.
71 | Network flood IPv4 ICMP | Behavioral-DoS | | | Network flood IPv4 ICMP.
72 | Network flood IPv4 IGMP | Behavioral-DoS | | | Network flood IPv4 IGMP.
73 | Network flood IPv4 TCP-SYN | Behavioral-DoS | | | Network flood IPv4 TCP with SYN flag.
74 | Network flood IPv4 TCP-RST | Behavioral-DoS | | | Network flood IPv4 TCP with RST flag.
75 | Network flood IPv4 TCP-ACK | Behavioral-DoS | | | Network flood IPv4 TCP with ACK flag.
76 | Network flood IPv4 TCP-PSH | Behavioral-DoS | | | Network flood IPv4 TCP with PSH flag.
77 | Network flood IPv4 TCP-FIN | Behavioral-DoS | | | Network flood IPv4 TCP with FIN flag.
78 | Network flood IPv4 TCP-SYN-ACK | Behavioral-DoS | | | Network flood IPv4 TCP with SYN and ACK flags.
79 | Network flood IPv4 TCP-FRAG | Behavioral-DoS | | | Network flood IPv4 TCP with FRAG flag.
80 | Network flood IPv6 UDP | Behavioral-DoS | | | Network flood IPv6 UDP.
81 | Network flood IPv6 ICMP | Behavioral-DoS | | | Network flood IPv6 ICMP.
82 | Network flood IPv6 IGMP | Behavioral-DoS | | | Network flood IPv6 IGMP.
83 | Network flood IPv6 TCP-SYN | Behavioral-DoS | | | Network flood IPv6 TCP with SYN flag.
84 | Network flood IPv6 TCP-RST | Behavioral-DoS | | | Network flood IPv6 TCP with RST flag.
85 | Network flood IPv6 TCP-ACK | Behavioral-DoS | | | Network flood IPv6 TCP with ACK flag.
86 | Network flood IPv6 TCP-PSH | Behavioral-DoS | | | Network flood IPv6 TCP with PSH flag.
87 | Network flood IPv6 TCP-FIN | Behavioral-DoS | | | Network flood IPv6 TCP with FIN flag.
88 | Network flood IPv6 TCP-SYN-ACK | Behavioral-DoS | | | Network flood IPv6 TCP with SYN and ACK flags.
89 | Network flood IPv6 TCP-FRAG | Behavioral-DoS | | | Network flood IPv6 TCP with FRAG flag.
100 | Unrecognized L2 Format | Anomalies | | | Unrecognized L2 format.
103 | Incorrect IPv4 checksum | Anomalies | | | Incorrect IPv4 checksum.
104 | Invalid IPv4 Header or Total Length | Anomalies | | | Invalid IPv4 header or total length.
105 | TTL Less Than or Equal to 1 | Anomalies | | | TTL less than or equal to 1.
106 | Inconsistent IPv6 Headers | Anomalies | | | Inconsistent IPv6 headers.
108 | IPv6 Hop Limit Reached | Anomalies | | | IPv6 hop limit reached.
110 | Unsupported L4 Protocol | Anomalies | | | Unsupported L4 protocol.
112 | Invalid TCP Header Length | Anomalies | | | Invalid TCP header length.
113 | Invalid TCP Flags | Anomalies | | | Invalid TCP flags.
116 | Invalid UDP Header Length | Anomalies | | | Invalid UDP header length.
119 | Source or Dest Address same as Local Host | Anomalies | | | Source or destination IP address same as local host.
120 | Source Address same as Dest Address (Land Attack) | Anomalies | | | Source IP address same as destination IP address (Land Attack). The common vulnerability enumerator (CVE) for this signature is CVE-1999-0016.
125 | L4 Source or Dest Port Zero | Anomalies | | | Layer 4 source or destination port is zero.
150 | HTTP Page Flood Attack | HttpFlood | | | HTTP page flood attack.
240 | TCP Out-of-State | DoS | | | TCP Out-of-State floods.
350 | SCAN_TCP_SCAN | Anti Scan | | | TCP scanning attempt.
351 | SCAN_UDP_SCAN | Anti Scan | | | UDP scanning attempt.
352 | SCAN_ICMP_SCAN | Anti Scan | | | ICMP scanning attempt.
400 | Brute Force Web | | | | A Brute Force Web attack is an attempt to break into a restricted area on a site that is protected by native HTTP authentication.
401 | Web Scan | | | | A Web-vulnerability scan is an information-gathering attack that is usually launched as a prequel to an intrusion attack on the scanned Web server. The attacker is trying to gather information on the Web server by sending different types of HTTP requests and analyzing the server responses. Automatic tools are often used in this case.
402 | Brute Force SMTP | | | | A Brute Force SMTP attack is an attempt to break into restricted accounts on the SMTP mail server that is protected by user name and password authentication.
403 | Brute Force FTP | | | | A Brute Force FTP attack is an attempt to break into a restricted account on the FTP server that is protected by user name and password authentication.
404 | Brute Force POP3 | | | | A Brute Force POP3 attack is an attempt to break into restricted accounts on the POP3 mail server that is protected by user name and password authentication.
405 | Brute Force SIP (UDP) | | | | A Brute Force SIP (UDP) attack is an attempt to break into restricted accounts on the SIP server, over UDP, which is protected by user name and password authentication. This type of attack can also cause a Register flood on the SIP server.
406 | Brute Force SIP (TCP) | | | | A Brute Force SIP (TCP) attack is an attempt to break into restricted accounts on the SIP server, over TCP, which is protected by user name and password authentication. This type of attack can also cause a Register flood on the SIP server.
407 | Brute Force MySQL | | | | A Brute Force MySQL attack is an attempt to break into restricted database accounts on the MySQL database server that is protected by user name and password authentication.
408 | Brute Force MSSQL | | | | A Brute Force MSSQL attack is an attempt to break into restricted database accounts on the MSSQL database server that is protected by user name and password authentication.
409 | SIP Scan (UDP) | | | | SIP scan attacks intend to identify the SIP server in order to find vulnerabilities or to harvest the server for existing subscriber phone numbers (also known as SIP users or SIP URIs). The phone numbers can be used later to launch a SPIT (SPAM over IP Telephony) attack.
410 | SIP Scan (TCP) | | | | SIP scan attacks intend to identify the SIP server in order to find vulnerabilities or to harvest the server for existing subscriber phone numbers (also known as SIP users or SIP URIs). The phone numbers can be used later to launch a SPIT (SPAM over IP Telephony) attack.
414 | SIP Scan DST (TCP) | | | | SIP scan attacks intend to identify the SIP server in order to find vulnerabilities or to harvest the server for existing subscriber phone numbers (also known as SIP users or SIP URIs). The phone numbers can be used later to launch a SPIT (SPAM over IP Telephony) attack.
416 | Brute Force SIP DST (TCP) | | | | A Brute Force SIP DST (TCP) attack is an attempt to break into restricted accounts on the SIP server, over TCP, which is protected by user name and password authentication. The specific attack was detected from error responses that were found on sessions that originated from the server. This type of attack can also cause a Register flood on the SIP server.
417 | Brute Force SMB | | | | A Brute Force SMB attack is an attempt to break into restricted accounts on the SMB (file share) server that is protected by user name and password authentication.
418 | Brute Force SIP DST (UDP) | | | | A Brute Force SIP DST (UDP) attack is an attempt to break into restricted accounts on the SIP server, over UDP, which is protected by user name and password authentication. The specific attack was detected from error responses that were found on sessions that originated from the server. This type of attack can also cause a Register flood on the SIP server.
419 | SIP Scan DST (UDP) | | | | SIP scan attacks intend to identify the SIP server in order to find vulnerabilities or to harvest the server for existing subscriber phone numbers (also known as SIP users or SIP URIs). The phone numbers can be used later to launch a SPIT (SPAM over IP Telephony) attack.
450 | DNS flood IPv4 DNS-A | DNS-Protection | | | DNS A query flood over IPv4.
451 | DNS flood IPv4 DNS-MX | DNS-Protection | | | DNS MX query flood over IPv4.
452 | DNS flood IPv4 DNS-PTR | DNS-Protection | | | DNS PTR query flood over IPv4.
453 | DNS flood IPv4 DNS-AAAA | DNS-Protection | | | DNS AAAA query flood over IPv4.
454 | DNS flood IPv4 DNS-Text | DNS-Protection | | | DNS Text query flood over IPv4.
455 | DNS flood IPv4 DNS-SOA | DNS-Protection | | | DNS SOA query flood over IPv4.
456 | DNS flood IPv4 DNS-NAPTR | DNS-Protection | | | DNS NAPTR query flood over IPv4.
457 | DNS flood IPv4 DNS-SRV | DNS-Protection | | | DNS SRV query flood over IPv4.
458 | DNS flood IPv4 DNS-Other | DNS-Protection | | | DNS Other queries flood over IPv4.
459 | DNS flood IPv4 DNS-ALL | DNS-Protection | | | DNS query flood over IPv4.
460 | DNS flood IPv6 DNS-A | DNS-Protection | | | DNS A query flood over IPv6.
461 | DNS flood IPv6 DNS-MX | DNS-Protection | | | DNS MX query flood over IPv6.
462 | DNS flood IPv6 DNS-PTR | DNS-Protection | | | DNS PTR query flood over IPv6.
463 | DNS flood IPv6 DNS-AAAA | DNS-Protection | | | DNS AAAA query flood over IPv6.
464 | DNS flood IPv6 DNS-Text | DNS-Protection | | | DNS Text query flood over IPv6.
465 | DNS flood IPv6 DNS-SOA | DNS-Protection | | | DNS SOA query flood over IPv6.
466 | DNS flood IPv6 DNS-NAPTR | DNS-Protection | | | DNS NAPTR query flood over IPv6.
467 | DNS flood IPv6 DNS-SRV | DNS-Protection | | | DNS SRV query flood over IPv6.
468 | DNS flood IPv6 DNS-Other | DNS-Protection | | | DNS Other queries flood over IPv6.
469 | DNS flood IPv6 DNS-ALL | DNS-Protection | | | DNS query flood over IPv6.
720 | SYN Flood protection | | | | Start, ongoing, and termination of attacks per protection policy.
721 | SYN Flood enabled protection | | | | Ongoing message when the SYN rate relative to the first ACK/Data packet rate is above 1000 packets per second. (This event is not generated in version 5.10 and later.)
722 | SYN Flood protect full table | | | | Used for DefensePro's session table protection. (This event is not generated in version 5.10 and later.)
723 | SYN ACK Reflection protection | | | | Used for SARP (SYN ACK Reflection Protection).
724 | SYN Protect delete frag | | | | Used when a fragmented packet arrives during the authentication process. The packet will be discarded.
725 | SYN Protect delete reset | | | | Used when a RESET packet that does not match an existing session arrives during the authentication process. The packet will be discarded.
726 | SYN Protect out of context | | | | Used when a packet that does not match an existing session arrives during the authentication process. The packet will be deleted and a RESET will be sent to the source.
727 | SYN Protect full table | | | | Used when the SYN Protection table is full and the module cannot handle more concurrent authentication processes. New verified ACK (or data) packets will be discarded as long as the table is full.
729 | SYN Protect out of context | | | | Used when a packet that does not match an existing session arrives during the authentication process. The packet will be deleted and a RESET will be sent to the source.
730 | SYN Protect unverified cookie | | | | Used when a packet with an illegal cookie arrives during the authentication process. The packet will be discarded. (This event is not relevant before version 5.1x.)
731 | SYN Protect incompleteness | | | | Used when a new session is aged during the authentication process before the first data packet has arrived.
732 | SYN Protect delete wrong tcp | | | | Used when an unexpected packet or one with illegal TCP flags arrives during the authentication process. The packet will be discarded.
740 | TCP session dropped | Stateful-ACL | High | Drop | Reports on traffic that matched an ACL rule.
741 | TCP session allowed | Stateful-ACL | Info | Forward | Reports on traffic that matched an ACL rule.
742 | UDP session dropped | Stateful-ACL | High | Drop | Reports on traffic that matched an ACL rule.
743 | UDP session allowed | Stateful-ACL | Info | Forward | Reports on traffic that matched an ACL rule.
744 | ICMP session dropped | Stateful-ACL | High | Drop | Reports on traffic that matched an ACL rule.
745 | ICMP session allowed | Stateful-ACL | Info | Forward | Reports on traffic that matched an ACL rule.
746 | IP session dropped | Stateful-ACL | High | Drop | Reports on IP traffic that matched an ACL rule that is not supported explicitly in the ACL (that is, traffic that is not, for example, TCP, UDP, ICMP, IGMP, SCTP, or supported tunneling protocols).

The remaining description cells of this table, whose ID, name, and category columns do not appear here, read as follows: "Reports on IP traffic that matched an ACL rule that is not supported explicitly in the ACL (that is, traffic that is not, for example, TCP, UDP, ICMP, IGMP, SCTP, or supported tunneling protocols)."; "Reports on traffic that matched an ACL rule." (repeated for nine further rows); "Range for signatures, from the Security Operations Center (SOC) Signature file. Odd ID numbers are DoS shield signatures. Even ID numbers are Intrusion signatures."; and "Pre-defined HTTP-SYN-flood attack protection."

747

IP session allowed

Stateful-ACL

Info

Forward

748 749 750 751 752 753 754 755 756 1,000 100,000

TCP Mid Flow packet TCP Invalid reset TCP handshake violation ICMP Smurf packet ICMP packet anomaly GRE session dropped GRE session allowed SCTP session dropped SCTP session allowed DoS Shield signatures or intrusion-protection signatures

Stateful-ACL Stateful-ACL Stateful-ACL Stateful-ACL Stateful-ACL Stateful-ACL Stateful-ACL Stateful-ACL Stateful-ACL DoS

Medium Medium Medium Medium Medium High Info High Info

Drop Drop Drop Drop Drop Drop Forward Drop Forward

200,000

HTTP

SynFlood

Document ID: RDWR-DP-V072000_UG1307

355

DefensePro User Guide DefensePro Attack-Protection IDs

Table 175: DefensePro Attack-Protection IDs

ID Attack-Protection Name Number or Range


200,001 200,002 200,003 200,004 200,005 200,006 200,007 200,008 HTTPS RTSP FTP_CTRL POP3 IMAP SMTP TELNET RPC

Category Default Risk Default (for Reporting) Action


SynFlood SynFlood SynFlood SynFlood SynFlood SynFlood SynFlood SynFlood DoS

Description

Pre-defined HTTPS-SYN-flood attack protection. Pre-defined RTSP-SYN-flood attack protection. Pre-defined FTP_CTRL-SYN-flood attack protection. Pre-defined POP3-SYN-flood attack protection. Pre-defined IMAP-SYN-flood attack protection. Pre-defined SMTP-SYN-flood attack protection. Pre-defined TELNET-SYN-flood attack protection. Pre-defined RPC-SYN-flood attack protection. Range for user-defined protections. The device generates the ID number sequentially when the user creates the signature. Range for user-defined Connection Limit protections. The device generates the ID number sequentially when the user creates the protection. Range for user-defined SYN-flood protections. he device generates the ID number sequentially when the user creates the protection. Range for user-defined Connection PPS Limit protections. he device generates the ID number sequentially when the user creates the protection.

300,000 User-defined custom signatures 449,999 450,000 User-defined Connection Limit 475,000 protections 500,000 User-defined SYN-flood 599,999 protections 600,000 User-defined Connection PPS 675,000 Limit protections

DoS

SYNFlood

DoS

356

Document ID: RDWR-DP-V072000_UG1307

Appendix E Protocols and OSs Protected by DefensePro Signatures

This appendix lists the protocols and operating systems that DefensePro signatures can protect.

DefensePro signatures can protect the following protocols:
BGP, BOOTP, Borland Interbase Protocol, CA License Client Protocol, CVS, DCERPC, DHCP, DNP3 (SCADA), DNS, EIGRP, Finger, FTP, HTTP, HTTPS, ICCP (SCADA), ICMP, Ident, IGAP, IGMP, IP, IPP, IRC, ISAKMP, LDAP, LPR, MaxDB, MODBUS (SCADA), Motorola Timbuktu, NBT, NDAP, NDMP, NetBIOS, NetFlow, NFS, NHRP, NMAP, NNTP, Ntalk, NTP, ORACLE, Overnet, PCAnywhere, POP2, POP3, PP, RADIUS, RDP, Retrospect, RFB (VNC), RIP, Rlogin, RTSP, SCCP (SKINNY), SCTP, Secure IMAP, Secure SMTP, SIP, SMB, SMS Remote Control, SMTP, SNMP, SOAP, SOCKS4, SOCKS5, SQL, SSH, SSL, SUN-RPC, TACACS, TCP, TELNET, TFTP, UDP, UPNP, WebDAV, WHOIS, Winny, WINS, XDMCP

DefensePro signatures can protect the following operating systems:
3COM, Cisco, Juniper, Linux, MAC OS, MS Windows, MS Windows Server, Unix

Appendix F Troubleshooting

If the device does not operate as expected, you can diagnose the system or provide Radware Technical Support with relevant information. For troubleshooting hardware-related issues, see the DefensePro Installation and Maintenance Guide.

This appendix contains the following sections:
- Diagnostic Tools, page 359
- Technical Support File, page 366

Diagnostic Tools

DefensePro supports the following diagnostic tools:
- Traffic Capture
- Trace-Log

Diagnostic tools are only available using CLI or Web Based Management. Diagnostic tools start working only after a diagnostic policy is configured on the device (see Diagnostics Policies, page 364) and the relevant options are enabled. Diagnostic tools stop in the following cases:
- You stop the relevant task.
- You reboot the device. When the device reboots, the status of the Capture Tool reverts to Disabled.

This section contains the following topics:
- Traffic Capture Tool, page 359
- Trace-Log, page 361
- Diagnostic Tools Files Management, page 363
- Diagnostics Policies, page 364

Traffic Capture Tool

The Traffic Capture tool captures packets that enter the device, leave the device, or both. The captured traffic is in TCPDUMP (pcap) format. You can download the captured packets and analyze the traffic using tcpdump, Wireshark, Unix snoop, or similar tools. For remote administration and debugging, you can also send captured traffic to a terminal (CLI, Telnet, and SSH). You can specify where the device captures packets to get a better understanding of the traffic flow, especially if the device manipulates the packets (due to NAT, traffic from a VIP to a real server, and so on).

Caution: Enabling this feature may cause severe performance degradation.

The Traffic Capture tool uses the following format for packet capture files:

capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap

Note: The Traffic Capture tool truncates packets longer than 1619 bytes (regardless of the configuration for jumbo frames).
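The following is an added example, not code from the guide or from Radware: it splits a capture file name of the form shown above into device name, timestamp and file number, and then walks a pcap file to find packets that were cut at the 1619-byte limit. It assumes only the standard libpcap layout (a 24-byte global header, then a 16-byte record header per packet carrying the captured and the original length); the sample file bytes and the device name are constructed here.

```python
"""Added example (not Radware code): parse a DefensePro capture file name and
scan the pcap it contains for packets truncated at the 1619-byte limit.
The pcap layout used here is the standard libpcap format; the sample bytes
are constructed for the example, not taken from a device."""
import re
import struct
from datetime import datetime

CAPTURE_NAME_RE = re.compile(
    r"^capture_(?P<device>.+)_(?P<date>\d{8})_(?P<time>\d{6})_(?P<num>\d+)\.cap$"
)
TRUNCATION_LIMIT = 1619  # bytes, from the Traffic Capture tool note above


def parse_capture_name(name):
    """Split capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap into fields."""
    m = CAPTURE_NAME_RE.match(name)
    if not m:
        raise ValueError("not a DefensePro capture file name: %s" % name)
    stamp = datetime.strptime(m.group("date") + m.group("time"), "%d%m%Y%H%M%S")
    return {"device": m.group("device"), "timestamp": stamp, "file_number": int(m.group("num"))}


def parse_pcap(data):
    """Return (snaplen, records); each record is (ts_sec, ts_usec, incl_len, orig_len)."""
    magic = data[:4]
    if magic == b"\xd4\xc3\xb2\xa1":
        end = "<"          # little-endian writer
    elif magic == b"\xa1\xb2\xc3\xd4":
        end = ">"          # big-endian writer
    else:
        raise ValueError("unknown pcap magic %r" % magic)
    _, _, _, _, _, snaplen, _ = struct.unpack(end + "IHHiIII", data[:24])
    records, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        if off + incl_len > len(data):
            raise ValueError("pcap file ends inside record %d" % len(records))
        records.append((ts_sec, ts_usec, incl_len, orig_len))
        off += incl_len
    return snaplen, records


def truncated_packets(records):
    """Indices of packets whose captured length is shorter than the original length."""
    return [i for i, (_, _, incl, orig) in enumerate(records) if incl < orig]


def build_sample_pcap():
    """Constructed sample: one full 60-byte packet, then a 1700-byte packet cut at 1619 bytes."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, TRUNCATION_LIMIT, 1)
    p1 = struct.pack("<IIII", 1373000000, 0, 60, 60) + b"\x00" * 60
    p2 = struct.pack("<IIII", 1373000001, 0, TRUNCATION_LIMIT, 1700) + b"\x00" * TRUNCATION_LIMIT
    return hdr + p1 + p2


if __name__ == "__main__":
    print(parse_capture_name("capture_DP-edge1_05072013_143000_1.cap"))
    snaplen, recs = parse_pcap(build_sample_pcap())
    print("snaplen", snaplen, "truncated packets:", truncated_packets(recs))
```

Run it against a downloaded capture by replacing build_sample_pcap() with the file contents; any index reported by truncated_packets() is a packet whose payload past 1619 bytes is not in the file, which matters when you are looking for application-layer content near the end of large packets.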

To configure the Capture Tool using Web Based Management

1. Select Services > Diagnostics > Capture > Parameters. The Capture Tool Configuration pane is displayed.
2. Configure the parameters; and then, click Set.

Table 176: Capture Tool Configuration Parameters

Status: Specifies whether the Capture Tool is enabled.
  Values: Enabled, Disabled
  Default: Disabled
  Note: When the device reboots, the status of the Capture Tool reverts to Disabled.

Output To File: Specifies the location of the stored captured data.
  Values:
  - RAM Drive and Flash: The device stores the data in RAM and appends the data to the file on the CompactFlash drive. Due to limits on CompactFlash size, DefensePro uses two files. When the first file becomes full, the device switches to the second until it is full, then overwrites the first file, and so on.
  - RAM Drive: The device stores the data in RAM.
  - None: The device does not store the data in RAM or flash, but you can view the data using a terminal.

Output To Terminal: Specifies whether the device sends captured data to the terminal.
  Values: Enabled, Disabled
  Default: Disabled

Capture Point: Specifies where the device captures the data.
  Values:
  - On Packet Arrive: The device captures packets when they enter the device.
  - On Packet Send: The device captures packets when they leave the device.
  - Both: The device captures packets when they enter the device and when they leave the device.

Trace-Log

The Trace-Log tool provides data on the traffic flow within the device. The feature is intended for debugging purposes only.

Caution: Enabling this feature may cause severe performance degradation.

DefensePro uses the following format for Trace-Log files:

trace_log_<Device Name>_ddMMyyyy_hhmmss_<file number>.txt

This section contains the following topics:
- Trace-Log Tool Configuration, page 361
- Diagnostics Trace-Log Message Format, page 362
- Trace-Log Modules, page 362

Trace-Log Tool Configuration

To configure the Trace-Log tool using Web Based Management

1. Select Services > Diagnostics > Trace-Log > Parameters. The Diagnostics Trace-Log Tool Configuration pane is displayed.
2. Configure the parameters; and then, click Set.

Table 177: Trace-Log Tool Configuration Parameters

Status: Specifies whether the Trace-Log tool is enabled.
  Values: Enabled, Disabled
  Default: Disabled

Output To File: Specifies the location of the stored data.
  Values:
  - RAM Drive and Flash: The device stores the data in RAM and appends the data to the file on the CompactFlash drive. Due to limits on CompactFlash size, DefensePro uses two files. When the first file becomes full, the device switches to the second until it is full, then overwrites the first file, and so on.
  - RAM Drive: The device stores the data in RAM.
  - None: The device does not store the data in RAM or flash, but you can view the data using a terminal.

Output To Terminal: Specifies whether the device sends Trace-Log data to the terminal.
  Values: Enabled, Disabled
  Default: Disabled

Output To Syslog Server: Specifies whether the device sends Trace-Log data to a syslog server.
  Values: Enabled, Disabled
  Default: Disabled

Diagnostics Trace-Log Message Format

Use the Diagnostics Trace-Log Message Format pane to specify which parameters appear in the Trace-Log message.

To configure the diagnostics Trace-Log message format using Web Based Management

1. Select Services > Diagnostics > Trace-Log > Message Format. The Diagnostics Trace-Log Message Format pane is displayed.
2. Configure the parameters; and then, click Set.

Table 178: Diagnostics Trace-Log Message Format Parameters

Date: Specifies whether the date that the message was generated is included in the Trace-Log message.

Time: Specifies whether the time that the message was generated is included in the Trace-Log message.

Platform Name: Specifies whether the platform MIB name is included in the Trace-Log message.

File Name: Specifies whether the output file name is included in the Trace-Log message.

Line Number: Specifies whether the line number in the source code is included in the Trace-Log message.

Packet Id: Specifies whether an ID assigned by the device to each packet is included in the Trace-Log message. This enables you to see the order of the packets.

Module Name: Specifies whether the name of the traced module is included in the Trace-Log message.

Task Name: Specifies whether the name of the specific task of the traced module is included in the Trace-Log message.

Trace-Log Modules

To help pinpoint the source of a problem, you can specify which DefensePro modules the Trace-Log feature works on and the log severity per module.

To configure the parameters of the Trace-Log modules using Web Based Management

1. Select Services > Diagnostics > Trace-Log > Modules. The Trace-Log Modules pane is displayed. The table in the pane comprises the following columns:
   - Name: The name of the module. Values: ACL, CDE, GENERIC, VSDR
   - Status: The current status of the traced module.
   - Severity: The lowest severity of the events that the Trace-Log includes for this module. Values: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
2. Click the relevant link. The Trace-Log Modules Update pane is displayed.
3. Configure the parameters; and then, click Set.

Table 179: Trace-Log Modules Update Parameters

Status: Specifies whether the Trace-Log feature is enabled for the module.

Severity: The lowest severity of the events that the Trace-Log includes for this module.
  Values: Emergency, Alert, Critical, Error, Warning, Notice, Info, Debug
  Note: The default varies according to module.

Diagnostic Tools Files Management

DefensePro can store the output of the diagnostic tools in RAM and in the CompactFlash. If the device is configured to store the output in the CompactFlash, when the data size in RAM reaches its limit, the device appends the data chunk from RAM to the file on the CompactFlash drive. For each enabled diagnostic tool, DefensePro uses two temporary files. When one temporary file reaches the limit (1 MB), DefensePro stores the information in the second temporary file. When the second temporary file reaches the limit (1 MB), DefensePro overwrites the first file, and so on. When you download a CompactFlash file, the file contains both temporary files. Use the Diagnostic Tools Files Management pane to download or delete files from the RAM or CompactFlash.

To download or delete diagnostic tool files using Web Based Management

1. Select Services > Diagnostics > Files. The Diagnostic Tools Files Management pane is displayed. The pane contains two tables, Files On RAM Drive and Files On Main Flash. Each table comprises the following columns:
   - File Name: The name of the file.
   - File Size: The file size, in bytes.
   - Action: The action that you can take on the stored data. Values: download (starts the download of the selected file; follow the on-screen instructions), delete (deletes the selected file).
2. From the Action column, select the action, Download or Delete, and follow the instructions.

Diagnostics Policies

In most cases, there is no need to capture all the traffic passing through the device. Using diagnostic policies, the device can classify the traffic and store only the required information.

Note: To reuse the policy, edit the policy and set it again.

To configure a diagnostics policy using Web Based Management

1. Select Services > Diagnostics > Policies. The Diagnostics Policies pane is displayed.
2. Click Create. The Diagnostics Policies Create pane is displayed.
3. Configure the parameters; and then, click Set.

Table 180: Diagnostics Policies Parameters

Name: The user-defined name of the policy, up to 20 characters.

Index: The number of the policy in the order in which the diagnostics tools classify (that is, capture) the packets.
  Default: 1

Description: The user-defined description of the policy.

VLAN Tag Group: The VLAN Tag group whose packets the policy classifies (that is, captures).

Destination: The destination IP address or predefined class object whose packets the policy classifies (that is, captures).
  Default: any (the diagnostics tool captures packets with any destination address)

Source: The source IP address or predefined class object whose packets the policy classifies (that is, captures).
  Default: any (the diagnostics tool captures packets with any source address)

Outbound Port Group: The port group whose outbound packets the policy classifies (that is, captures).
  Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.

Inbound Port Group: The port group whose inbound packets the policy classifies (that is, captures).

Service Type: The service type whose packets the policy classifies (that is, captures).
  Values: None, Basic Filter, AND Group, OR Group
  Default: None

Service: The service whose packets the policy classifies (that is, captures).

Destination MAC Group: The Destination MAC group whose packets the policy classifies (that is, captures).

Source MAC Group: The Source MAC group whose packets the policy classifies (that is, captures).

Maximal Number of Packets: The maximal number of packets the policy captures. Once the policy captures the specified number of packets, it stops capturing traffic. In some cases, the policy captures fewer packets than the configured value. This happens when the device is configured to drop packets.

Maximal Packet Length: The maximal length for a packet the policy captures.

Capture Status: Specifies whether the packet-capture feature is enabled in the policy.
  Values: Enabled, Disabled
  Default: Disabled

Trace-Log Status: Specifies whether the Trace-Log feature is enabled in the policy.
  Values: Enabled, Disabled
  Default: Disabled
  Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.

Technical Support File

A DefensePro device can generate a technical-support file, which you can save to a specified location and send to Radware Technical Support to help diagnose problems. When generated using the CLI, the technical-support file includes the following:

dp_support.txt: Contains the data that Radware Technical Support typically needs to diagnose a problem with a DefensePro device. The data comprises the collected output from various CLI commands.

auditLog.log: Contains a record of each configuration change to the device (by any management interface). A device begins storing these records when the device receives its first command. The records are sorted by date in ascending order. When the size of the data exceeds the maximum allowed size (2 MB), the oldest record is overwritten. The data is never cleared unless you erase the device configuration. The structure of each record in the auditLog.log file is as follows:

<dd>-<MM>-<yyyy> <hh>:<mm>:<ss> <Event description>

Example:

06-12-2009 19:16:11 COMMAND: logout by user radware via Console

HTTPFLD.tar: Contains data on HTTP floods.

NTFLD.tar: Contains data on network floods.
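The auditLog.log record format above is enough to review configuration changes without Radware tooling. The following is an added example, not code from the guide or from Radware: it parses records of that form, reports where the ascending date order breaks (which is where the 2 MB ring overwrote the oldest records, or where the device clock was changed), and flags configuration commands made by users outside an approved set or outside a change window. Only the logout line is taken from the guide; the other sample records, the command texts in them, the user names and the change window are constructed placeholders, and the "COMMAND: ... by user ... via ..." layout of the event description is assumed to hold for all command records.

```python
"""Added example (not Radware code): review auditLog.log records of the form
<dd>-<MM>-<yyyy> <hh>:<mm>:<ss> <Event description>.  Sample records other
than the logout line are constructed; the command texts are placeholders."""
import re
from datetime import datetime, time

RECORD_RE = re.compile(r"^(\d{2}-\d{2}-\d{4} \d{2}:\d{2}:\d{2}) (.*)$")
# Assumed layout of command events, generalised from the guide's logout example.
COMMAND_RE = re.compile(r"^COMMAND: (?P<cmd>.*) by user (?P<user>\S+) via (?P<via>\S+)$")

SAMPLE_LOG = """\
06-12-2009 19:16:11 COMMAND: logout by user radware via Console
07-12-2009 02:03:45 COMMAND: example-change-1 by user ops1 via SSH
07-12-2009 10:15:02 COMMAND: example-change-2 by user radware via WBM
07-12-2009 23:41:09 COMMAND: example-change-3 by user guest7 via Telnet
05-12-2009 08:00:00 COMMAND: example-change-0 by user ops1 via SSH
"""


def parse_audit_log(text):
    """Return records as dicts (ts, event, cmd, user, via); cmd/user/via are None
    for events that are not in the COMMAND layout."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # blank or damaged line
        ts = datetime.strptime(m.group(1), "%d-%m-%Y %H:%M:%S")
        rec = {"ts": ts, "event": m.group(2), "cmd": None, "user": None, "via": None}
        c = COMMAND_RE.match(rec["event"])
        if c:
            rec.update(c.groupdict())
        records.append(rec)
    return records


def order_breaks(records):
    """Indices where the timestamp goes backwards: the ring-buffer wrap point
    (oldest records overwritten) or a device clock change."""
    return [i for i in range(1, len(records)) if records[i]["ts"] < records[i - 1]["ts"]]


def suspicious_changes(records, approved_users, window_start=time(9, 0), window_end=time(18, 0)):
    """Command records (other than logout) by unapproved users or outside the change window."""
    hits = []
    for rec in records:
        if rec["cmd"] is None or rec["cmd"] == "logout":
            continue
        reasons = []
        if rec["user"] not in approved_users:
            reasons.append("unapproved user")
        if not (window_start <= rec["ts"].time() <= window_end):
            reasons.append("outside change window")
        if reasons:
            hits.append((rec["ts"], rec["user"], rec["via"], rec["cmd"], reasons))
    return hits


if __name__ == "__main__":
    recs = parse_audit_log(SAMPLE_LOG)
    print("order breaks at record indices:", order_breaks(recs))
    for hit in suspicious_changes(recs, {"radware", "ops1"}):
        print(hit)
```

Because the oldest record is overwritten once the log exceeds 2 MB, export auditLog.log (for example with the technical-support file) on a schedule and keep the copies; the device itself is not a long-term audit trail.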

To generate and display the output of the technical-support file on the terminal using CLI

Enter the following command:

manage support display

To generate a technical-support file and send it to a TFTP server using CLI

Enter the following command:

manage support tftp put <file name> <TFTP server IP address> [-v]

where -v also displays the output of the command.

Note: TFTP provides no authentication or encryption, and the technical-support file contains the device's configuration-change history. Transfer it only to a TFTP server on a trusted management network.

To generate and download the technical-support file using Web Based Management

1. Select File > Support. The Download Tech Support Info File pane is displayed.
2. Click Set. A File Download dialog box opens.
3. Click Open or Save and specify the required information.

Appendix G Glossary

This glossary lists the specialized terms and definitions used in the Radware technical environment. Some of the words belong to the public domain, and some are Radware-specific, but all are used in the Radware documentation, whether hardcopy or online.

Anomaly: An anomaly is unusual or unexpected behavior of traffic patterns or a protocol.

Attack: An Attack, with an upper-case letter A, is a realization of a threat: a malicious action taken against a network, host, or service.

Attack List: An Attack List is a database of known attackers as defined in the Signatures Database.

Attack Signature Database: Radware's Attack Signature Database contains signatures of known attacks. These signatures are included in the predefined groups and profiles supplied by Radware to create protection policies in the Connect and Protect Table. Each attack group consists of attack signatures with common characteristics intended to protect a specific application or range of IPs.

Behavioral DoS (BDoS): Behavioral DoS (Behavioral Denial of Service) protection defends networks from zero-day network-flood attacks that jam available network bandwidth with spurious traffic, denying use of network resources to legitimate users. BDoS profiles do this by identifying the footprint of the anomalous traffic. Network-flood protection types include:
- SYN Flood
- TCP Flood, including TCP Fin + Ack Flood, TCP Reset Flood, TCP Syn + Ack Flood, and TCP Fragmentation Flood
- UDP Flood
- ICMP Flood
- IGMP Flood

Black List: A Black List defines the IP addresses that are always blocked without inspection. Black lists are used as exceptions for security policies/rules, blocking all traffic generated by IP addresses in the Black List.

DDoS: Distributed Denial of Service attack on a DNS server. A typical attack involves numerous compromised zombie systems (botnets) sending spoofed domain-name requests to DNS servers, which process the request and send replies to the spoofed victims. When the DNS server is configured to provide recursion and the requested domain name is not available locally, the DNS server queries the root name servers for the IP address. The traffic then traverses the Internet backbone, affecting the Internet Service Provider and any upstream provider on the way to the intended target. Radware's adaptive behavior-based DoS Protection learns the characteristics of DNS traffic and establishes normal traffic behavior baselines. An embedded decision engine, based on fuzzy logic, constantly analyzes DNS traffic and detects when deviations from the normal baselines occur. Upon detection, the system performs an in-depth analysis of the suspicious DNS packets in order to identify abnormal appearances of parameters in the packet headers and payload.

Deep Packet Inspection: Inspection of the packet's payload as opposed to only its header. This enables the security device to perform inspection at the application level.

DoS: Denial of Service is an attack intended to consume system resources and create a temporary loss of service.

Exploit: An exploit is a program or technique that takes advantage of a software vulnerability. The program can be used for breaking security, or otherwise attacking a host over the network.

Heuristic analysis: Heuristic analysis is behavior-based analysis, targeted to provide a filter blocking abnormal phenomena. In anti-virus terms, heuristic analysis is the ability of a virus scanner to identify a potential virus by analyzing the behavior of the program, rather than looking for a known virus signature.

Intrusion: An intrusion is an attempted or successful access to system resources in any unauthorized manner.

Intrusion Detection System (IDS): Radware's Intrusion Detection System (IDS) applies the latest security or attack expertise to filter out potentially destructive or malicious events from a much larger amount of legitimate activity. There are two system-monitoring approaches:
- NIDS (network-based IDS): Monitors all network traffic passing on the segment where the agent is installed, acting upon suspicious anomalies or signature-based activity.
- HIDS (host-based IDS): Is confined to the local host and monitors activity in detail, such as command execution, file access, or system calls.
Organizations generally choose a combination of these approaches, based on known vulnerabilities.

Intrusion Prevention: A security service that scans, detects, and prevents real-time attempts to compromise system security.

IP interface: An IP interface in DefensePro is comprised of two components: an IP address and an associated interface. The associated interface can be a physical interface or a virtual interface (VLAN). IP routing is performed between DefensePro IP interfaces, while bridging is performed within an IP interface that contains an IP address associated with a VLAN.
DefensePro is designed to intercept HTTP requests and to redirect them to a content inspection server farm. The first assumption in designing a DefensePro network is that the DefensePro device resides on the path between the clients and both the Internet and the content inspection servers. This is required because DefensePro needs to intercept the clients' requests going to the Internet and to manipulate the packets returning from the content inspection servers to the clients. Except when using local triangulation or transparent proxy, all traffic must physically travel through the DefensePro device. This includes traffic from the users to the Internet and from the content inspection server farm back to the users. If there are users statically configured to use a content inspection server, they should be configured to the DefensePro virtual address. This address is the access IP address for the content inspection servers. This address is used only for statically configured users.

NHR: A Next-Hop Router (NHR) is a network element with an IP address through which traffic is routed.

Server Cracking Protection: Radware's Server Cracking Protection is a behavioral server-based technology that detects and prevents both known and unknown application scans and brute-force attacks. This behavioral protection is part of Radware's DefensePro Full Spectrum Protection Technology. The technology includes:
- An adaptive behavioral network-based protection that mitigates network DoS and DDoS attacks
- Adaptive behavioral user-based protections that mitigate network pre-attack probes and zero-day worm propagation activities
- Stateful signature-based protections against exploitation attempts of known application vulnerabilities
See also Server Cracking Protection Profile.

Server Cracking Protection Profile: A Server Cracking Protection profile provides application-level protection that identifies excessive frequencies of error responses from various applications. The profile initiates blocking of hacking sources, while allowing legitimate traffic to pass through. Application scanning and authentication brute-force attempts are usually precursors to more serious exploitation attempts. An attacker tries to gain access to a restricted section, or to find a known vulnerability, by sending a list of legitimate-looking requests and analyzing the responses. Both cracking and scanning attempts are characterized by a higher than usual rate of error responses from the application to a few specific users.

Server Protection Profile: Server Protection Profiles are designed to defend against network and application attacks targeting network servers or services, such as:
- SYN Flood protection using SYN Cookies
- Connection limit
- Server Cracking
- HTTP Page floods

Server, Reporting: A reporting server is the component responsible for running the required services to display reports to the end user. It may contain a Web server and provide services for both Eclipse and Web interfaces.

Service: A feature that provides protection against a set of attacks.

Signature: A Signature is a pattern-based analysis, used to search for packets generated by known attack tools.

Spoof: A spoof is when one system entity poses as or assumes the identity of another entity.

SYN cookie: SYN cookies are particular choices of initial TCP sequence numbers by TCP servers. The difference between the server's initial sequence number and the client's initial sequence number is:
- Top 5 bits: t mod 32, where t is a 32-bit time counter that increases every 64 seconds.
- Next 3 bits: an encoding of an MSS selected by the server in response to the client's MSS.
- Bottom 24 bits: a server-selected secret function of the client IP address and port number, the server IP address and port number, and t.
This choice of sequence number complies with the basic TCP requirement that sequence numbers increase slowly; the server's initial sequence number increases slightly faster than the client's initial sequence number. A server that uses SYN cookies does not have to drop connections when its SYN queue fills up. Instead it sends back a SYN+ACK, exactly as if the SYN queue had been larger. (Exceptions: the server must reject TCP options such as large windows, and it must use one of the eight MSS values that it can encode.) When the server receives an ACK, it checks that the secret function works for a recent value of t, and then rebuilds the SYN queue entry from the encoded MSS. A SYN flood is simply a series of SYN packets from forged IP addresses. The IP addresses are chosen randomly and don't provide any hint of where the attacker is. The SYN flood keeps the server's SYN queue full. Normally this would force the server to drop connections. A server that uses SYN cookies, however, will continue operating normally. The biggest effect of the SYN flood is to disable large windows.
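The SYN cookie construction described above, worked through as code. This is an added example, not code from the guide or from DefensePro: it builds the server's initial sequence number from the client's ISN plus the 5-bit time field, the 3-bit MSS index and the 24-bit keyed hash, and then validates the final ACK of the handshake the way a stateless server would, accepting only the current and the previous value of t. The eight-entry MSS table, the secret key (an HMAC-SHA256 truncated to 24 bits stands in for the "server-selected secret function"), the addresses and the ISN are all constructed for the example.

```python
"""Added example (not Radware code): the SYN-cookie scheme described above.
server_isn = client_isn + (t mod 32) << 27 | mss_index << 24 | secret24(4-tuple, t).
MSS table, key, addresses and ISN are constructed for the example."""
import hashlib
import hmac
import struct

MSS_TABLE = (536, 1024, 1220, 1440, 1452, 1460, 4312, 8960)  # 8 values -> 3 bits (constructed)
SECRET_KEY = b"example-server-secret"  # constructed; a real server rotates this
TICK_SECONDS = 64
MASK32 = 0xFFFFFFFF


def time_counter(now_seconds):
    """t: a counter that increases every 64 seconds."""
    return (int(now_seconds) // TICK_SECONDS) & MASK32


def encode_mss(client_mss):
    """Index of the largest table MSS not exceeding the client's MSS (0 if none fits)."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def secret24(client_ip, client_port, server_ip, server_port, t):
    """24-bit keyed function of the 4-tuple and t (HMAC-SHA256 truncated to 3 bytes)."""
    msg = struct.pack("!4sH4sHI", client_ip, client_port, server_ip, server_port, t)
    return int.from_bytes(hmac.new(SECRET_KEY, msg, hashlib.sha256).digest()[:3], "big")


def make_server_isn(client_isn, client_ip, client_port, server_ip, server_port, client_mss, now):
    """ISN for the SYN+ACK.  Nothing about the connection is stored on the server."""
    t = time_counter(now)
    diff = ((t % 32) << 27) | (encode_mss(client_mss) << 24) \
        | secret24(client_ip, client_port, server_ip, server_port, t)
    return (client_isn + diff) & MASK32


def rebuild_from_ack(seq, ack, client_ip, client_port, server_ip, server_port, now, max_age_ticks=1):
    """Validate the handshake's final ACK.  Returns the negotiated MSS, or None if the
    cookie was forged, belongs to a stale t, or was corrupted in transit."""
    client_isn = (seq - 1) & MASK32   # client echoes its ISN + 1 as seq
    server_isn = (ack - 1) & MASK32   # and our ISN + 1 as ack
    diff = (server_isn - client_isn) & MASK32
    t_low5, mss_idx, h = diff >> 27, (diff >> 24) & 0x7, diff & 0xFFFFFF
    t_now = time_counter(now)
    for t in range(t_now, t_now - max_age_ticks - 1, -1):   # current t, then recent ones
        if t % 32 == t_low5 and secret24(client_ip, client_port, server_ip, server_port, t) == h:
            return MSS_TABLE[mss_idx]
    return None


# Constructed handshake: 192.0.2.10:40000 -> 198.51.100.5:80
C_IP, C_PORT = bytes([192, 0, 2, 10]), 40000
S_IP, S_PORT = bytes([198, 51, 100, 5]), 80


def demo():
    """Genuine ACK one minute later, an ACK with a tampered cookie, and a replay after 3 ticks."""
    client_isn = 0x12345678
    isn = make_server_isn(client_isn, C_IP, C_PORT, S_IP, S_PORT, 1460, now=1000)
    good = rebuild_from_ack(client_isn + 1, isn + 1, C_IP, C_PORT, S_IP, S_PORT, now=1060)
    forged = rebuild_from_ack(client_isn + 1, (isn + 1) ^ 0x40, C_IP, C_PORT, S_IP, S_PORT, now=1060)
    stale = rebuild_from_ack(client_isn + 1, isn + 1, C_IP, C_PORT, S_IP, S_PORT, now=1000 + 3 * TICK_SECONDS)
    return good, forged, stale


if __name__ == "__main__":
    print(demo())  # (1460, None, None)
```

The window of accepted t values is the trade-off: one previous tick (about 64 to 128 seconds) is enough for a real client to answer, while a spoofed source that never saw the SYN+ACK has only a 2^-24 chance per guess of producing the 24-bit secret for a live t.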

372

Document ID: RDWR-DP-V072000_UG1307

DefensePro User Guide Glossary

Term
SYN flood

Definition
A SYN attack/flood is a type of DoS (Denial of Service) attack. SYN flood attacks are performed by sending a SYN packet without completing the TCP three-way handshake, referred as single packet attack. Alternatively, the TCP three-way handshake can be completed, but no data packets are sent afterwards. Such attacks are known as connection flood attacks. A SYN packet notifies a server of a new connection. The server then allocates some memory in order to handle the incoming connection, sends back an acknowledgement, then waits for the client to complete the connection and start sending data. By spoofing large numbers of SYN requests, an attacker can fill up memory on the server, which waits for more data that never arrives. Once memory has filled up, the server is unable to accept connections from legitimate clients. This effectively disables the server. Key point: SYN floods exploit a flaw in the core of the TCP/IP technology itself. There is no complete defense against this attack. There are, however, partial defenses. Servers can be configured to reserve more memory and decrease the amount of time they wait for connections to complete. Likewise, routers and firewalls can filter out some of the spoofed SYN packets. Finally, there are techniques (such as SYN cookies) that can play tricks with the protocol in order to help distinguish good SYNs from bad ones.

SYN-ACK Reflection Attack Prevention

SYN-ACK Reflection Attack Prevention is intended to prevent reflection of SYN attacks and reduce SYN-ACK packet storms that are created as a response to DoS attacks. When a device is under SYN attack, it sends a SYN-ACK packet with an embedded Cookie, in order to prompt the client to continue the session.

Threat

A threat, in Internet security terms, is a person, thing, event, or idea, that poses a danger to an asset. A fundamental threat can be any of the following: information leakage, Denial of Service, integrity violation, and illegitimate use.

Trojan Horse

A Trojan horse (also known as a trojan) is a computer program that appears benign, but is actually designed to harm or compromise the system. It is usually designed to provide unrestricted access into internal systems, bypassing security monitoring and auditing policies.

Virus

A virus is malicious program code written with the intention to damage computer systems and to replicate itself to extend the possible damage.

Worm

A worm is a type of computer virus that uses the Internet or local networks to spread itself by sending copies of itself to other hosts.

Zero Day Attack

A Zero Day attack (0day) is an attack on a vulnerability that no one knows about except those who discovered it. A zero day exploit is an attack against a non-public, unknown vulnerability. Since there are no known signatures, it penetrates any signature-based security defenses. If the exploit passes through a common port, and there are no other defenses, such as behavioral-based or impact-based techniques, it is hard or impossible to stop.

Radware Ltd. End User License Agreement


By accepting this End User License Agreement (this "License Agreement") you agree to be contacted by Radware Ltd.'s ("Radware") sales personnel. If you would like to receive license rights different from the rights granted below or if you wish to acquire warranty or support services beyond the scope provided herein (if any), please contact Radware's sales team. THIS LICENSE AGREEMENT GOVERNS YOUR USE OF ANY SOFTWARE DEVELOPED AND/OR DISTRIBUTED BY RADWARE AND ANY UPGRADES, MODIFIED VERSIONS, UPDATES, ADDITIONS, AND COPIES OF THE SOFTWARE FURNISHED TO YOU DURING THE TERM OF THE LICENSE GRANTED HEREIN (THE "SOFTWARE"). THIS LICENSE AGREEMENT APPLIES REGARDLESS OF WHETHER THE SOFTWARE IS DELIVERED TO YOU AS AN EMBEDDED COMPONENT OF A RADWARE PRODUCT ("PRODUCT"), OR WHETHER IT IS DELIVERED AS A STANDALONE SOFTWARE PRODUCT. FOR THE AVOIDANCE OF DOUBT IT IS HEREBY CLARIFIED THAT THIS LICENSE AGREEMENT APPLIES TO PLUG-INS, CONNECTORS, EXTENSIONS AND SIMILAR SOFTWARE COMPONENTS DEVELOPED BY RADWARE THAT CONNECT OR INTEGRATE A RADWARE PRODUCT WITH THE PRODUCT OF A THIRD PARTY (COLLECTIVELY, "CONNECTORS") FOR PROVISIONING, DECOMMISSIONING, MANAGING, CONFIGURING OR MONITORING RADWARE PRODUCTS. THE APPLICABILITY OF THIS LICENSE AGREEMENT TO CONNECTORS IS REGARDLESS OF WHETHER SUCH CONNECTORS ARE DISTRIBUTED TO YOU BY RADWARE OR BY A THIRD PARTY PRODUCT VENDOR. IN CASE A CONNECTOR IS DISTRIBUTED TO YOU BY A THIRD PARTY PRODUCT VENDOR PURSUANT TO THE TERMS OF AN AGREEMENT BETWEEN YOU AND THE THIRD PARTY PRODUCT VENDOR, THEN, AS BETWEEN RADWARE AND YOURSELF, TO THE EXTENT THERE IS ANY DISCREPANCY OR INCONSISTENCY BETWEEN THE TERMS OF THIS LICENSE AGREEMENT AND THE TERMS OF THE AGREEMENT BETWEEN YOU AND THE THIRD PARTY PRODUCT VENDOR, THE TERMS OF THIS LICENSE AGREEMENT WILL GOVERN AND PREVAIL.

PLEASE READ THE TERMS AND CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE OPENING THE PACKAGE CONTAINING RADWARE'S PRODUCT, OR BEFORE DOWNLOADING, INSTALLING, COPYING OR OTHERWISE USING RADWARE'S STANDALONE SOFTWARE (AS APPLICABLE). THE SOFTWARE IS LICENSED (NOT SOLD). BY OPENING THE PACKAGE CONTAINING RADWARE'S PRODUCT, OR BY DOWNLOADING, INSTALLING, COPYING OR USING THE SOFTWARE (AS APPLICABLE), YOU CONFIRM THAT YOU HAVE READ AND UNDERSTAND THIS LICENSE AGREEMENT AND YOU AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT. FURTHERMORE, YOU HEREBY WAIVE ANY CLAIM OR RIGHT THAT YOU MAY HAVE TO ASSERT THAT YOUR ACCEPTANCE AS STATED HEREINABOVE IS NOT THE EQUIVALENT OF, OR DEEMED AS, A VALID SIGNATURE TO THIS LICENSE AGREEMENT. IF YOU ARE NOT WILLING TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT, YOU SHOULD PROMPTLY RETURN THE UNOPENED PRODUCT PACKAGE OR YOU SHOULD NOT DOWNLOAD, INSTALL, COPY OR OTHERWISE USE THE SOFTWARE (AS APPLICABLE). THIS LICENSE AGREEMENT REPRESENTS THE ENTIRE AGREEMENT CONCERNING THE SOFTWARE BETWEEN YOU AND RADWARE, AND SUPERSEDES ANY AND ALL PRIOR PROPOSALS, REPRESENTATIONS, OR UNDERSTANDINGS BETWEEN THE PARTIES. "YOU" MEANS THE NATURAL PERSON OR THE ENTITY THAT IS AGREEING TO BE BOUND BY THIS LICENSE AGREEMENT, THEIR EMPLOYEES AND THIRD PARTY CONTRACTORS. YOU SHALL BE LIABLE FOR ANY FAILURE BY SUCH EMPLOYEES AND THIRD PARTY CONTRACTORS TO COMPLY WITH THE TERMS OF THIS LICENSE AGREEMENT.

1. License Grant. Subject to the terms of this Agreement, Radware hereby grants to you, and you accept, a limited, nonexclusive, nontransferable license to install and use the Software in machine-readable, object code form only and solely for your internal business purposes ("Commercial License").
If the Software is distributed to you with a software development kit (the "SDK"), then, solely with regard to the SDK, the Commercial License above also includes a limited, nonexclusive, nontransferable license to install and use the SDK solely on computers within your organization, and solely for your internal development of an integration or interoperation of the Software and/or other Radware Products with software or hardware products owned, licensed and/or controlled by you (the "SDK Purpose"). To the extent an SDK is distributed to you together with code samples in source code format (the "Code Samples") that are meant to illustrate and teach you how to configure, monitor and/or control the Software and/or any other Radware Products, the Commercial License above further includes a limited, nonexclusive, nontransferable license to copy and modify the Code Samples and create derivative works based thereon solely for the SDK Purpose and solely on computers within your organization. The SDK shall be considered part of the term "Software" for all purposes of this License Agreement. You agree that you will not assign, sublicense, transfer, pledge, lease, rent or share your rights under this License Agreement nor will you distribute copies of the Software or any parts thereof. Rights not specifically granted herein are specifically prohibited.

2. Evaluation Use. Notwithstanding anything to the contrary in this License Agreement, if the Software is provided to you for evaluation purposes, as indicated in your purchase order or sales receipt, on the website from which you download the Software, as inferred from any time-limited evaluation license keys that you are provided with to activate the Software, or otherwise, then You may use the Software only for internal evaluation purposes ("Evaluation Use") for a maximum of 30 days or such other duration as may be specified by Radware in writing at its sole discretion (the "Evaluation Period"). The evaluation copy of the Software contains a feature that will automatically disable it after expiration of the Evaluation Period. You agree not to disable, destroy, or remove this feature of the Software, and any attempt to do so will be a material breach of this License Agreement. During or at the end of the evaluation period, you may contact Radware's sales team to purchase a Commercial License to continue using the Software pursuant to the terms of this License Agreement. If you elect not to purchase a Commercial License, you agree to stop using the Software and to delete the evaluation copy received hereunder from all computers under your possession or control at the end of the Evaluation Period.
In any event, your continued use of the Software beyond the Evaluation Period (if possible) shall be deemed your acceptance of a Commercial License to the Software pursuant to the terms of this License Agreement, and you agree to pay Radware any amounts due for any applicable license fees at Radware's then-current list prices.

3. Subscription Software. If you licensed the Software on a subscription basis, your rights to use the Software are limited to the subscription period. You have the option to extend your subscription. If you extend your subscription, you may continue using the Software until the end of your extended subscription period. If you do not extend your subscription, after the expiration of your subscription, you are legally obligated to discontinue your use of the Software and completely remove the Software from your system.

4. Feedback. Any feedback concerning the Software including, without limitation, identifying potential errors and improvements, recommended changes or suggestions ("Feedback"), provided by you to Radware will be owned exclusively by Radware and considered Radware's confidential information. By providing Feedback to Radware, you hereby assign to Radware all of your right, title and interest in any such Feedback, including all intellectual property rights therein. With regard to any rights in such Feedback that cannot, under applicable law, be assigned to Radware, you hereby irrevocably waive such rights in favor of Radware and grant Radware under such rights in the Feedback, a worldwide, perpetual royalty-free, irrevocable, sublicensable and non-exclusive license, to use, reproduce, disclose, sublicense, modify, make, have made, distribute, sell, offer for sale, display, perform, create derivative works of and otherwise exploit the Feedback without restriction. The provisions of this Section 4 will survive the termination or expiration of this Agreement.

5. Limitations on Use. You agree that you will not: (a) copy, modify, translate, adapt or create any derivative works based on the Software; or (b) sublicense or transfer the Software, or include the Software or any portion thereof in any product; or (c) reverse assemble, decompile, reverse engineer or otherwise attempt to derive source code (or the underlying ideas, algorithms, structure or organization) from the Software; or (d) remove any copyright notices, identification or any other proprietary notices from the Software (including any notices of Third Party Software (as defined below)); or (e) copy the Software onto any public or distributed network or use the Software to operate in or as a time-sharing, outsourcing, service bureau, application service provider, or managed service provider environment. Notwithstanding Section 5(e), if you provide hosting or cloud computing services to your customers, you are entitled to use and include the Software in your IT infrastructure on which you provide your services. It is hereby clarified that the prohibitions on modifying, or creating derivative works based on, any Software provided by Radware, apply whether the Software is provided in a machine or in a human readable form. Human readable Software to which this prohibition applies includes (without limitation) Radware AppShape++ Script Files that contain Special License Terms. It is acknowledged that examples provided in a human readable form may be modified by a user.

6. Intellectual Property Rights. You acknowledge and agree that this License Agreement does not convey to you any interest in the Software except for the limited right to use the Software, and that all right, title, and interest in and to the Software, including any and all associated intellectual property rights, are and shall remain with Radware or its third party licensors. You further acknowledge and agree that the Software is a proprietary product of Radware and/or its licensors and is protected under applicable copyright law.

7. No Warranty. The Software, and any and all accompanying software, files, libraries, data and materials, are distributed and provided AS IS by Radware or by its third party licensors (as applicable) and with no warranty of any kind, whether express or implied, including, without limitation, any non-infringement warranty or warranty of merchantability or fitness for a particular purpose. Neither Radware nor any of its affiliates or licensors warrants, guarantees, or makes any representation regarding the title in the Software, the use of, or the results of the use of the Software. Neither Radware nor any of its affiliates or licensors warrants that the operation of the Software will be uninterrupted or error-free, or that the use of any passwords, license keys and/or encryption features will be effective in preventing the unintentional disclosure of information contained in any file. You acknowledge that good data processing procedure dictates that any program, including the Software, must be thoroughly tested with non-critical data before there is any reliance on it, and you hereby assume the entire risk of all use of the copies of the Software covered by this License. Radware does not make any representation or warranty, nor does Radware assume any responsibility or liability or provide any license or technical maintenance and support for any operating systems, databases, migration tools or any other software component provided by a third party supplier and with which the Software is meant to interoperate. This disclaimer of warranty constitutes an essential and material part of this License. In the event that, notwithstanding the disclaimer of warranty above, Radware is held liable under any warranty provision, Radware shall be released from all such obligations in the event that the Software shall have been subject to misuse, neglect, accident or improper installation, or if repairs or modifications were made by persons other than by Radware's authorized service personnel.

8. Limitation of Liability. Except to the extent expressly prohibited by applicable statutes, in no event shall Radware, or its principals, shareholders, officers, employees, affiliates, licensors, contractors, subsidiaries, or parent organizations (together, the "Radware Parties"), be liable for any direct, indirect, incidental, consequential, special, or punitive damages whatsoever relating to the use of, or the inability to use, the Software, or to your relationship with, Radware or any of the Radware Parties (including, without limitation, loss or disclosure of data or information, and/or loss of profit, revenue, business opportunity or business advantage, and/or business interruption), whether based upon a claim or action of contract, warranty, negligence, strict liability, contribution, indemnity, or any other legal theory or cause of action, even if advised of the possibility of such damages.
If any Radware Party is found to be liable to You or to any third party under any applicable law despite the explicit disclaimers and limitations under these terms, then any liability of such Radware Party will be limited exclusively to refund of any license or registration or subscription fees paid by you to Radware.

9. Third Party Software. The Software includes software portions developed and owned by third parties (the "Third Party Software"). Third Party Software shall be deemed part of the Software for all intents and purposes of this License Agreement; provided, however, that in the event that a Third Party Software is a software for which the source code is made available under an open source software license agreement, then, to the extent there is any discrepancy or inconsistency between the terms of this License Agreement and the terms of any such open source license agreement (including, for example, license rights in the open source license agreement that are broader than the license rights set forth in Section 1 above and/or no limitation in the open source license agreement on the actions set forth in Section 5 above), the terms of any such open source license agreement will govern and prevail. The terms of open source license agreements and copyright notices under which Third Party Software is being licensed to Radware, or a link thereto, are included with the Software documentation or in the header or readme files of the Software. Third Party licensors and suppliers retain all right, title and interest in and to the Third Party Software and all copies thereof, including all copyright and other intellectual property associated therewith. In addition to the use limitations applicable to Third Party Software pursuant to Section 5 above, you agree and undertake not to use the Third Party Software as a general SQL server, as a stand-alone application or with applications other than the Software under this License Agreement.

10. Term and Termination. This License Agreement is effective upon the first to occur of your opening the package of the Product, purchasing, downloading, installing, copying or using the Software or any portion thereof, and shall continue until terminated. However, sections 4-13 shall survive any termination of this License Agreement. The License under this License Agreement is not transferable and will terminate upon transfer of the Software. If the Software is licensed on a subscription basis, this Agreement will automatically terminate upon the termination of your subscription period if it is not extended.

11. Export. The Software or any part thereof may be subject to export or import controls under the laws and regulations of the United States and/or Israel. You agree to comply with such laws and regulations, and agree not to knowingly export, re-export, import or re-import, or transfer products without first obtaining all required Government authorizations or licenses therefor.

12. Governing Law. This License Agreement shall be construed and governed in accordance with the laws of the State of Israel.

13. Miscellaneous. If a judicial determination is made that any of the provisions contained in this License Agreement is unreasonable, illegal or otherwise unenforceable, such provision or provisions shall be rendered void or invalid only to the extent that such judicial determination finds such provisions to be unreasonable, illegal or otherwise unenforceable, and the remainder of this License Agreement shall remain operative and in full force and effect.
In the event a party breaches or threatens to commit a breach of this License Agreement, the other party will, in addition to any other remedies available to it, be entitled to injunctive relief. This License Agreement constitutes the entire agreement between the parties hereto and supersedes all prior agreements between the parties hereto with respect to the subject matter hereof. The failure of any party hereto to require the performance of any provisions of this License Agreement shall in no manner affect the right to enforce the same. No waiver by any party hereto of any provisions or of any breach of any provisions of this License Agreement shall be deemed or construed either as a further or continuing waiver of any such provisions or breach, or as a waiver of any other provision or breach of any other provision of this License Agreement. IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE YOU MUST REMOVE THE SOFTWARE FROM ANY DEVICE OWNED BY YOU AND IMMEDIATELY CEASE USING THE SOFTWARE. COPYRIGHT 2013, Radware Ltd. All Rights Reserved.