HUAWEI ATIC Management Center V500R001 Configuration Guide Issue 01 Date 2015-07-20 HUAWEI TECHNOLOGIES CO., LTD.


Copyright © Huawei Technologies Co., Ltd. 2015. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.

All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.

Address:

Huawei Industrial Base

Bantian, Longgang

Shenzhen 518129

People's Republic of China

Email:

Contents

1 Conventions
2 Safety Information
3 Alarm
  3.1 Managing Alarms
    3.1.1 Managing Current Alarms
    3.1.2 Managing Past Alarms
    3.1.3 Alarm Severity Rule
  3.2 Alarm Notification
    3.2.1 Managing Remote Notification
      3.2.1.1 Creating the Remote Notification Rule
      3.2.1.2 Modifying the Remote Notification Rule
    3.2.2 Configuring the Sound Notification
4 Initial Configuration of the Management Center
  4.1 Logging In to the ATIC Management center
  4.2 Customizing a Homepage
  4.3 Adding Devices
    4.3.1 Creating an AntiDDoS
    4.3.2 Creating an SAS
    4.3.3 Creating a Syslog-linkage Device
  4.4 Configuring a Collector
    4.4.1 Adding a Collector
    4.4.2 Associating the Collector with the devices
  4.5 Configuring the Defense Group
5 Configuring Defense Policies
  5.1 Configuring the Zone
    5.1.1 Adding a Zone
    5.1.2 Importing Zones in a Batch
  5.2 Configuring the Zone-based Defense Policy
    5.2.1 Configuring a Defense Mode
    5.2.2 Configuring a Filter
      5.2.2.1 Creating a Filter
      5.2.2.2 Associating a Zone with a Filter
    5.2.3 Configuring a Location Blocking Policy
    5.2.4 Creating a Service and a Defense Policy
      5.2.4.1 Overview
      5.2.4.2 Configuring a Service Learning Task
      5.2.4.3 Applying Service Learning Results
    5.2.5 Adjusting a Threshold (by Baseline Learning)
      5.2.5.1 Description
      5.2.5.2 Configuring a Baseline Learning Task
      5.2.5.3 Applying Baseline Learning Results
    5.2.6 Configuring the Zone-based Defense Policy
      5.2.6.1 TCP Defense Policy
      5.2.6.2 UDP Defense Policy
      5.2.6.3 ICMP Defense Policy
      5.2.6.4 Other Defense Policy
      5.2.6.5 DNS Defense Policy
      5.2.6.6 SIP Defense Policy
      5.2.6.7 HTTP Defense Policy
      5.2.6.8 HTTPS Defense Policy
      5.2.6.9 Top N Study
      5.2.6.10 Global Defense Policy for Non-Zone
      5.2.6.11 First-Packet Discarding
    5.2.7 Configuring Global Defense Policies (ATIC)
      5.2.7.1 Configuring Basic Attack Defense
      5.2.7.2 Blacklist and Whitelist
    5.2.8 Creating User-defined IP Locations
    5.2.9 Library Files
    5.2.10 Configuring Policy Templates
    5.2.11 Cloud Cleaning
    5.2.12 Deploying the Defense Policy
    5.2.13 Saving Configurations
6 Configuring Traffic Diversion
  6.1 Configuring Mirroring
  6.2 Configuring Traffic Diversion
    6.2.1 Configuring Policy-based Route Diversion
    6.2.2 Configuring BGP Traffic Diversion (CLI)
    6.2.3 Configuring BGP Traffic Diversion (ATIC)
  6.3 Configuring Traffic Injection
    6.3.1 Layer-2 Injection
    6.3.2 Configuring Static Route Injection
    6.3.3 Configuring UNR Route Injection
    6.3.4 Configuring Policy-Based Route Injection
    6.3.5 Configuring GRE Traffic Injection
    6.3.6 Configuring MPLS LSP Traffic Injection
    6.3.7 Configuring MPLS VPN Traffic Injection
  6.4 Configuring the Loop Check Function
  6.5 Configuring Blackhole Traffic Diversion
7 Attack Response and Source Tracing
  7.1 Viewing the Status of a Zone and Anti-DDoS Alarms
  7.2 Handling Abnormal Events
  7.3 Packet Capture
    7.3.1 Packet Capture, Analysis and Report
    7.3.2 Configuring Packet Capture Length
    7.3.3 Managing Packet Capture Task
      7.3.3.1 Creating an ACL Matched Packet Capture Task
      7.3.3.2 Creating a Global Defense Packet Capture Task
      7.3.3.3 Creating a Zone Attacked Packet Capture Task
      7.3.3.4 Creating an Anomaly-based Packet Capture Task
    7.3.4 Managing Packet Capture File
      7.3.4.1 Viewing Anomaly or Attack Events
      7.3.4.2 Tracing Attack Sources Through a Packet Capture File
      7.3.4.3 Parsing Packets in a Packet Capture File
      7.3.4.4 Extracting Fingerprints from a Packet Capture File
      7.3.4.5 Downloading a Packet Capture File
8 Report
  8.1 Overview
  8.2 Traffic Analysis
    8.2.1 Data Overview
    8.2.2 Traffic Comparison
    8.2.3 Traffic Top N
    8.2.4 Application Traffic
    8.2.5 Protocol Traffic Distribution
    8.2.6 Number of TCP Connections
    8.2.7 Board Traffic
    8.2.8 IP Location Top N
    8.2.9 IP Location Traffic
  8.3 Anomaly/Attack Analysis
    8.3.1 Anomaly/Attack Details
    8.3.2 Anomaly/Attack Top N
    8.3.3 Attack Top N
    8.3.4 Distribution of Anomaly/Attack Types
    8.3.5 Packet Discarding Trend
  8.4 DNS Analysis
    8.4.1 Top N Request Trend
    8.4.2 Top N Response Trend
    8.4.3 Cache Request Trend
    8.4.4 Request Category Trend
    8.4.5 Resolution Success Ratio
    8.4.6 Abnormal Packet Analysis
  8.5 HTTP(S) Analysis
    8.5.1 Top N HTTP Request Sources by Traffic
    8.5.2 Top N HTTPS Request Sources by Traffic
    8.5.3 Top N Requested URL
    8.5.4 Top N Requested Host
  8.6 Comprehensive Report
    8.6.1 Querying Comprehensive Reports
    8.6.2 Managing Scheduled Task
      8.6.2.1 Creating a Scheduled Task
    8.6.3 Downloading Report
  8.7 Report Customization
    8.7.1 Customizing Report-Related Information
    8.7.2 Configuring IP Description
9 System Management
  9.1 Configuring the System Administrators
    9.1.1 Introduction to System Administrators
    9.1.2 Managing Administrators
      9.1.2.1 Creating an Administrator
      9.1.2.2 Modifying an Administrator Group
    9.1.3 Managing Administrator Groups
      9.1.3.1 Creating an Administrator Group
      9.1.3.2 Modifying an Administrator Group
    9.1.4 Managing Online Administrators
    9.1.5 Configuring the System Security Policy
    9.1.6 Configuring the Authentication Server
  9.2 System Maintenance
    9.2.1 Performance Monitoring
    9.2.2 Dumping the Operation Logs
    9.2.3 Dumping the Alarms
    9.2.4 Maintaining Anti-DDoS Data
    9.2.5 Backing Up and Restoring Configuration Files
      9.2.5.1 Backing Up a Configuration File
      9.2.5.2 Restoring a Configuration File
  9.3 Log Management
    9.3.1 Introduction to Log Management
    9.3.2 Searching for an Operation Log
    9.3.3 Querying Device Operation Logs
    9.3.4 Querying Syslog Interworking Logs
  9.4 Notification Server
    9.4.1 Mail Server
    9.4.2 SMS Server
    9.4.3 Syslog Server

1 Conventions

This chapter describes the symbol, format, and expression conventions used in this document.

Content Conventions

The purchased products, services and features are stipulated by the contract made between Huawei Technologies Co., Ltd. and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

Feature Conventions

The following operations may involve the collection of user communication information. Huawei does not collect or store the user communication information alone. You are advised to enable specific functions for the purpose allowed and within the scope defined in local laws and regulations. In usage, you are obligated to take considerable measures to ensure that user communication information is fully protected when the information is being used and stored.

Traffic mirrored by port mirroring-capable routers is the basis for traffic statistics and analysis on a detection device but may involve the collection of user communication information. You can choose to configure a detection device to discard mirrored traffic after traffic statistics are collected.

Packet capturing is vital to attack source tracing and attack feature analysis but may involve the collection of user communication information. The product provides permission control over such functions. You are advised to clear packet capturing records after attack source tracing and traffic analysis are complete.

The anti-DDoS collector collects only traffic logs, not user communication information.

Symbol Conventions

The symbols that may be found in this document are defined as follows.

Symbol

Description

Indicates a hazard with a high level of risk, which if not avoided, will result in death or serious injury.

Indicates a hazard with a medium or low level of risk, which if not avoided, could result in minor or moderate injury.

Indicates a potentially hazardous situation, which if not avoided, could result in equipment damage, data loss, performance degradation, or unexpected results.

Indicates a tip that may help you solve a problem or save time.

Provides additional information to emphasize or supplement important points of the main text.

General Conventions

The general conventions that may be found in this document are defined as follows.

Convention: Description
Times New Roman: Normal paragraphs are in Times New Roman.
Boldface: Names of files, directories, folders, and users are in boldface. For example, log in as user root.
Italic: Book titles are in italics.
Courier New: Examples of information displayed on the screen are in Courier New.

Command Conventions

The command conventions that may be found in this document are defined as follows.

Convention: Description
Boldface: The keywords of a command line are in boldface.
Italic: Command arguments are in italics.
[ ]: Items (keywords or arguments) in brackets [ ] are optional.
{ x | y | }: Optional items are grouped in braces and separated by vertical bars. One item is selected.
[ x | y | ]: Optional items are grouped in brackets and separated by vertical bars. One item is selected or no item is selected.
{ x | y | } *: Optional items are grouped in braces and separated by vertical bars. A minimum of one item or a maximum of all items can be selected.
[ x | y | ] *: Optional items are grouped in brackets and separated by vertical bars. Several items or no item can be selected.
&<1-n>: The parameter before the & sign can be repeated 1 to n times.
#: A line starting with the # sign is a comment.

GUI Conventions

The GUI conventions that may be found in this document are defined as follows.

Convention: Description
Boldface: Buttons, menus, parameters, tabs, window, and dialog titles are in boldface. For example, click OK.
>: Multi-level menus are in boldface and separated by the ">" signs. For example, choose File > Create > Folder.

Keyboard Operations

The keyboard operations that may be found in this document are defined as follows.

Format: Description
Key: Press the key. For example, press Enter and press Tab.
Key 1+Key 2: Press the keys concurrently. For example, pressing Ctrl+Alt+A means the three keys should be pressed concurrently.
Key 1, Key 2: Press the keys in turn. For example, pressing Alt, A means the two keys should be pressed in turn.

Mouse Operations

The mouse operations that may be found in this document are defined as follows.

Action: Description
Click: Select and release the primary mouse button without moving the pointer.
Double-click: Press the primary mouse button twice continuously and quickly without moving the pointer.
Drag: Press and hold the primary mouse button and move the pointer to a certain position.

2 Safety Information

Observe the safety information to ensure the normal operation of the ATIC.

Hardware Operations

It is recommended to configure an independent uninterruptible power supply (UPS) for the ATIC server, protecting the hardware, system, and data from unexpected power failure. If the ATIC server is not configured with a UPS, the administrator, after receiving notice of an upcoming power cut, must properly shut down the ATIC process, the database, and the power one by one before the power is cut.

To shut down the ATIC server, you must follow the proper shutdown method in all situations. Do not shut down the ATIC server by switching off the hardware power directly; otherwise, system recovery will fail.

It is recommended to check the network communication every day according to the daily maintenance items to protect the network communication from disruption.

It is forbidden to remove the network cable from the server at will when the ATIC is running. If you really need to remove the network cable, stop the ATIC service first.

Software Operations

Do not install unnecessary software on the ATIC server.

Do not use the ATIC server to browse Web pages. Do not set up unnecessary shared directories. Ensure that permissions are specified on any shared directory.

Do not connect other computers to the network where the ATIC server resides to avoid IP address conflict and virus infection.

Set the properties of the OS, database, and ATIC passwords by level, and assign the passwords to the maintenance owner only. Only the maintenance owner has the administrator password. Passwords should be strictly managed with clear properties.

Check and test the ATIC periodically according to the maintenance item list and make a record of the check. After you discover a problem, handle it in time. For the problems that cannot be solved, contact the local office or customer service center in time to solve them.

ATIC Operations

It is forbidden to change the system time when the ATIC is running. Set the system time before you install the ATIC.

Shut down the ATIC server before you change the system time. Restart the ATIC server after the system time is changed. Do not set the system clock of the server ahead; otherwise, the data will become disordered.

To log in to Windows, you must use the user name that was used to install the ATIC. Do not change the user name for logging in to Windows.

During the use of the ATIC, ensure that data on the NE and that on the ATIC are consistent.

Back up the database periodically to minimize the system loss when errors occur.

It is recommended to synchronize NE data to the ATIC and query the latest NE data before you set parameters.

The ATIC displays a message for dangerous operations. Pay attention to such warnings.

Do not set the NE to a language other than Chinese or English; otherwise, the search results will be displayed as garbled characters on the ATIC interface.

3 Alarm

About This Chapter

3.1 Managing Alarms

You can use the alarm confirmation mechanism to verify that the current alarm is handled in time. In addition, you can add alarm maintenance experiences to each alarm, facilitating system maintenance and sharing experiences.

3.2 Alarm Notification

This section describes the settings of remote and voice notifications.

3.1 Managing Alarms

You can use the alarm confirmation mechanism to verify that the current alarm is handled in time. In addition, you can add alarm maintenance experiences to each alarm, facilitating system maintenance and sharing experiences.

3.1.1 Managing Current Alarms

The current alarms contain all the uncleared and alarms. You can use the alarm confirmation mechanism to verify that the current alarm is handled in time. You can also export the alarms as files from the alarm database.

Procedure

Step 1 Choose Alarms > Alarm Management > Current Alarms.

Step 2 Managing current alarms includes the following operations:

Confirm

The confirmed state indicates that the alarm is handled. According to the alarm confirmation status, you can distinguish unhandled alarms from handled alarms, and handle the unhandled alarms in time.

a. Select one or more alarms whose Confirmed status is Unconfirmed.

b. Click the corresponding button.

The confirmation dialog box is displayed.

c. Click OK.

The ATIC Management center changes the status of the specified alarm to Confirmed after receiving the instruction for confirming the alarm. Meanwhile, the ATIC Management center records the confirmation person and time, refreshes all the alarm displaying windows on the client, and updates the data in the alarm database.

Cancel confirmation

Cancel the confirmation of a confirmed alarm.

a. Select one or more alarms whose Confirmed status is Confirmed.

b. Click the corresponding button.

The confirmation dialog box is displayed.

c. Click OK. The status of the selected alarms is changed to Unconfirmed.

Clear

In some special situations, for example, when communication between the ATIC Management center and a device is disrupted, the cleared alarms reported from the device may be lost. In this situation, these alarms will not be cleared automatically if the device does not support the function of alarm verification. To solve this problem, the ATIC Management center supports manually clearing the alarms, that is, manually changing the state of the alarms from uncleared to cleared.

a. Select one or more alarms whose Confirmed status is Confirmed.

b. Click the corresponding button.

The confirmation dialog box is displayed.

c. Click OK.

All the selected alarms are removed from the current alarm list to the past alarm list. The ATIC Management center records the clearance person and time, refreshes all the alarm displaying windows on the client, and updates the data in the alarm database.

Export

Export some important alarms in a file, helping the administrator to locate and analyze problems.

a. Select one or more alarms.

b. Click the corresponding button.

The File Download dialog box is displayed.

c. Click Save.

The Save As dialog box is displayed.

d. Select a path for saving the alarm file, enter a name for the file or use the default file name, and click Save.

The selected alarms are exported to the specified local path.

Export all

Export all the current alarms in a file, helping the administrator to locate and analyze problems.

a. Click the corresponding button.

The File Download dialog box is displayed.

b. Click Save.

The Save As dialog box is displayed.

c. Select a path for saving the alarm file, enter a name for the file or use the default file name, and click Save.

All the current alarms are exported to the specified local path.

Refresh

The refresh policy can be Refresh every 15 seconds, Refresh every 30 seconds, Refresh every 60 seconds, or Stop Refresh.

Refresh every 30 seconds is selected by default. This means that the ATIC Management center server performs a round robin every 30 seconds. Once a new alarm occurs, the ATIC Management center will refresh it to the current alarm list.

Search

Set the conditions to search for the desired alarms. The search method can be the basic search or advanced search.

When you select Search, you can search for alarms by alarm severity.

When you select Advanced Search, you can search for alarms by alarm severity, alarm type, confirmation status, alarm source, and alarm occurrence time.

You can click Reset to clear all the specified parameter values.

View

You can click the name of an alarm to view its details.

i. Click the name of an alarm.

The page showing the details about the alarm is displayed.

ii. View the basic information and modification suggestions of the alarm.

You can click the times of an alarm to view the occurrence time, confirmed status and time, clearance status and time, and notification type of the alarm.

The alarm notification type tells you whether the alarm is a new alarm, a manual clear, or an automatic clear.

----End

3.1.2 Managing Past Alarms

The past alarms include all cleared alarms. You can export one, more, or all past alarms.

Procedure

Step 1 Choose Alarms > Alarm Management > Past Alarms.

Step 2 Managing past alarms includes the following operations:

Export

Export some important alarms in a file, helping the administrator to locate and analyze problems.

If Internet Explorer applies the default security policy, the message "To help protect your security, Internet Explorer blocked this site from downloading files to your computer" is displayed upon an export operation. In this case, right-click the message, and choose Download File from the shortcut menu. After the interface is refreshed, export the event information again.

a. Select one or more alarms.

b. Click the corresponding button.

The File Download dialog box is displayed.

c. Click Save.

The Save As dialog box is displayed.

d. Select a path for saving the alarm file, enter a name for the file or use the default file name, and click Save.

The selected alarms are exported to the specified local path.

Export all

Export all the past alarms in a file, helping the administrator to locate and analyze problems.

a. Click the corresponding button.

The File Download dialog box is displayed.

b. Click Save.

The Save As dialog box is displayed.

c. Select a path for saving the alarm file, enter a name for the file or use the default file name, and click Save.

All the past alarms are exported to the specified local path.

Search

Set the conditions to search for the desired alarms. The search method can be the basic search or advanced search.

When you select Search, you can search for alarms by alarm severity.

When you select Advanced Search, you can search for alarms by alarm severity, confirmation status, alarm source, and alarm occurrence time.

You can click Reset to clear all the specified parameter values.

View

You can click the name of an alarm to view its details.

i. Click the name of an alarm.

The page showing the details about the alarm is displayed.

ii. View the basic information and modification suggestions of the alarm.

You can click the times of an alarm to view the occurrence time, confirmation status and time, clearance status and time, and notification type of the alarm.

The alarm notification type tells you whether the alarm is a new alarm, a manual clear, or an automatic clear.

----End


3.1.3 Alarm Severity Rule

The anti-DDoS device can automatically specify severity levels for the alarms triggered by DDoS attacks or anomalies based on the configured rules.

Context

 

The anti-DDoS device provides four severity levels for the alarms:

Critical

Major

Minor

Warning

Alarm severity may change during DDoS attacks. As the attack traffic volume increases or decreases, alarms in the ATIC management center need to record the highest level and current level.

Procedure

Step 1 Choose Alarms > Alarm Management > Alarm Severity Rule.

Step 2 In the Alarm Severity Rule area, click the corresponding button.

Step 3 For the parameters of user-defined alarm severity rules, see Table 3-1.

Table 3-1 Parameters of user-defined alarm severity rules

Parameter | Description
Incoming Traffic (Mbps) | Incoming traffic bandwidth per second
Incoming Traffic (pps) | Incoming packets per second
Concurrent Connections | Number of concurrent connections
New Connections | Number of new connections per second
Duration | Attack or anomaly duration
Action | Create The Diversion Task; Do Not Create The Diversion Task

----End

3.2 Alarm Notification

This section describes the settings of remote and voice notifications.

3.2.1 Managing Remote Notification

The ATIC Management center provides remote alarm notification by email. This enables the maintenance personnel to learn about the device alarms at any time.

Choose Alarms > Alarm Notification > Remote Notification to manage the remote alarm notification.

Create

Click the corresponding button to create the remote alarm notification rule. For details about this operation, see 3.2.1.1 Creating the Remote Notification Rule.

Modify

Click the name of a remote notification rule. The page showing the details about the remote notification rule is displayed. Click the corresponding button on this page to modify the basic information, notification target, resource information, and alarm information about the notification rule. For details about this operation, see 3.2.1.2 Modifying the Remote Notification Rule.

Enable

Select one or more remote notification rules that are in the Disabled state, and click the corresponding button to enable the selected remote notification rules.

After the remote notification rules are enabled, the alarm information will be sent to the specified email addresses.

Disable

Select one or more remote notification rules that are in the Enabled state, and click the corresponding button to disable the selected remote notification rules.

After the remote notification rules are disabled, the alarm information will not be sent to the specified email addresses.

Search

Enter the full or partial name of a remote notification rule or resource and click the corresponding button. The remote notification rules that meet the search condition will be displayed in the Remote Notifications.

If no remote notification rule meets the search conditions, the Remote Notifications will be empty.

Delete

Select one or more remote notification rules and click the corresponding button to delete the selected remote notification rules.

NOTE Deleting the notification rules cannot be undone. Perform this operation with caution.

3.2.1.1 Creating the Remote Notification Rule

After you create and enable the remote alarm notification, the alarm information will be sent to the maintenance personnel's email address by email. This enables the maintenance personnel to learn about the network status in time.

Context

You can use the configured mail or SMS server to send the alarm information to the specified email address to learn about the device status in time. For details about how to configure the notification server, see 9.4 Notification Server.

Procedure

Step 1 Choose Alarms > Alarm Notification > Remote Notification.

Step 2 Click the corresponding button.

Step 3 Set the parameters of the remote alarm notification rule, as described in Table 3-2.

Table 3-2 Setting the parameters of the remote alarm notification rule

Parameter | Description | Recommended Value
Name | Name of the remote alarm notification. | The name can contain only 1 to 32 letters, Chinese characters, digits, hyphens, or underscores and must start with a letter, Chinese character, or underscore.
Status | Indicates whether the remote alarm notification is enabled. | Select Enable or Disable. When you do not need to use the remote alarm notification, you can set this parameter to Disable. You can click the corresponding button to enable the remote alarm notification again later.
Start time | Time when the remote notification starts to take effect. | Click the corresponding button to select the start time. Click OK or double-click the selected time. The start time of the remote notification cannot be later than the end time.
End time | Time when the validity of remote notification ends. | Click the corresponding button to select the end time. Click OK or double-click the selected time. The end time of the remote notification cannot be earlier than the start time.
Sending language | Set language of the remote alarm notification. | The remote alarm notification can be in Simple Chinese or English.
Sending contents | Set contents of the remote alarm notification. | Optional fields include Severity, Name, Type, Source, Occurred at, Clear Status, Description, and Location message.
Description | Brief description about the remote alarm notification rule, helping the maintenance personnel learn about the rule without viewing the rule details. | Description contains a maximum of 128 characters.

HUAWEI ATIC Management Center Configuration Guide

3 Alarm

Step 4

Click Next. Select the type of resource on which the remote alarm notification will be applied from the resource tree on the left, and select the resource from the resource list on the right.

Only one type can be selected. In the resource list on the right, you can search for the desired resources by name or IP address.

Such resources are alarm sources. For example, if Zone is selected for resources, the remote notification function must be applied to alarms generated by the anti-DDoS component of the ATIC Management center. If AntiDDoS is selected for resources, the remote notification function must be applied to alarms generated by the AntiDDoS. If Management System is selected for resources, the remote notification function must be applied to alarms generated by the ATIC Management center system itself.

Step 5

Click Next. Select the alarm to send for the remote notification.

 

You can search for the desired alarms by setting the alarm severity level (critical, major, minor, or info). Then, select the specific alarms to send. For example, you can set Critical for the alarm severity level to search for all the critical alarms of the device, and select the specific alarm to send.

Step 6

Click Next. Select the sending mode, and add the mobile phone number or email address for receiving remote notification messages.

You can click to add a mobile phone number or email address, or to delete an existing one. You can set relevant information about the mobile phone number or email address to be added.

Either the mobile phone number or the email address must be specified.

 

A maximum of 10 mobile phone numbers or email addresses can be added at a time. The mobile phone number or email address must be unique.

Step 7

Click Finish.

----End

Result

If the notification server parameters are pre-specified, the recipient email box will receive the alarm once the specified alarm occurs after the remote notification is created successfully.

If the remote notification rule is expired, then the state of the rule in the list is Expired.

3.2.1.2 Modifying the Remote Notification Rule

Modifying the remote alarm notification enables you to reset the basic information, notification target, alarm device, and alarm information about the remote notification.

Context

You cannot modify the remote notification rule in Expired state.

Procedure

Step 1

Choose Alarms > Alarm Notification > Remote Notification.

Step 2

Click the name of a remote notification.


Step 3

Modify the basic information about the remote notification.

1. Click in the Basic Information area.

2. Modify the information except the name.

 

For details about how to set the remote notification parameters, see 4.2.1.1 Creating the Remote Notification Rule.

3. Click OK.

 

Step 4

(Optional) Modify the notification target.

 

1. Click in the Notification Target area.

2. Select the sending mode, and add the email address for receiving the alarm information.

3. Click OK.

 

Step 5

(Optional) Select the alarm devices.

 

You can do as follows to re-select the alarm devices.

Click in the Resources area to select the alarm devices.

Select the devices that do not need the remote alarm notification and click to delete the selected devices from the resource list.

You can also enter the full or partial name of a device and click to search for the devices that you want to delete.

Step 6

(Optional) Select the alarms to send.

 

You can do as follows to re-select the alarms to send.

Click in the Notify Alarms area to select the alarms to send.

Select the alarms that do not need to be sent and click to delete the selected alarms from the alarm list.

You can also select the security from the drop-down box and click to search for the alarms that you want to delete.

----End

3.2.2 Configuring the Sound Notification

You can set different sounds for alarms at different levels. When the ATIC Management center receives an alarm, the sound box of the client host plays the audio notification for the highest-level Uncleared and Unconfirmed alarms.

Context

The alarm severity level can be critical, major, minor, or warning. The sound type can be Normal or Cyclic for different alarm severity levels.

If the sound type is set to Normal, the system plays the audio notification every thirty seconds for the highest-level Uncleared and Unconfirmed alarms. If the sound type is set to Cyclic, the system plays cyclic audio notifications for the Uncleared and Unconfirmed alarms. It is recommended to set Cyclic for critical and major alarms in case the maintenance personnel are temporarily off site and cannot hear the alarm sound.

You can click Restore Defaults to set the alarm sound to the default value. The sound notification is enabled for the Critical alarms by default.

There will be no sound notification for the alarms occurring on the masked resources or the confirmed alarms.

You are advised not to disable the sound notification for all alarm levels, because doing so can delay the handling of alarms.

Procedure

Step 1

Choose Alarms > Alarm Notification > Audible Notification.

Step 2

Click .

Step 3

Select an alarm severity level on the Modify Alarm Sound page to enable the sound notification for this alarm severity level.

Step 4

Select a sound warning type from the Type drop-down list box.

You can click to test the sound of the selected sound file. When the sound type is set to Cyclic, the audio stops after the system plays cyclic audio for 7 seconds.

Step 5

Click OK.


You can click Restore Defaults to set the alarm sound to the default value.

----End

Follow-up Procedure

You can click in the upper right corner of the ATIC Management center interface to enable or disable the mute function.


4 Initial Configuration of the Management Center

About This Chapter

Initial configurations are basic configurations of anti-DDoS services in the ATIC management center, covering adding anti-DDoS devices, adding collectors, binding anti-DDoS devices and collectors, and creating defense groups for identifying anti-DDoS devices.

5.1 Logging In to the ATIC Management center

The section describes how to log in to the ATIC Management center.

5.2 Customizing a Homepage

By customizing a homepage, you can place real-time interface traffic comparison, Zone traffic comparison, and alarm monitoring on the homepage.

5.3 Adding Devices

A device must be added before you can perform other operations.

5.4 Configuring a Collector

The management center is comprised of ATIC server and collectors. The collectors collect, parse, summarize, and store traffic and logs from anti-DDoS devices. Therefore, collectors need to be added to the ATIC during the configuration of anti-DDoS services. You can view the performance data of the added anti-DDoS collectors, modify the collectors, or delete them.

5.5 Configuring the Defense Group

A defense group identifies the collection and networking of anti-DDoS devices. If an AntiDDoS is deployed in off-line mode, traffic diversion can be implemented only after the detecting device and cleaning device are added to the same defense group.

4.1 Logging In to the ATIC Management center

The section describes how to log in to the ATIC Management center.


Prerequisites

 

The installation of the ATIC Management center server software is complete. For details, see Installation Guide.

Context

 

Upon the first login, use the default super administrator account admin and password Admin@123.

Procedure

Step 1

Open the Web browser.

The ATIC Management center supports Internet Explorer 8.0, Firefox 3.6, and the Firefox browser of later versions.

Step 2

Enter https://server IP address:port in the address bar and press Enter. The port can be omitted if port 443 is used.

Step 3

Select a language on the login page and enter the correct user name, password, and verification code.

The default user name is admin and its password is Admin@123.

Step 4

Click Log In.

Step 5

The system displays the message "Initial login.Please change your password." on the Web page. Enter a new password and confirm it. Then click OK.

Step 6

Click OK in the Succeeded dialog box.

----End

4.2 Customizing a Homepage

By customizing a homepage, you can place real-time interface traffic comparison, Zone traffic comparison, and alarm monitoring on the homepage.

Context

The administrator can query only customized content.

Procedure

Step 1

On the ATIC Management center homepage, click .

Step 2

Click .

Step 3

On the Create Homepage Customization Profile page, select the content to be customized, set given conditions, and click OK.

The customized content is displayed on the homepage.


A maximum of 12 items can be displayed on the homepage. Interface traffic and Zone traffic are refreshed every 10 seconds, and every 70 seconds respectively. The homepage displays only several latest alarms.

Step 4

Drag the customized content to a proper position and click to save the current layout.

----End

4.3 Adding Devices

A device must be added before you can perform other operations.

4.3.1 Creating an AntiDDoS

After the communication between the ATIC Management center and the AntiDDoS is established through SNMP, you can add the AntiDDoS.

Prerequisites

 

The IP address segments of the AntiDDoS devices are known.

The communication has been set up between the ATIC Management center server and the AntiDDoS devices.

Procedure

Step 1

Choose Defense > Network Settings > Devices.

Step 2

Click .


Step 3

In the Basic Information group box, set the name and IP address of an AntiDDoS device and set Device Type to AntiDDoS.

Step 4

Set Telnet parameters.

When you select Telnet, the ATIC Management center uses port 23 for accessing AntiDDoS devices through Telnet by default. In this case, enter the name and password of a Telnet user for authentication.

When you select STelnet, the ATIC Management center uses port 22 for accessing AntiDDoS devices through STelnet by default. In this case, enter the name and password of an STelnet user for authentication.

Step 5

Set SNMP parameters.

When you select SNMPv1 and SNMPv2c, set read and write community names.

Read community indicates the name of a read-only community and the default value is public. Write community indicates the name of a write-only community and the default value is private.


When you select SNMPv3, see parameter settings as shown in Table 5-1.


The Username, Environment name, Environment engine ID, Data encryption protocol, Data encryption password, Authentication protocol, and Authentication password parameters are available only when the type is SNMPv3.

Table 4-1 SNMPv3 template parameters

Parameter: Username
Description: User name used for accessing the AntiDDoS device.
Recommended Value: -

Parameter: Environment name
Description: Name of the environment engine.
Recommended Value: This parameter value is the same as the environment name on the AntiDDoS device or blank.

Parameter: Environment engine ID
Description: Unique identifier of an SNMP engine. This ID is used together with the environment name to determine an environment that uniquely identifies an SNMP entity. The SNMP message packet is processed only when the environments of the sender terminal and the recipient terminal are the same; otherwise, the SNMP message packet will be discarded.
Recommended Value: Same as the environment engine ID on the AntiDDoS device.

Parameter: Authentication protocol
Description: Protocol used for verifying messages. The parameter value can be the HMACMD5 or HMACSHA protocol or no protocol. If the HMACMD5 or HMACSHA protocol is selected, you need to set the authentication password.
Recommended Value: You can select the authentication protocol as required.
HMACMD5 converts the character string in any order based on the hash algorithm and produces a 128-bit message digest, in integer format.
HMACSHA possesses higher security than HMACMD5. HMACSHA produces a 160-bit message digest for the binary messages not longer than 2^64 bits.

Parameter: Authentication password
Description: If the authentication protocol is used when verifying messages, you need to set the authentication password.
Recommended Value: -

Parameter: Data encryption protocol
Description: Encryption protocol used when encapsulating data. The parameter value can be the DES or AES encryption protocol or no encryption. If the DES or AES encryption protocol is selected, you need to set the encryption password.
Recommended Value: You can select the encryption protocol as required.
DES: It indicates the Data Encryption Standard (DES), which is an international encryption algorithm with the key length of 56 characters.
AES: It indicates the Advanced Encryption Standard (AES). There are three types of key lengths of 128 characters

Parameter: Data encryption password
Description: If the encryption algorithm is used when encapsulating data, you need to set the data encryption password.
Recommended Value: -

Step 6

Click OK to add an AntiDDoS device.

After being successfully added, the AntiDDoS device is displayed on the Devices page and a default Zone associated with the AntiDDoS device is automatically generated on the Zone List page. The default Zone is saved using the Basic-10M policy template.

----End

Result

Each AntiDDoS device is automatically synchronized once it is added. If synchronization fails, rectify the fault as prompted and synchronize AntiDDoS devices manually with the ATIC Management center.

Follow-up Procedure

If only one collector is available, the new AntiDDoS devices are automatically associated with the collector. If multiple collectors are available, associate AntiDDoS devices with the given collector.
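The Telnet and SNMP selections in Steps 4 and 5 decide how device credentials and management data cross the network. The following added example (not part of the Huawei guide or product) audits a planned device list against those selections before the devices are entered on the Devices page; the record field names, check identifiers, and sample inventory are constructed for illustration.

```python
from dataclasses import dataclass

# Default SNMPv1/v2c community names stated in Step 5 of the guide.
DEFAULT_READ, DEFAULT_WRITE = "public", "private"
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    device: str
    severity: str  # "high", "medium" or "low"
    check: str     # short identifier of the rule that fired
    detail: str


def audit_device(dev):
    """Return the findings for one device record (hypothetical field names)."""
    findings = []

    def add(severity, check, detail):
        findings.append(Finding(dev["name"], severity, check, detail))

    # Step 4: Telnet (port 23) sends the user name and password unencrypted.
    if dev.get("login_protocol", "").lower() == "telnet":
        add("high", "telnet", "select STelnet (port 22) instead of Telnet (port 23)")

    snmp = dev.get("snmp", {})
    version = snmp.get("version", "").lower()
    if version in ("v1", "v2c"):
        # Community names travel in cleartext and are the only credential.
        add("medium", "snmp-community", "SNMPv1/v2c has no encryption; select SNMPv3")
        if snmp.get("read_community") == DEFAULT_READ:
            add("high", "default-read-community", "read community is the default 'public'")
        if snmp.get("write_community") == DEFAULT_WRITE:
            add("high", "default-write-community", "write community is the default 'private'")
    elif version == "v3":
        auth = (snmp.get("auth_protocol") or "none").upper()
        priv = (snmp.get("priv_protocol") or "none").upper()
        if auth == "NONE":
            add("high", "v3-no-auth", "messages are not authenticated")
            if priv != "NONE":
                # The SNMPv3 user-based security model has no noAuthPriv level.
                add("high", "v3-priv-without-auth", "encryption requires an authentication protocol")
        elif auth == "HMACMD5":
            add("low", "v3-md5", "HMACSHA is the stronger of the two options")
        if priv == "NONE":
            add("medium", "v3-no-priv", "SNMP data is not encrypted")
        elif priv == "DES":
            add("medium", "v3-des", "select AES instead of DES")
    else:
        add("medium", "snmp-unknown", "SNMP version missing or not recognized")
    return findings


def audit_inventory(inventory):
    """Audit every record; return findings sorted by severity, then device name."""
    findings = [f for dev in inventory for f in audit_device(dev)]
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.device))


# Constructed sample inventory (documentation-range addresses, placeholder secrets).
SAMPLE_INVENTORY = [
    {"name": "antiddos-edge-1", "ip": "192.0.2.10", "login_protocol": "Telnet",
     "snmp": {"version": "v2c", "read_community": "public",
              "write_community": "private"}},
    {"name": "antiddos-edge-2", "ip": "192.0.2.11", "login_protocol": "STelnet",
     "snmp": {"version": "v3", "username": "atic-poll",
              "auth_protocol": "HMACMD5", "auth_password": "<constructed>",
              "priv_protocol": "DES", "priv_password": "<constructed>"}},
    {"name": "antiddos-core-1", "ip": "192.0.2.12", "login_protocol": "STelnet",
     "snmp": {"version": "v3", "username": "atic-poll",
              "auth_protocol": "HMACSHA", "auth_password": "<constructed>",
              "priv_protocol": "AES", "priv_password": "<constructed>"}},
    {"name": "antiddos-lab-1", "ip": "192.0.2.13", "login_protocol": "STelnet",
     "snmp": {"version": "v3", "username": "atic-poll",
              "auth_protocol": "none", "priv_protocol": "AES"}},
]

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY):
        print(f"{f.severity.upper():6} {f.device:16} {f.check:24} {f.detail}")
```

A device record that produces no findings uses STelnet together with SNMPv3, HMACSHA authentication, and AES encryption.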

4.3.2 Creating an SAS

When the SIG1000E/9280E serves as a detecting device, add the Service Analysis Server (SAS) to the ATIC Management center. To enable the ATIC Management center to synchronize Zones on the SIG1000E/9280E, configure the SIG1000E/9280E database of the SAS on the ATIC Management center. Ensure that the configured database is the same as the SIG1000E/9280E database on the SAS.


Prerequisites

 

Before you create an SAS, ensure that the following are available:

IP addresses of devices

SIG1000E/9280E database on the SAS

IP connectivity between the ATIC management center and the device

Context

 

The Service Analysis Server (SAS) is the service processing center of the SIG1000E/9280E system. It is responsible for receiving and analyzing service information reported by the SRS, and saving the information to the database. The ATIC Management center needs to synchronize the Zone on the SIG1000E/9280E device using the SAS database.

Procedure

Step 1

Choose Defense > Network Settings > Devices.

Step 2

Click .

Step 3

In the Basic Information group box, set the name and IP address of a device and select SIG SAS for Device Type.


Step 4

Configure the parameters. For details, see Table 5-2.

Table 4-2 Configuring the database information of the SAS

Parameter: Database IP Address, Database username, Database password
Description: Indicates the database information of the SAS.
Value: The configured database must be the same as the SIG1000E/9280E database on the SAS.

Parameter: Areas to Be Synchronized
Description: The Zones on the SIG1000E/9280E device in the selected areas are to be synchronized to the ATIC Management center.
Value: You can select all areas or specify some of the areas.
All: Indicates all the configured areas on the SIG1000E/9280E device. If the number of areas configured on the SIG1000E/9280E device increases, the number of synchronized areas increases accordingly.
Specified areas: Indicates that only the Zone in specified areas on the SIG1000E/9280E device are to be synchronized.

Step 5

Click OK.

----End

4.3.3 Creating a Syslog-linkage Device

When the Syslog-linkage Device serves as a detecting device, add the Syslog-linkage Device to the ATIC Management center.

Prerequisites

 

Before you create a Syslog-linkage Device, ensure that the following are available:

IP addresses of devices

IP connectivity between the ATIC management center and the device

Context

 

The Syslog-linkage Device analyzes traffic and sends logs to the ATIC Management center. After analyzing anomaly logs reported by the Syslog-linkage Device, the ATIC Management center generates a traffic diversion task and delivers it to the cleaning device in the same defense group.

Procedure

Step 1

Choose Defense > Network Settings > Devices.

Step 2

Click .

Step 3

In the Basic Information group box, set the name and IP address of a device and select Syslog-linkage Device for Device Type.


Step 4

Click OK.

----End

4.4 Configuring a Collector

The management center is comprised of ATIC server and collectors. The collectors collect, parse, summarize, and store traffic and logs from anti-DDoS devices. Therefore, collectors need to be added to the ATIC during the configuration of anti-DDoS services. You can view the performance data of the added anti-DDoS collectors, modify the collectors, or delete them.

Choose Defense > Network Settings > Collectors, and manage collectors.

Create
Click to add a collector in the ATIC Management center. For details, see 5.4.1 Adding a Collector.

Associate Device
Click of a collector and bind the collector to one or more anti-DDoS devices. For details, see 5.4.2 Associating the Collector with the devices.

Modify
Click of the collector to be modified to change the collector parameters.
NOTE The collector in Down state cannot be modified.

Delete
Delete one collector:
Click in the Operation column to delete the corresponding collector.
Delete collectors in batches:
Select the check boxes of multiple collector names and click above the list to delete the selected collectors.
Select the check box on the title bar and click above the list to delete all collectors.
NOTE Collectors being associated with the device cannot be deleted.

View
1. Click the name of the collector to be viewed for collector configurations.
2. Click Close to close the dialog box.

State
Indicates the connection state between the ATIC server and the collector.
indicates that the collector is online. That is, the ATIC server and collector are connected and the collector service has been started.
indicates that the collector is offline. The possible causes are: the IP address of the collector is changed, the ATIC server fails to connect to the collector, and the collector service is not started.

Device Quantity
Indicates the number of devices bound to the collector.

CPU, Memory, Disk Information
Indicates performance data including information about CPUs, memory, and disks of collectors.

4.4.1 Adding a Collector

After the centralized installation is complete, the ATIC Management center automatically creates a collector. You must manually create collectors during the distributed installation.

Procedure

Step 1

Choose Defense > Network Settings > Collectors.

Step 2

On the Collectors page, click .


Step 3

On the Create Collector page, select Anti-DDoS from the Collector Type drop-down list.


Step 4

Set other parameters of the collector. For details, see Table 5-3.

Table 4-3 Collector parameters

Parameter: Name
Description: Indicates the collector name.
Value: The name contains a maximum of 32 characters including letters, digits, underscores (_), and hyphens (-). It must start with a letter or an underscore (_).

Parameter: IP Address
Description: Indicates the IP address of the collector.
Value: The IP address is routable to the IP addresses of the FTP server and log server. This parameter cannot be changed during collector modification.

Parameter: Encryption Key
Description: Indicates the key content.
Value: Before configuring a packet capture task, configure an encryption key for packet capture logs. When the collector is associated with an anti-DDoS device, deliver the key to the anti-DDoS device.

Step 5

Optional: On the Create Collector page, click Test.

 

If the system displays Succeeded in connecting the collector., perform Step 6.

If the system displays Failed to connect the collector Possible causes: The IP address of the collector is incorrect, or the collector is not started, or the connectivity error occurs., the ATIC Management center and collector cannot be normally connected. Perform the check according to the displayed cause.

Step 6

On the Create Collector page, click OK.

 

After the collector is successfully added, the system displays the Collectors page.


----End

Follow-up Procedure

You can view, modify, or delete a collector by referring to 5.4 Configuring a Collector.

4.4.2 Associating the Collector with the devices

After being associated with the anti-DDoS collector, devices can send logs and captured packets to it for future analysis. When only one anti-DDoS collector is available, the collector is automatically associated with devices. When multiple anti-DDoS collectors exist, associate them with devices manually. You are advised to associate each collector with one device.

Prerequisites

 

The device and anti-DDoS collector are routable to each other.

Devices have been added. For details on how to add devices, see 5.3 Adding Devices.

The anti-DDoS collector has been added. For details on how to add the anti-DDoS collector, see 5.4.1 Adding a Collector.

Procedure

Step 1

Choose Defense > Network Settings > Collectors.

Step 2

On the Collectors page, click of the anti-DDoS collector.

The connection status of the collector is Online.

Step 3

On the Associated Devices interface, click .

Step 4

On the Select Device page, select the check box of the device to be associated.

Step 5

Click OK.

The device associated with the collector is displayed in Associated devices.

----End

4.5 Configuring the Defense Group

A defense group identifies the collection and networking of anti-DDoS devices. If an AntiDDoS is deployed in off-line mode, traffic diversion can be implemented only after the detecting device and cleaning device are added to the same defense group.

Defense Group Overview

The detecting device and cleaning device can be added to a defense group. In a defense group, the detecting device reports anomaly traffic to the ATIC Management center, and the ATIC Management center delivers a traffic diversion task to the cleaning device. Then the cleaning device performs traffic diversion and cleaning.

Cleaning Device Linkage: When multiple cleaning devices are added into a defense group and any cleaning device in the group detects attack traffic, the cleaning device interworks with others to divert and clean attack traffic.

When two or more detecting devices exist on the network, add them into a defense group and select a working mode, load redundancy or load sharing.


If a detecting device not in any defense group detects abnormal traffic, the device will divert the traffic to cleaning devices that do not belong to any defense group.

Management Operation

Choose Defense > Network Settings > Defense Group, and manage defense groups.

Create
Click to create a defense group. For details, see Creating a Defense Group.

Modify
Click of the defense group to be modified to modify the defense group.

Delete
Delete one defense group:
Click in the Operation column to delete the corresponding defense group.
Delete defense groups in batches:
Select the check boxes of multiple defense groups and click above the list to delete the selected defense groups.
Select the check box on the title bar and click above the list to delete all defense groups.

View
1. Click the name of the defense group to be viewed for its basic information and device information.
2. Click Close to close the dialog box.

Creating a Defense Group

Devices that serve as cleaning devices or detecting devices have been discovered and synchronized.

Step 1

Choose Defense > Network Settings > Defense Group.

Step 2

On the Defense Group List page, click .

Step 3

Set the basic parameters of the defense group. For details, see Table 5-4.

Table 4-4 Defense group parameters

Parameter: Name
Description: Indicates the name of the defense group.
Value: The collector name contains a maximum of 64 characters. It cannot contain any spaces or characters such as "'", "|", "\", ",", "<", ">", "&", ";", """, and "%". The value cannot be null.

Parameter: Cleaning Device Linkage
Description: When the cleaning device linkage is enabled and any cleaning device in the defense group detects attack traffic, the cleaning device interworks with other devices to clean attack traffic.
Value: -

Parameter: Detecting Mode
Description: Indicates the detecting mode when two or more detecting devices work together.
Value: If two or more detecting devices are adopted for collaboration, you need to select the value of this parameter. In other cases, skip this item.
The following detecting modes are available:
Load Sharing: In load sharing mode, all detecting devices detect traffic collectively. This mode applies to heavy traffic scenarios and poses high requirements on device performance. Reports cover the total traffic of all detecting devices.
Load Redundancy: In load redundancy mode, detecting devices detect the same traffic (by mirroring or optical splitting), improving detection reliability. Reports cover the traffic of only one of the detecting devices.

Parameter: Description
Description: Indicates remarks information for identifying a defense group.
Value: The value contains a maximum of 255 characters.

Step 4

Select devices to be added to the defense group.

1. In the Select Device group box, click .

2. On the Select Device page that is displayed, select the check box of a device and click OK.

After being successfully added, the device is displayed in the device list on the Create Defense Group page.

Each device can be added to only one defense group.

In the device list, you can select a device and click to delete the device; you can select the check box on the title bar and click to delete all devices.

Step 5

On the Create Defense Group page, click OK.

----End


5 Configuring Defense Policies

About This Chapter

6.1 Configuring the Zone

Before you configure an anti-DDoS policy, add Zones to be protected by anti-DDoS devices. The ATIC Management center provides refined and differentiated filtering and protection for different Zones.

6.2 Configuring the Zone-based Defense Policy

After you create a Zone, configure a defense policy specifically for the Zone so that attack traffic can be blocked. When the Zone identifies abnormal traffic or is under attack, you can refer to the defense status information on the Versatile Security Manager (VSM) graphical user interface (GUI) to handle anomalies or attacks.

5.1 Configuring the Zone

Before you configure an anti-DDoS policy, add Zones to be protected by anti-DDoS devices. The ATIC Management center provides refined and differentiated filtering and protection for different Zones.

Choose Defense > Policy Settings > Zone, and manage Zones.

Create

Click [icon] to add a Zone. For details, see 6.1.1 Adding a Zone.

Modify

Click [icon] of the Zone to be modified, and modify the Zone. For the parameter description, see 6.1.1 Adding a Zone.

Delete

NOTICE

Once the Zone is deleted, all the services, policies, packet-capturing tasks, diversion tasks, baseline-learning tasks, and service-learning tasks under the Zone will be deleted, and the Zone will be undeployed from all associated devices. Perform this operation with caution.

Select the check boxes of multiple Zone accounts and click [icon] above the list to delete the selected Zones.

Select the check box on the title bar and click [icon] above the list to delete all Zones.

Export

1. Select one or more Zones and click [icon].

2. On the File Download page, click Open to view the Zone list or click Save to save the list locally.

Export All

1. Click [icon].

2. On the File Download page, click Open to view the Zone list or click Save to save the list locally.

Import

Click [icon] to import Zones in a batch. For details, see 6.1.2 Importing Zones in a Batch.

NOTE SIG Zones are VICs synchronized from the SIG1000E/9280E and cannot be imported.

View

1. Click the account or name of the Zone to be viewed for its basic information and IP address.

2. Click Close to close the dialog box.

Search

Basic search

On the upper right of the page, enter the account/name of the Zone to be searched for and click [icon]. The Zones that meet the search conditions are displayed on the page.

Advanced search

1. Click Advanced Search.

2. In the advanced search area that is displayed, set search conditions such as Account/Name, Type, or IP Address, and then click Search.

5.1.1 Adding a Zone

IP addresses protected by anti-DDoS devices are identified and grouped by adding a Zone. Then Zone-specific policies can be configured to achieve differentiated and hierarchical defense.

Prerequisites

To add a Zone and associate it with devices, ensure that devices associated with the Zone have been discovered by the ATIC Management center.

Context

The Zones are classified into user-defined Zones, default Zones, and SIG1000E/9280E Zones.

User-Defined Zones

To protect specific IP addresses/address segments, the administrator can manually create user-defined Zones and add the IP addresses/address segments to the user-defined Zones. The anti-DDoS device uses defense policies to provide refined defense for traffic of these IP addresses/address segments.

The type of such Zones is User-Defined.

Default Zones


One default Zone is automatically added when you add an anti-DDoS device. Each anti-DDoS device can be associated with only one default Zone, which does not have any given IP address. Refined defense can be implemented by the anti-DDoS device on the destination IP addresses except those in User-Defined Zones.

The type of such Zones is Default.

Zones Synchronized from the SIG1000E/9280E

After the SIG1000E/9280E is added, the system automatically synchronizes Zones from the SIG1000E/9280E system to protect them. The administrator cannot change the basic information and IP addresses of Zones of this type, but can select cleaning devices for Zones of this type, and apply the policies configured for the Zones to the traffic destined for corresponding IP addresses/address segments for refined defense.

The type of such Zones is SIG1000E/9280E Zone.

If a network is large or covers multiple areas and each administrator needs to manage one part of the network, you can create multiple Zones and grant each administrator permission to manage the corresponding Zone.
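The following added example (not part of the Huawei guide) shows how the Zone types described above divide destination addresses: an address inside a user-defined Zone gets that Zone's policy, and any other address is left to the default Zone. The Zone accounts, address ranges, asset list and function names are constructed for illustration, and the matching is a planning aid, not the device's own lookup.

```python
import ipaddress

# Constructed Zone plan (documentation address ranges), not from the guide.
USER_DEFINED_ZONES = {
    "web_frontend": ["192.0.2.0/28", "2001:db8:10::/64"],
    "dns_service": ["198.51.100.53/32"],
}
# Constructed inventory of addresses that are expected to be protected.
ASSETS = ["192.0.2.5", "192.0.2.200", "198.51.100.53",
          "2001:db8:10::1", "2001:db8:99::1"]
DEFAULT_ZONE = "DEFAULT"  # hypothetical label for the device's default Zone


def parse_zones(zones):
    """Parse each Zone's address segments; a malformed segment raises ValueError."""
    return {account: [ipaddress.ip_network(seg) for seg in segments]
            for account, segments in zones.items()}


def zones_for(dest_ip, parsed):
    """Return the user-defined Zones containing dest_ip, else the default Zone."""
    addr = ipaddress.ip_address(dest_ip)
    hits = [account for account, nets in parsed.items()
            if any(addr.version == net.version and addr in net for net in nets)]
    return hits or [DEFAULT_ZONE]


def coverage_report(assets, zones):
    """Map every asset to its Zone(s) and list assets left to the default Zone."""
    parsed = parse_zones(zones)
    report = {ip: zones_for(ip, parsed) for ip in assets}
    default_only = sorted(ip for ip, hit in report.items() if hit == [DEFAULT_ZONE])
    return report, default_only


if __name__ == "__main__":
    report, default_only = coverage_report(ASSETS, USER_DEFINED_ZONES)
    for ip, hit in report.items():
        print(f"{ip:>16} -> {', '.join(hit)}")
    print("Only default-Zone policy applies to:", default_only)
```

Addresses reported as default-only receive no Zone-specific policy until they are added to a user-defined Zone.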

Procedure

Step 1 Choose Defense > Policy Settings > Zone.

Step 2 On the Zone List page, click [icon].

Step 3 Set the basic parameters of the Zone. For details, see Table 6-1.

Table 5-1 Zone Basic Information

Parameter: Account
Description: Indicates the Zone account.
Value: The Zone account consists of letters, digits, and underscores (_) and must start with a letter. It can neither be an illegitimate value such as null or default nor start with sig. It is case insensitive. Its length cannot exceed 32 characters. This parameter cannot be changed during Zone modification.

Parameter: Type
Description: Indicates the Zone type.
Value: The value can be User-Defined or Default. This parameter cannot be changed during Zone modification.

Parameter: Name
Description: Indicates the Zone name, as a supplement of Zone account for query convenience.
Value: The Zone name contains a maximum of 64 characters. It cannot contain spaces or any of the following characters: | \ , < > / : " % * ? & = The value cannot be null.

Parameter: Contact, Phone, Mobile Phone, Post Code, Email, Address
Description: Indicates the basic information of the contact person.
Value: -

Parameter: Description
Description: Indicates the detailed description on the Zone.
Value: Its length cannot exceed 255 characters.

Step 4 Set the IP address of the user-defined Zone.

This operation can be performed only when a user-defined Zone is added.

1. On the Create Zone page, click the IP Address tab.

2. Click [icon].

3. Create IP addresses. For details on the parameters, see Table 6-2.

Both IPv4 and IPv6 addresses are applicable.

Table 5-2 Creating IP addresses

Parameter

Description

Value

IP

Indicates the IP

regular: The IP address belongs to this Zone.