Defence Pro User Guide PDF
DefensePro
User Guide
Important Notices
The following important notices are presented in English, French, and German.
Important Notices
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2016. All rights reserved.
The copyright and all other intellectual property rights and trade secrets included in this guide are
owned by Radware Ltd.
The guide is provided to Radware customers for the sole purpose of obtaining information with
respect to the installation and use of the Radware products described in this document, and may not
be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be kept in strict
confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without
the prior written consent of Radware.
Important Notice (French version)
This guide is subject to the following conditions and restrictions:
Copyright Radware Ltd. 2016. All rights reserved.
The copyright and all other intellectual property and trade-secret rights contained in this guide are
the property of Radware Ltd.
This information guide is provided to our customers in connection with the installation and use of the
Radware products described in this document and may not be used for any purpose other than the
one for which it was designed.
The information listed in this document remains the property of Radware and must be kept
confidential.
It is strictly forbidden to copy, reproduce or disclose information contained in this manual without
obtaining the prior written consent of Radware.
Important Note (German version)
This manual is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2016. All rights reserved.
The copyright and all other proprietary rights and trade secrets contained in this manual are the
property of Radware Ltd.
This manual is provided to Radware customers for the sole purpose of providing information on the
installation and use of the Radware products described in this document. It may not be used for any
other purpose.
The information contained in this manual is the property of Radware and must be treated as strictly
confidential.
It is strictly forbidden to copy, duplicate, reproduce or disclose this manual or parts of it without the
prior written consent of Radware.
Copyright Notices
The following copyright notices are presented in English, French, and German.
Copyright Notices
The programs included in this product are subject to a restricted use license and can only be used in
conjunction with this application.
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of the OpenSSL License and
the original SSLeay license apply to the toolkit. See below for the actual license texts. Actually both
licenses are BSD-style Open Source licenses. In case of any license issues related to OpenSSL,
please contact [email protected].
OpenSSL License
Copyright (c) 1998-2011 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgement:
This product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit. (http://www.openssl.org/)
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote
products derived from this software without prior written permission. For written permission,
please contact [email protected].
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in
their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment:
“This product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (http://www.openssl.org/)”
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS” AND ANY EXPRESSED OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young ([email protected]). This
product includes software written by Tim Hudson ([email protected]).
Original SSLeay License
Copyright (C) 1995-1998 Eric Young ([email protected])
All rights reserved.
This package is an SSL implementation written by Eric Young ([email protected]).
The implementation was written so as to conform with Netscapes SSL.
This library is free for commercial and non-commercial use as long as the following conditions are
aheared to. The following conditions apply to all code found in this distribution, be it the RC4, RSA,
lhash, DES, etc., code; not just the SSL code. The SSL documentation included with this distribution
is covered by the same copyright terms except that the holder is Tim Hudson ([email protected]).
Copyright remains Eric Young's, and as such any Copyright notices in the code are not to be
removed.
If this package is used in a product, Eric Young should be given attribution as the author of the parts
of the library used.
This can be in the form of a textual message at program startup or in documentation (online or
textual) provided with the package.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the copyright notice, this list of conditions and the
following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. All advertising materials mentioning features or use of this software must display the following
acknowledgement:
"This product includes cryptographic software written by Eric Young ([email protected])"
The word 'cryptographic' can be left out if the rouines from the library being used are not
cryptographic related :-).
4. If you include any Windows specific code (or a derivative thereof) from the apps directory
(application code) you must include an acknowledgment:
"This product includes software written by Tim Hudson ([email protected])"
THIS SOFTWARE IS PROVIDED BY ERIC YOUNG “AS IS” AND ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT
SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR
BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
The licence and distribution terms for any publically available version or derivative of this code
cannot be changed. i.e. this code cannot simply be copied and put under another distribution licence
[including the GNU Public Licence.]
This product contains the Rijndael cipher
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public
domain and distributed with the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <[email protected]>
@author Antoon Bosselaers <[email protected]>
@author Paulo Barreto <[email protected]>
The OnDemand Switch may use software components licensed under the GNU General Public
License Agreement Version 2 (GPL v.2) including LinuxBios and Filo open source projects. The
source code of the LinuxBios and Filo is available from Radware upon request. A copy of the license
can be viewed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
This code is hereby placed in the public domain.
Copyright Notices (French version)
The OnDemand Switch may use software components licensed under the terms of the GNU General
Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo open source projects.
The source code of LinuxBios and Filo is available from Radware upon request. A copy of the license
is listed at: http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
This code is also placed in the public domain.
This product contains code developed as part of the OpenSSL project.
Copyright ©1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary form, with or without modifications, is permitted
provided that the following conditions are met:
1. Redistribution of source code must include the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistribution in binary form must reproduce, in the documentation and/or any other material
provided, the above copyright notice, this list of conditions and the following disclaimer.
3. Neither the name of the university nor the names of the contributors may be used to endorse or
promote a product derived from this program without prior written permission.
This product includes software developed by Markus Friedl.
This product includes software developed by Theo de Raadt.
This product includes software developed by Niels Provos.
This product includes software developed by Dug Song.
This product includes software developed by Aaron Campbell.
This product includes software developed by Damien Miller.
This product includes software developed by Kevin Steves.
This product includes software developed by Daniel Kouril.
This product includes software developed by Wesley Griffin.
This product includes software developed by Per Allansson.
This product includes software developed by Nils Nordman.
This product includes software developed by Simon Wilkinson.
Redistribution and use in source and binary form, with or without modifications, is permitted
provided that the following conditions are met:
1. Redistribution of source code must include the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistribution in binary form must reproduce, in the documentation and/or any other material
provided, the above copyright notice, this list of conditions and the following disclaimer.
THE ABOVE-MENTIONED SOFTWARE IS PROVIDED “AS IS” BY THE DEVELOPER AND ANY
WARRANTY, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, IS EXCLUDED. IN NO EVENT SHALL
THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR
CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, THE PROCUREMENT OF SUBSTITUTE
GOODS OR SERVICES, LOSS OF USE, DATA OR PROFITS, OR BUSINESS INTERRUPTION), WHATEVER
THE CAUSE AND THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE), ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
Copyright Notices (German version)
The programs contained in this product are subject to a restricted use license and may only be used
in conjunction with this application.
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is publicly
available and is distributed under the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <[email protected]>
@author Antoon Bosselaers <[email protected]>
@author Paulo Barreto <[email protected]>
The OnDemand Switch may use software licensed under the GNU General Public License Agreement
Version 2 (GPL v.2), including the LinuxBios and Filo open source projects. The source code of
LinuxBios and Filo is available from Radware upon request. A copy of this license can be viewed at
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html.
This code is hereby made publicly available.
This product contains code developed by the OpenBSD project
Copyright ©1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary form, with or without modification, are permitted under
the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials distributed with it.
3. Neither the name of the university nor the names of the contributors may be used to endorse or
promote products derived from this software without express prior written permission.
This product contains software developed by Markus Friedl.
This product contains software developed by Theo de Raadt.
This product contains software developed by Niels Provos.
This product contains software developed by Dug Song.
This product contains software developed by Aaron Campbell.
This product contains software developed by Damien Miller.
This product contains software developed by Kevin Steves.
This product contains software developed by Daniel Kouril.
This product contains software developed by Wesley Griffin.
This product contains software developed by Per Allansson.
This product contains software developed by Nils Nordman.
This product contains software developed by Simon Wilkinson.
Redistribution and use in source and binary form, with or without modification, are permitted under
the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials distributed with it.
Standard Warranty
The following standard warranty is presented in English, French, and German.
Standard Warranty
Radware offers a limited warranty for all its products (“Products”). Radware hardware products are
warranted against defects in material and workmanship for a period of one year from date of
shipment. Radware software carries a standard warranty that provides bug fixes for up to 90 days
after date of purchase. Should a Product unit fail anytime during the said period(s), Radware will, at
its discretion, repair or replace the Product.
For hardware warranty service or repair, the product must be returned to a service facility
designated by Radware. Customer shall pay the shipping charges to Radware and Radware shall pay
the shipping charges in returning the product to the customer. Please see specific details outlined in
the Standard Warranty section of the customer’s purchase order.
Radware shall be released from all obligations under its Standard Warranty in the event that the
Product and/or the defective component has been subjected to misuse, neglect, accident or
improper installation, or if repairs or modifications were made by persons other than Radware
authorized service personnel, unless such repairs by others were made with the written consent of
Radware.
EXCEPT AS SET FORTH ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE
PROVIDED “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO,
THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
DISCLAIMED.
Standard Warranty (French version)
Radware grants a limited warranty for all of its products (“Products”). Radware hardware is
warranted against any material and manufacturing defect for a period of one year from the date of
shipment. Radware software is provided with a standard warranty consisting of the supply of fixes
for software malfunctions (bugs) for a maximum period of 90 days from the date of purchase. Should
a Product present a defect during the said period(s), Radware will, at its discretion, repair or
exchange the Product.
For the hardware exchange or repair warranty, the Product must be returned to a repairer
designated by Radware. The Customer bears the cost of shipping the Product to Radware, and
Radware bears the cost of returning the Product to the customer. Please consult the specific
conditions described in the “Standard Warranty” section of the customer purchase order.
Radware is released from all obligations under the Standard Warranty if the Product and/or the
defective component has been subjected to misuse, negligence, accident or improper installation, or
if repairs or modifications to it were carried out by persons other than maintenance personnel
authorized by Radware, unless Radware gave its written consent for such repairs to be carried out by
those persons.
EXCEPT IN THE CASES PROVIDED ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE)
ARE PROVIDED “AS IS” AND ALL EXPRESS OR IMPLIED WARRANTIES ARE EXCLUDED, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE.
Standard Warranty (German version)
Radware offers a limited warranty for all of its products (“Products”). Radware hardware products
carry a warranty against material and workmanship defects for a period of one year from the
delivery date. Radware software comes with a standard warranty covering bug fixes for a period of
up to 90 days after the date of purchase. Should a product exhibit a defect within the stated warranty
period, Radware will, at its own discretion, either repair or replace the product.
For hardware warranty service or repair, the product must be returned to a service facility
designated by Radware. The customer bears the shipping costs for transporting the product to
Radware; Radware bears the cost of returning the product to the customer. For more details, please
refer to the Standard Warranty section of the customer order form.
Radware is released from all obligations under its Standard Warranty if the product or the defective
part was misused, neglected in maintenance, subjected to an accident or improperly installed, or if
repairs or modifications were made by persons other than Radware-authorized service staff, unless
such repairs by said other persons were carried out with written approval from Radware.
WITH THE EXCEPTION OF THE ABOVE, ALL RADWARE PRODUCTS (HARDWARE AND SOFTWARE) ARE
DELIVERED “AS IS” AND ALL EXPRESS OR IMPLIED WARRANTIES, INCLUDING BUT NOT LIMITED TO
THE IMPLIED WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE
EXCLUDED.
Document Conventions
The following describes the conventions and symbols that this guide uses (the guide gives each
meaning in English, French, and German):
Caution: Possible damage to equipment, software, or data
Note: Additional information
To: A statement and instructions
Table of Contents
Important Notices, page 3
Copyright Notices, page 4
Standard Warranty, page 9
Limitations on Warranty and Liability, page 10
Document Conventions, page 11
Chapter 1 – Introduction, page 21
DefensePro—Overview, page 21
DefensePro System Components, page 22
Radware Security Update Service on the Web, page 23
Typical Deployment (Transparent Device Operation Mode), page 23
Out-of-Path Deployments (IP Device Operation Mode), page 24
Network Connectivity, page 25
Management Interfaces—APSolute Vision and Others, page 26
DefensePro Features, page 27
Security Protections, page 27
Real-time Security Reporting for DefensePro, page 28
Historical Security Reporting—APSolute Vision Reporter, page 28
DefensePro Physical Ports, page 29
DefensePro Platforms and Models, page 29
Related Documentation, page 29
DefensePro Release Notes, page 29
DefensePro Installation and Maintenance Guide, page 30
APSolute Vision Documentation, page 30
APSolute Vision Reporter Documentation, page 30
Web-Based Management Help, page 30
CLI Reference Manual, page 31
DefensePro—Overview
Radware’s award-winning DefensePro™ is a real-time intrusion prevention system (IPS) and
DoS-protection device, which maintains business continuity by protecting the application
infrastructure against existing and emerging network-based threats that cannot be detected by
traditional IPSs, such as network- and application-resource misuse, malware spreading,
authentication defeat and information theft.
DefensePro features full protection from traditional vulnerability-based attacks through proactive
signature updates, preventing the already known attacks, including worms, trojans, bots, SSL-based
attacks, and VoIP attacks.
Unlike market alternatives that rely on static signatures, DefensePro provides unique behavioral-
based, automatically generated, real-time signatures, preventing attacks that are not vulnerability-
based and zero-minute attacks such as: network and application floods, HTTP page floods, malware
propagation, Web application hacking, brute force attacks aiming to defeat authentication schemes,
and more—all without blocking legitimate users’ traffic and with no need for human intervention.
With multiple-segment protection in a single unit, a pay-as-you-grow license-upgrade approach, and
ease of management through “hands-off” security features such as no-configuration and self-tuning,
DefensePro is the industry’s leading IPS for best functionality, maximum affordability, and ease of
management.
Figure: DefensePro system components.
Radware Security Update Service (Signature Update to the DefensePro device):
- Weekly Updates
- Emergency Updates
- Custom Updates
DefensePro Device:
- Traffic Scanning Against Attacks
- Traffic Shaping
APSolute Vision Management Station (Configuration sent to the device; Logging of security and
device events received from the device):
- Configuring
- Monitoring
- Reporting
For up-to-date security information, refer to the Radware Security Zone, available from the Radware
Web site:
http://www.radware.com/content/support/securityzone/serviceinfo/default.asp.
Network Connectivity
The following figures show typical network topologies of DefensePro.
You can perform most tasks using any of the management systems. However, for the most part, this
guide describes management tasks using APSolute Vision.
APSolute Vision is a graphical application that enables you to configure, modify, monitor, and
generate reports centrally for single or multiple DefensePro deployments.
You can connect a DefensePro device to management interfaces through network physical interfaces
or through serial ports. DefensePro supports the following port types:
• Using the network connection: SNMP, HTTP, HTTPS, Telnet, SSH
• Using the serial port connection: RS-232 up to 115 Kbit/s (default is 19,200 Kbit/s)
The following table lists the DefensePro physical interfaces and supporting management interfaces:
DefensePro Features
This section provides a brief description of the main DefensePro features and includes the following
topics:
• Security Protections, page 27
• Real-time Security Reporting for DefensePro, page 28
• Historical Security Reporting—APSolute Vision Reporter, page 28
Security Protections
You can use APSolute Vision, WBM, or the CLI to configure DefensePro security policies.
Note: The DefensePro version and platform may affect the types of the security policies that the
DefensePro device supports.
A security policy in an organization is a set of rules and regulations that defines what constitutes a
secure network and how it reacts to security violations. You implement a security policy for your
organization by using the global security settings, Network Protection policy, and Server Protection
policy. You can adjust a security policy to suit the security needs of different network segments
down to a single server, providing comprehensive protection for your organization.
Each policy consists of multiple rules. Each rule in a policy defines a network segment or server, one
or more protection profiles to be applied, and the action to be taken when the device detects an
attack.
Each protection profile defines the security defenses that provide protection against a specific
network threat. For example, the Signature Protection profile prevents intrusion attempts, and the
Behavioral DoS profile prevents flood attacks aimed at creating denial of service.
Notes
• Unless specifically noted, the procedures to configure security policies in this book relate to
using APSolute Vision.
• Some protections are not supported on management interfaces.
DefensePro’s multi-layer security approach combines features for detecting and mitigating a wide
range of network and server attacks.
DefensePro supports three types of security protections: Network-wide protections, Server
protections, and Access-control policies.
Access control (ACL) policies block or allow traffic to or from specified networks, based on protocols,
applications, and other criteria.
Notes
• The infrastructure of DefensePro 7.x versions contains the internal logic of two DefensePro
software instances, using the DoS Mitigation Engine (DME) and physical ports as shared resources.
Each DefensePro instance includes a dedicated string-matching engine (SME) unit. The capacity of
each instance, in terms of bandwidth, connections per second, and packets per second, is roughly
half of the total capacity of the hardware platform.
• With the infrastructure of DefensePro 7.x versions, you must set the operating instance for each
network policy. When assigning a policy, you should consider the maximum capacity of an
instance to balance the workload between the two.
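The policy hierarchy described above (a policy holds rules, each rule names a network segment or server, the protection profiles to apply, and an action) and the DefensePro 7.x two-instance capacity note, modelled in Python as an added example. This is not Radware's code or the device's configuration format; the rule names, CIDRs, platform throughput and per-segment load figures are constructed assumptions.

```python
"""Added example (not Radware's code): a small model of the DefensePro
policy hierarchy the guide describes, plus a capacity-balance check for
the 7.x two-instance infrastructure. All sample values are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One rule: protected segment or server, profiles applied, and action."""
    name: str
    segment: str        # CIDR for a network segment, or /32 for a single server
    profiles: tuple     # e.g. ("Signature Protection", "Behavioral DoS")
    action: str         # "block" or "report" (assumed action names)
    instance: int       # 7.x operating instance assigned to this rule: 1 or 2
    expected_mbps: int  # assumed planning figure: load this segment will carry

    def covers(self, ip: str) -> bool:
        """True if the destination address falls inside this rule's segment."""
        return ipaddress.ip_address(ip) in ipaddress.ip_network(
            self.segment, strict=False)


def select_rule(rules, dst_ip):
    """Return the most specific rule (longest prefix) covering dst_ip, or None.

    A single-server rule (/32) therefore takes precedence over the wider
    segment rule that also contains that server."""
    matches = [r for r in rules if r.covers(dst_ip)]
    if not matches:
        return None
    return max(matches, key=lambda r: ipaddress.ip_network(
        r.segment, strict=False).prefixlen)


def instance_load(rules, platform_mbps):
    """Sum the planned load per instance against roughly half the platform
    capacity each, as the guide's note on 7.x instances describes.

    Returns (load per instance, per-instance cap, list of overloaded instances)."""
    cap = platform_mbps // 2
    load = {1: 0, 2: 0}
    for r in rules:
        if r.instance not in load:
            raise ValueError(f"{r.name}: operating instance must be 1 or 2")
        load[r.instance] += r.expected_mbps
    overloaded = [i for i, mbps in load.items() if mbps > cap]
    return load, cap, overloaded


# Constructed sample Network Protection policy (addresses are documentation ranges).
NETWORK_POLICY = (
    Rule("dmz-web", "203.0.113.0/24",
         ("Signature Protection", "Behavioral DoS"), "block", 1, 4000),
    Rule("mail-server", "203.0.113.25/32",
         ("Signature Protection",), "report", 2, 500),
    Rule("corp-lan", "10.0.0.0/8",
         ("Signature Protection",), "block", 1, 3000),
)


if __name__ == "__main__":
    for ip in ("203.0.113.25", "203.0.113.80", "192.0.2.1"):
        rule = select_rule(NETWORK_POLICY, ip)
        print(ip, "->", rule.name if rule else "no rule (not protected)")
    load, cap, over = instance_load(NETWORK_POLICY, platform_mbps=10000)
    print("load per instance:", load, "cap per instance:", cap)
    if over:
        print("instances above capacity:", over, "- move rules to balance")
```

With the constructed figures the policy is unbalanced: instance 1 carries 7000 Mbit/s against a 5000 Mbit/s per-instance cap while instance 2 carries 500, which is exactly the situation the note asks you to avoid when assigning the operating instance.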
Related Documentation
See the following documents for information related to DefensePro:
• DefensePro Release Notes, page 29
• DefensePro Installation and Maintenance Guide, page 30
• APSolute Vision Documentation, page 30
• APSolute Vision Reporter Documentation, page 30
• Web-Based Management Help, page 30
• CLI Reference Manual, page 31
— The language of the APSolute Vision graphical user interface. Click the (globe icon) to
set the value.
3. Click Log In.
Caution: Radware recommends increasing the SNMP Timeout to 180 seconds (APSolute Vision
Settings view System perspective, General Settings > Connectivity > Timeout).
Note: For information on passwords and managing APSolute Vision users, see the APSolute Vision
User Guide.
Parameter: Description
Current Username: (Read-only) The current username.
Current Password: Your current password.
New Password: Your new password.
Confirm New Password: Your new password, entered again.
The APSolute Vision interface follows a consistent hierarchical structure, organized functionally to
enable easy access to options. You start at a high functional level and drill down to a specific
module, function, or object.
Note: Access to and privileges in APSolute Vision interface elements are determined by Role-Based
Access Control (RBAC). For more information, see the APSolute Vision documentation.
Figure callouts: User ribbon; Refresh button and last refresh time; Settings button; Scheduler
button; Security Control Center button.
• User ribbon—Clicking the arrow in the User ribbon opens the User drop-down dialog box.
Use the User dialog box to do the following:
— View the user name, RBAC role, and previous login time
— Change the UI language by selecting another value from the Language drop-down list
— Log out of the session and log in as another user
Click the relevant button (System, Dashboards, or Preferences) to display the perspective that
you require.
At the upper-left of the APSolute Vision Settings view, APSolute Vision displays the APSolute Vision
device-properties pane. For more information, see Device-Properties Pane, page 41.
When you hover over a device node in the device pane, a popup displays. For more information, see
Device-Properties Hover Popup, page 41.
Alerts pane—Displays the Alerts table. The Alerts table displays APSolute
Vision alerts, device alerts, DefensePro security alerts, and device
configuration messages.
Note: For more information on most of the operations that are exposed in the APSolute Vision
Settings view System perspective, see the APSolute Vision User Guide.
Device Pane
Users with a proper role can use the device pane to add or delete the Radware devices that the
APSolute Vision server manages.
Note: For information on how to add or delete the Radware devices that the APSolute Vision server
manages, see Managing APSolute Vision Sites and DefensePro Devices, page 47.
Click the button near the upper-left corner to display the device pane.
You can organize managed devices into high-availability clusters and sites.
Typically, a site is a group of devices that share properties, such as location, services, or device
type. You can nest sites; that is, each site can contain child sites and devices. In the context of
role-based access control (RBAC), sites enable administrators to define the scope of each user.
When you double-click a device in the device pane, APSolute Vision displays the device-properties
pane and the last perspective that you viewed on the device along with the corresponding content
area.
You can filter the sites and devices that APSolute Vision displays. The filter applies to all the sites
and devices in the tree. The filter does not change the contents of the tree, only how APSolute Vision
displays the tree to you. By default, APSolute Vision displays all the sites and devices that you have
permission to view. To each node in the tree, APSolute Vision appends the number of devices
matching the filter at that level according to your RBAC permissions.
You can filter the sites and devices that APSolute Vision displays according to the following criteria:
• Status—Up, Down, Maintenance, or Unknown.
• Type—Alteon, AppWall, DefensePro, or LinkProof NG. The Physical Containers tab does
not display this field.
• Name—The name of a device, site, or string contained in the name (for example, the value aRy
matches an element named Primary1 and SecondaryABC).
• IP Address—The IP address, IP range, or IP mask.
After you configure the filter criteria, click the button to apply the filter.
Docks the device pane. Displays the UI for the selected device(s).
Device-Properties Pane
When you select a single device in the device pane, all APSolute Vision perspectives display the
device-properties pane (see Figure 8 - Settings View (Showing the System Perspective), page
38, Figure 12 - Monitoring Perspective—DefensePro, page 43, and Figure 13 - Security Monitoring
Perspective—Showing the Security Dashboard, page 44).
When you select multiple devices in the device pane, APSolute Vision displays the multi-device view.
When you select a single device in the device pane, the device-properties pane displays the
following parameters:
• The device type (Alteon, AppWall, DefensePro, or LinkProof NG) and the user-defined device
name.
• An icon showing whether the device is locked.
• A picture of the device front panel. When the device is locked, you can click the button to
reset or shut down the device.
• Status—The device general status: Up, Down, or Maintenance.
• Locked By—If the device is locked, the user who locked it.
• Platform (displayed only for DefensePro version 6.x and 7.x devices)—The platform type, for
example x420.
• Mngt IP—The host or IP address of the device.
• Version—The device version.
• MAC—The MAC address.
• HA Status—The high-availability status of the device: Standalone, Primary, or Secondary.
• Device Driver—The device driver name.
Configuration Perspective
Use the Configuration perspective to configure Radware devices.
Choose the device to configure in the device pane.
You can view and modify device configurations in the content area.
The following points apply to all configuration tasks in the Configuration perspective:
• To configure a device, you must lock it. For more information, see the APSolute Vision
documentation.
• When you change a field value (so that there is configuration pending a Submit action), the
tab title is displayed in italics with an asterisk (*).
2. Lock the device by clicking the icon in the device-properties pane. The icon changes to
Monitoring Perspective
In the Monitoring perspective, you can monitor physical devices and interfaces, and logical objects.
Note: For more information on the Security Monitoring perspective, see Using Real-Time Security
Monitoring, page 1.
Parameter Description
Default Landing Page The page that APSolute Vision displays when you open APSolute
Vision WBM.
Values:
• None—When you open APSolute Vision WBM, you land in the
default page configured on the APSolute Vision server.
• Application SLA Dashboard—When you open APSolute Vision
WBM, you land on the Application SLA Dashboard.
• Security Control Center—When you open APSolute Vision WBM,
you land on the Security Control Center.
• Operator Toolbox—When you open APSolute Vision WBM, you
land on the Toolbox.
Default: None
Note: Your user role and scope determine the available options.
If you do not have permission to view the default page configured on
the APSolute Vision server, you land in the first permitted tab in
the APSolute Vision Settings view.
Notes
• You can configure and control a managed device only when the device is locked (see Locking
and Unlocking Devices, page 21).
• The APSolute Vision documentation shows icons/buttons in their colored state.
View Opens a “View...” tab to view the values of the selected entry.
— If a table column displays a drop-down list (with an arrow), click the arrow and select the
value to filter by.
— If the table column displays a white text box, type the value to filter by.
Notes
— For text boxes, the filter uses a contains algorithm. That is, the filter considers it to be a
match if the string that you enter is merely contained in a value. For example, if you enter
ser in the text box, the filter returns rows with the values ser, service1, and service2.
— If the box at the top of a column is gray, you cannot filter according to that parameter.
Note: For more information on APSolute Vision permissions, see the APSolute Vision User Guide.
The following topics describe how to set up your network of APSolute Vision sites and DefensePro
devices:
• Device Pane—Sites, Clusters, and Physical Containers, page 47
• Configuring Sites, page 48
• Managing DefensePro Devices in APSolute Vision, page 49
• Locking and Unlocking Devices, page 55
• Managing DefensePro Clusters for High Availability, page 56
• Using the Multi-Device View and the Multiple Devices Summary, page 61
• After You Set Up Your Managed Devices, page 62
Note: To add DefensePro devices to APSolute Vision or remove them, you can also use vDirect with
APSolute Vision. For more information, see the APSolute Vision User Guide.
You can also display real-time security monitoring for multiple devices. You can select a site or select
multiple devices (using standard mouse click/keyboard combinations) even if the devices are in the
same site.
Tree nodes are organized alphabetically in the tree within each level. For example, a site called
Alteon_Site appears before a site at the same level called DefensePro_Site.
All nested sites appear before devices at the same level, regardless of their alphanumerical order.
All node names in a tree must be unique. For example, you cannot give a site and a device the same
name, and you cannot give devices in different sites the same name.
Node names are case-sensitive.
You can export a CSV file with the devices in the Sites and Clusters tab. The CSV file includes
information on each device. The file does not include information regarding associated sites. For
more information, see the procedure To export a CSV file with the devices in the Sites and Clusters
tab, page 54.
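The device-pane behaviour described above (the Status/Type/Name/IP Address filter, the matching-device count appended to each node, sites-before-devices alphabetical ordering, and case-sensitive name uniqueness) as a small Python model. This is an added illustration, not Radware code; the names and addresses in sample_tree() are constructed.

```python
"""Model of the APSolute Vision device-pane tree described above: nested sites and devices,
the Status/Type/Name/IP Address filter, the matching-device count appended to each node,
the display order and the name-uniqueness rule. Added illustration, not Radware code; the
names and addresses in sample_tree() are constructed."""
from __future__ import annotations
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Device:
    name: str
    dev_type: str  # Alteon, AppWall, DefensePro, or LinkProof NG
    status: str    # Up, Down, Maintenance, or Unknown
    mgmt_ip: str

@dataclass
class Site:
    name: str
    sites: list[Site] = field(default_factory=list)
    devices: list[Device] = field(default_factory=list)

@dataclass
class Filter:
    """Criteria left as None are not applied; an empty Filter shows every permitted node."""
    status: str | None = None
    dev_type: str | None = None
    name: str | None = None  # substring match
    ip: str | None = None    # "10.1.1.10", "10.1.1.1-10.1.1.50" or "10.1.1.0/255.255.255.0"

def ip_matches(spec: str, addr: str) -> bool:
    """IP Address criterion: a single address, an inclusive range, or an address/mask."""
    a = ipaddress.ip_address(addr)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-", 1))
        return lo <= a <= hi
    if "/" in spec:
        return a in ipaddress.ip_network(spec, strict=False)
    return a == ipaddress.ip_address(spec)

def device_matches(f: Filter, d: Device) -> bool:
    """Every configured criterion must hold. Name is a case-insensitive 'contains' test,
    matching the guide's example that "aRy" finds Primary1 and SecondaryABC."""
    if f.status is not None and d.status != f.status:
        return False
    if f.dev_type is not None and d.dev_type != f.dev_type:
        return False
    if f.name is not None and f.name.lower() not in d.name.lower():
        return False
    return f.ip is None or ip_matches(f.ip, d.mgmt_ip)

def count_matches(site: Site, f: Filter) -> int:
    """The number appended to a tree node: matching devices at or below that node."""
    own = sum(1 for d in site.devices if device_matches(f, d))
    return own + sum(count_matches(s, f) for s in site.sites)

def render(site: Site, f: Filter, depth: int = 0) -> list[str]:
    """One line per displayed node: nested sites before devices at the same level, each
    group alphabetical. Non-matching devices are hidden, but the tree itself is unchanged."""
    pad = "  " * depth
    lines = [f"{pad}{site.name} ({count_matches(site, f)})"]
    for child in sorted(site.sites, key=lambda s: s.name.lower()):
        lines.extend(render(child, f, depth + 1))
    for d in sorted(site.devices, key=lambda d: d.name.lower()):
        if device_matches(f, d):
            lines.append(f"{pad}  {d.name} [{d.dev_type}, {d.status}, {d.mgmt_ip}]")
    return lines

def duplicate_names(root: Site) -> list[str]:
    """Names that violate the rule that every site and device name in the tree is unique.
    Node names are case-sensitive, so Primary1 and primary1 are distinct."""
    seen: set[str] = set()
    dups: list[str] = []
    def walk(site: Site) -> None:
        for n in [site.name, *(d.name for d in site.devices)]:
            if n in seen:
                dups.append(n)
            seen.add(n)
        for child in site.sites:
            walk(child)
    walk(root)
    return dups

def sample_tree() -> Site:
    """Constructed sample: root site Default with two nested sites and one direct device."""
    return Site("Default", sites=[
        Site("DefensePro_Site", devices=[
            Device("Primary1", "DefensePro", "Up", "10.1.1.10"),
            Device("SecondaryABC", "DefensePro", "Down", "10.1.1.11"),
        ]),
        Site("Alteon_Site", devices=[Device("alteon-edge", "Alteon", "Up", "10.2.0.5")]),
    ], devices=[Device("Wall1", "AppWall", "Maintenance", "192.168.7.3")])

if __name__ == "__main__":
    print("\n".join(render(sample_tree(), Filter(name="aRy"))))
```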
Configuring Sites
By default, the root site is called Default. You can rename this site, and add nested sites and
devices.
You can add, rename, and delete sites. When you delete a site, you must first remove all its child
sites and devices.
Notes
• To move a device between sites, you must first delete the device from the sites tree and then
add it in the required target site.
• A site cannot have the same name as a device, and sites nested under different parent sites
cannot have the same name.
• You cannot delete the Default site.
Caution: With RADIUS or TACACS+ authentication, if a user definition explicitly mentions the name
of a site and the site name changes, the user definition in the RADIUS or TACACS+ server must be
updated accordingly. For more information, see the APSolute Vision User Guide.
If the name of an APSolute Vision site changes and APSolute Vision authenticates the users locally,
APSolute Vision updates the relevant scopes for the users.
To rename a site
1. In the device pane, select the site.
To delete a site
1. In the device pane, select the site.
Notes
• A device cannot have the same name as a site.
• Devices in different sites cannot have the same name.
• You can change the name of a device after you have added it to the APSolute Vision
configuration.
• To move a device between sites, you must first delete the device from the sites tree and then
add it to the required target site.
• If you replace a device with a new device to which you want to assign the same management IP
address, you must delete the device from the site and then recreate it for the replacement.
• When you delete a device, you can no longer view historical reports for that device.
• When you delete a device, the device alarms and security monitoring information are removed
also.
• You can export a CSV file with the devices in the Sites and Clusters tab. The CSV file includes
information on each device. The file does not include information regarding associated sites. For
more information, see the procedure To export a CSV file with the devices in the Sites and
Clusters tab, page 54.
• HTTPS is used for downloading/uploading various files from/to managed devices, including:
configuration files, certificate and key files, attack-signature files, device-software files, and so
on.
Caution: If a DefensePro device was added to APSolute Vision using vDirect (that is, registered on
APSolute Vision), and the device Web (HTTPS) credentials are different from the CLI (SSH)
credentials, you must update the Web credentials of the device in the APSolute Vision Device
Properties dialog box. For more information on vDirect, see the APSolute Vision User Guide.
Parameter Description
Type The type of the object. Choose DefensePro.
Name The name of the device.
Notes:
• There are some reserved words (for example,
DefenseFlow) that APSolute Vision does not allow as
names.
• You can change the name of a device after you have
added it to the APSolute Vision configuration.
Management IP The management IP address as it is defined on the managed
device.
Note: Once you add the device to the APSolute Vision
configuration, you cannot change its IP address.
SNMP Version The SNMP version used for the connection.
SNMP Read Community
  (This parameter is displayed only when SNMP Version is SNMPv1 or SNMPv2.)
  The SNMP read community name.
SNMP Write Community
  (This parameter is displayed only when SNMP Version is SNMPv1 or SNMPv2.)
  The SNMP write community name.
User Name
  (This parameter is displayed only when SNMP Version is SNMPv3.)
  The username for the SNMP connection.
  Maximum characters: 18
Use Authentication
  (This parameter is displayed only when SNMP Version is SNMPv3.)
  Specifies whether the device authenticates the user for a successful connection.
  Default: Disabled
Authentication Protocol
  (This parameter is available only when the Use Authentication checkbox is selected.)
  The protocol used for authentication.
  Values: MD5, SHA
  Default: SHA
Authentication Password
  (This parameter is available only when the Use Authentication checkbox is selected.)
  The password used for authentication.
  Caution: The password should be at least eight characters. vDirect requires that the
  password be at least eight characters.
Use Privacy
  (This parameter is available only when the Use Authentication checkbox is selected.)
  Specifies whether the device encrypts SNMPv3 traffic for additional security.
  Default: Disabled
Privacy Protocol
  (This parameter is available only when the Use Privacy checkbox is selected.)
  The protocol used to encrypt SNMPv3 traffic.
  Values: DES, AES128
  Default: DES
Privacy Password
  (This parameter is available only when the Use Privacy checkbox is selected.)
  The password used for the Privacy facility.
  Caution: The password should be at least eight characters. vDirect requires that the
  password be at least eight characters.
Parameter Description
Verify HTTP Access Specifies whether APSolute Vision verifies HTTP access to the
managed device.
Default: Enabled
Verify HTTPS Access Specifies whether APSolute Vision verifies HTTPS access to
the managed device.
Default: Enabled
Parameter Description
User Name The username for HTTP and HTTPS communication.
Maximum characters: 18
Password The password used for HTTP and HTTPS communication.
HTTP Port The port for HTTP communication with the device.
Default: 80
HTTPS Port The port for HTTPS communication with the device.
Default: 443
Parameter Description
User Name The username for SSH access to the device.
Maximum characters: 32
Default: admin
Password The password for SSH access to the device.
Maximum characters: 32
Default: admin
SSH Port The port for SSH communication with the device.
Default: 22
Note: This value should be the same as the value for the
SSH port configured in the device (Configuration
perspective, System > Management Access >
Management Protocols > SSH).
Parameter Description
Register This APSolute Vision Server for Device Events
  Specifies whether the APSolute Vision server configures itself as a target of the device
  events.
  Values:
  • Enabled—The APSolute Vision server configures itself as a target of the device events
    (for example, traps, alerts, IRP messages, and packet-reporting data).
  • Disabled—For a new device, the APSolute Vision server adds the device without
    registering itself as a target for events. For an existing device, the APSolute Vision
    server removes itself as a target of the device events.
  Default: Enabled
  Notes:
  • APSolute Vision runs this action each time you click Submit in the dialog box.
  • For more important information, see APSolute Vision Server Registered for Device
    Events—DefensePro, page 54.
Register APSolute Vision Server IP
  (This parameter is available only when the Register This APSolute Vision Server for Device
  Events checkbox is selected.)
  The port and IP address of the APSolute Vision server to which the managed device sends
  events. Select an APSolute Vision server interface that is used as the APSolute Vision
  server data port and is configured to have a route to the managed devices.
Remove All Other Targets of Device Events
  (This parameter is available only when the Register This APSolute Vision Server for Device
  Events checkbox is selected.)
  Specifies whether the APSolute Vision server removes from the device all recipients of
  device events (for example, traps and IRP messages) except for its own address.
  Default: Disabled
  Note: APSolute Vision runs this action each time you click Submit in the dialog box. For
  example, if you select the checkbox and click Submit—and later, a trap target is added to
  the trap target-address table—APSolute Vision removes the additional address the next
  time you click Submit in the dialog box.
To delete a device
1. In the device pane Sites and Clusters tree, select the device name, and click the Delete
button.
2. Click Yes in the confirmation box. The device is deleted from the list of managed devices.
To export a CSV file with the devices in the Sites and Clusters tab
1. In the device pane Sites and Clusters tree, click Export Device List to CSV.
2. View the file or specify the location and file name, and then, click Save.
The CSV file includes the following columns:
— Device Name
— Device Type
— Status
— Management IP Address
— Software Version
— MAC Address
— License
— Platform
— Form Factor
— HA Status
— Device Driver
Caution: If the Register This APSolute Vision Server for Device Events checkbox is cleared,
the Alert browser, security reporting, and APSolute Vision Reporter (AVR) might not collect and
display information about the device.
Note: Only one APSolute Vision server should manage any one Radware device.
While the device is locked:
• The device icon in the device pane includes a small lock symbol.
• Configuration panes are displayed in read-only mode to other users with configuration
permissions for the device.
• If applicable, the Submit button is available.
2. In the device-properties pane, click the unlocked padlock at the lower-left corner of the
device drawing. The drawing changes to a locked padlock.
2. In the device-properties pane, click the locked padlock at the lower-left corner of the
device drawing. The drawing changes to an unlocked padlock.
3. In the device-properties pane, click the unlocked padlock at the lower-left corner of the
device drawing. The drawing changes to a locked padlock.
3. In the device-properties pane, click the locked padlock at the lower-left corner of the
device drawing. The drawing changes to an unlocked padlock.
Note: DefensePro does not support this feature when the Device Operation Mode is IP (see
Configuring the Device Operation Mode for DefensePro, page 156).
This section contains the following topics:
• High-Availability in DefensePro—Overview, page 56
• Configuring DefensePro High-Availability Clusters, page 59
• Monitoring DefensePro Clusters, page 60
• Synchronizing High-Availability Devices and Switching the Device States, page 61
High-Availability in DefensePro—Overview
To support high availability (HA), you can configure two compatible DefensePro devices to operate in
a two-node cluster. One member of the cluster is configured as the primary; the other member of
the cluster assumes the role of secondary.
Both cluster members must meet the following requirements:
• Must use the same:
— Platform
— Software version
— Software license
— Throughput license
— Radware signature file
• Must be on the same network.
• Must use the same management port (that is, MNG-1 on both devices, MNG-2 on both devices,
or both MNG-1 and MNG-2 on both devices).
When you configure a cluster and submit the configuration, the newly designated primary device
configures the required parameters on the designated secondary device.
A secondary device maintains its own configuration for the device users, IP interfaces, routing, and
the port-pair Failure Mode.
A primary device immediately transfers each relevant change to its secondary device. For example,
after you make a change to a Network Protection policy, the primary device immediately transfers
the change to the secondary device. However, if you change the list of device users on the primary
device, the primary device transfers nothing (because the secondary device maintains its own list of
device users).
The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.
The following situations trigger the active device and the passive device to switch states (active to
passive and passive to active):
• The passive device does not detect the active device according to the specified Heartbeat
Timeout.
• All links are identified as down on the active device according to the specified Link Down
Timeout.
• Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the
specified Idle Line Timeout.
• You issue the Switch Over command. To switch the device states, select the cluster node, and
then select Switch Over.
Notes
• To create a cluster, the devices must not be locked by another user.
• By design, an active device does not fail over during a user-initiated reboot. Before you reboot
an active device, you can manually switch to the other device in the cluster.
• You can initiate a baseline synchronization if a cluster member is passive, using the CLI or Web
Based Management.
• When you upgrade the device software, you need to break the cluster (that is, ungroup the two
devices). Then, you can upgrade the software and reconfigure the cluster as you require.
• In an existing cluster, you cannot change the role of a device (primary to secondary or vice
versa). To change the role of a device, you need to break the cluster (that is, ungroup the two
devices), and then, reconfigure the cluster as you require.
• If the devices of a cluster belong to different sites, APSolute Vision creates the cluster node
under the site where the primary device resides; and APSolute Vision removes the secondary
device from the site where it was configured.
• APSolute Vision issues an alert if the state of the device clusters is ambiguous. For example, if
there has been no trigger for switchover and both cluster members detect traffic. This state is
normal during the initial synchronization process.
• There is no failback mechanism. There is only the automatic switchover action and the manual
Switch Over command.
• When a passive device becomes active, any grace time resets to 0 (for example, the time of the
Graceful Startup Mode Startup Timer).
• You can monitor high-availability operation in the High Availability pane of the Monitoring
perspective (Monitoring perspective, Operational Status > High Availability).
• The Properties pane displays the high-availability information of the selected device.
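The switchover triggers and the notes above (Heartbeat Timeout, Link Down Timeout, the optional Idle Line Threshold/Timeout, the manual Switch Over command, timers and grace time restarting from 0, and no failback) as a Python model. This is an added illustration of the documented behaviour, not Radware code; the settings and observations in constructed_scenario() are made up.

```python
"""Model of the two-node cluster switchover rules described above (added illustration of the
documented behaviour, not Radware code). 'primary'/'secondary' are the configured roles;
which of them is currently active changes on a switchover. The observations in
constructed_scenario() are made up to exercise the Heartbeat Timeout trigger."""
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class ClusterSettings:
    heartbeat_timeout: float                  # seconds without a heartbeat from the active device
    link_down_timeout: float                  # seconds with all links down on the active device
    idle_line_threshold: float | None = None  # optional: traffic rate below which the line is idle
    idle_line_timeout: float = 0.0            # seconds the line must stay idle

@dataclass
class Observation:
    t: float                       # time in seconds
    heartbeat_seen: bool           # the passive device detected the active device
    active_links_up: int           # links currently up on the active device
    active_traffic: float          # traffic rate seen by the active device
    switch_over_cmd: bool = False  # operator selected Switch Over on the cluster node

@dataclass
class Cluster:
    settings: ClusterSettings
    active: str = "primary"
    passive: str = "secondary"
    last_heartbeat: float = 0.0
    links_down_since: float | None = None
    idle_since: float | None = None
    switchovers: list[tuple[float, str, str]] = field(default_factory=list)

    def _switch(self, t: float, reason: str) -> str:
        """Active and passive swap roles. Timers restart, and any grace time (for example the
        Graceful Startup Mode timer) starts again from 0. Nothing ever fails back."""
        self.active, self.passive = self.passive, self.active
        self.last_heartbeat, self.links_down_since, self.idle_since = t, None, None
        self.switchovers.append((t, self.active, reason))
        return reason

    def observe(self, o: Observation) -> str | None:
        """Apply one observation; return the trigger that caused a switchover, or None."""
        s = self.settings
        if o.switch_over_cmd:
            return self._switch(o.t, "manual switch over")
        if o.heartbeat_seen:
            self.last_heartbeat = o.t
        elif o.t - self.last_heartbeat >= s.heartbeat_timeout:
            return self._switch(o.t, "heartbeat timeout")
        if o.active_links_up == 0:
            if self.links_down_since is None:
                self.links_down_since = o.t
            if o.t - self.links_down_since >= s.link_down_timeout:
                return self._switch(o.t, "link down timeout")
        else:
            self.links_down_since = None
        if s.idle_line_threshold is not None:
            if o.active_traffic < s.idle_line_threshold:
                if self.idle_since is None:
                    self.idle_since = o.t
                if o.t - self.idle_since >= s.idle_line_timeout:
                    return self._switch(o.t, "idle line timeout")
            else:
                self.idle_since = None
        return None

def run(settings: ClusterSettings, observations: list[Observation]) -> Cluster:
    """Feed a sequence of observations to a fresh cluster and return its final state."""
    cluster = Cluster(settings)
    for o in observations:
        cluster.observe(o)
    return cluster

def constructed_scenario() -> tuple[ClusterSettings, list[Observation]]:
    """Heartbeats stop at t=5; the 3 s timeout expires at t=7; the old active device
    reappears at t=9 but stays passive because there is no failback."""
    s = ClusterSettings(heartbeat_timeout=3, link_down_timeout=5,
                        idle_line_threshold=1000, idle_line_timeout=10)
    obs = [Observation(t, True, 4, 50_000) for t in range(0, 5)]
    obs += [Observation(t, False, 4, 50_000) for t in range(5, 9)]
    obs += [Observation(t, True, 4, 50_000) for t in range(9, 12)]
    return s, obs

if __name__ == "__main__":
    settings, observations = constructed_scenario()
    print(run(settings, observations).switchovers)
```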
Parameter Description
Cluster Name The name for the cluster (up to 32 characters).
Primary Device Specifies which of the cluster members is the primary device.
Associated Management Ports Specifies the management (MNG) port or ports through which the
primary and secondary devices communicate.
Values: MNG1, MNG2, MNG1+2
Note: You cannot change the value if the currently specified
management port is being used by the cluster. For example, if
the cluster is configured with MNG1+2, and MNG1 is in use,
you cannot change the value to MNG2.
The following table describes the icon elements that APSolute Vision displays in the device pane for
DefensePro high-availability clusters. [Icon images not reproduced.]
Icon elements: Cluster; Primary device; Secondary device; Synchronizing; Unavailable.
The following table describes some icons that APSolute Vision can display in the device pane for
DefensePro high-availability clusters. [Icon images not reproduced.]
Example icon descriptions: The cluster is operating nominally. The secondary device is active,
locked, and operating nominally.
3. Click Synchronize.
View button.
Configuration button—Opens the Multi-Device Configuration
dialog box.
Parameter Description
Device Name (Read-only) The device name configured on the device.
Device Description (Read-only) The device description configured on the device.
Location The device location, if required.
Contact Information Contact information, if required.
System Up Time (Read-only) The length of time that the device has been up since the last
device reboot.
Base MAC Address (Read-only) The MAC address of the first port on the device.
Device Serial Number (Read-only) The serial number of the device.
Parameter Description
Device Date The date setting on the device.
Click in the field to modify the date.
Device Time The time setting on the device.
Click in the field to modify the time.
Parameter Description
Software Version (Read-only) The version of the product software on the device.
Hardware Version (Read-only) The version of device hardware.
Managing Certificates
This section describes certificates for DefensePro, and how to manage the certificates using
APSolute Vision.
This section contains the following topics:
• Certificates, page 64
• Keys, page 65
• Self-Signed Certificates, page 65
• Modifying Certificate Information for a Selected Device, page 65
• Configuring Certificates, page 65
• Configuring Default Certificate Attributes, page 67
• Importing Certificates, page 67
• Exporting Certificates, page 68
• Showing Certificate Content, page 69
Certificates
Certificates are digitally signed indicators which identify the server or user. They are usually
provided in the form of an electronic key or value. The digital certificate represents the certification
of an individual business or organizational public key but can also be used to show the privileges and
roles for which the holder has been certified. It can also include information from a third-party
verifying identity. Authentication is needed to ensure that users in a communication or transaction
are who they claim to be.
A basic certificate includes the following:
• The certificate holder’s identity
• The certificate’s serial number
• The certificate expiry date
• A copy of the certificate holder’s public key
• The identity of the Certificate Authority (CA) and its digital signature to affirm the digital
certificate was issued by a valid agency
Keys
A key is a variable set of numbers that the sender applies to encrypt data to be sent via the
Internet. Usually a pair of public and private keys is used. A private key is kept secret and used only
by its owner to encrypt and decrypt data. A public key has a wide distribution and is not secret. It is
used for encrypting data and for verifying signatures. One key is used by the sender to encrypt or
interpret the data. The recipient also uses the key to authenticate that the data comes from the
sender.
The use of keys ensures that unauthorized personnel cannot decipher the data. Only with the
appropriate key can the information be easily deciphered or understood. Stolen or copied data would
be incomprehensible without the appropriate key to decipher it and prevent forgery. DefensePro
supports the following key size lengths: 512, 1024, or 2048 bytes.
Self-Signed Certificates
Self-signed certificates do not include third-party verification. When you open an HTTPS session, the
DefensePro device uses a certificate for identification. By default, the device has self-signed
Radware SSL certificates. You can also specify your own self-signed SSL certificates.
Configuring Certificates
You can create or modify a self-signed certificate for secured access to Web Based Management
(WBM).
You can also create certificate signing requests and keys for new certificates.
Parameter Description
Name The name of the key or certificate.
Caution: Do not define a certificate name longer than 49 characters.
This can corrupt the Certificate Table.
Type The type of certification.
Values:
• Certificate
• Certificate of Client CA1
• Certificate Signing Request
• Key—When you select Key, only the Key Size and Passphrase fields
are available.
Default: Key
Key Size The key size, in bytes.
Larger key sizes offer an increased level of security. Radware
recommends that certificates have a key size of 1024 or more. Using a
certificate of this size makes it extremely difficult to forge a digital
signature or decode an encrypted message.
Values: 512 Bytes, 1024 Bytes, 2048 Bytes
Default: 1024 Bytes
Common Name The domain name of the organization (for example, www.radware.com)
or IP address.
Organization The name of the organization.
Email Address Any e-mail address that you want to include within the certificate.
Key Passphrase The Key Passphrase encrypts the key in storage and is required to
export the key. Since Private Keys are the most sensitive parts of PKI
data, they must be protected by a passphrase. The passphrase should
be at least four characters, and Radware recommends using stronger
passphrases than that, based on letters, numbers, and signs.
Verify Key Passphrase After you define the key passphrase, re-enter it for verification.
Locality The name of the city.
State / Province The state or province.
Organization Unit The department or unit within the organization.
Country Name The organization country.
Certificate Expiration The duration, in days, that the certificate remains valid.
Values: 1–4,294,967,295 (4 GB)
Default: 365
1 – If you select this option when it is not allowed (according to the type of certificate you
are using), the device alerts you with an error message.
Parameter Description
Common Name The domain name of the organization. For example, www.radware.com.
Locality The name of the city.
State / Province The state or province.
Organization The name of the organization.
Organization Unit The department or unit within the organization.
Country Name The organization country.
Email Address Any e-mail address to include in the certificate.
Importing Certificates
To import keys and certificates, the connection between the APSolute Vision server and the relevant
device must use SNMPv3.
Keys and certificates are imported in PEM format. If you have separate PEM files for Key and for
certificate, you must import them consecutively with the same entry name.
Caution: A certificate that you import must not include a header or footer. (Header and footer
example: -----BEGIN PUBLIC KEY-----, -----END PUBLIC KEY-----) If the certificate that
you want to import includes a header or footer, you must remove it before importing it. Common
external applications such as openssl or ssh-keygen may include a header and footer when they
generate a certificate. A certificate that DefensePro generates does not include a header or footer.
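How the caution above plays out in practice, as an added Python illustration (not Radware code): the armored -----BEGIN/END----- lines are removed so that only the base64 body remains, and a key and certificate found in the same openssl-style file are queued for consecutive import under one entry name, key first. The PEM content in constructed_pem() is hand-made ASN.1, not a real key or certificate.

```python
"""Prepare PEM material for the import described above (added illustration, not Radware
code). DefensePro expects the base64 body without the -----BEGIN/END----- header and footer,
and a key and its certificate held in separate PEM blocks are imported consecutively under
the same entry name, the key first. The sample in constructed_pem() is hand-made ASN.1,
not a real key or certificate."""
import base64
import binascii
import re

MAX_ENTRY_NAME = 49  # longer names can corrupt the Certificate Table (Configuring Certificates)
ARMOR_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
ENTRY_TYPE = {       # PEM label -> Entry Type offered by the import dialog
    "PRIVATE KEY": "Key",
    "RSA PRIVATE KEY": "Key",
    "CERTIFICATE": "Certificate",
}

def entry_name_ok(name: str) -> bool:
    return 0 < len(name) <= MAX_ENTRY_NAME

def strip_armor(text: str) -> list[tuple[str, str]]:
    """Return (label, body) for each armored block, the body as one continuous base64 string.
    The body is decoded to confirm it is valid base64 and starts with a DER SEQUENCE (0x30),
    as every key, certificate and CSR structure does. Text without armor yields no blocks."""
    blocks = []
    for m in ARMOR_RE.finditer(text):
        label, body = m.group(1), "".join(m.group(2).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as e:
            raise ValueError(f"{label}: body is not valid base64") from e
        if not der or der[0] != 0x30:
            raise ValueError(f"{label}: body is not a DER SEQUENCE")
        blocks.append((label, body))
    return blocks

def import_plan(entry_name: str, pem_text: str) -> list[dict]:
    """Ordered imports to perform: keys first, then certificates, all under entry_name.
    Whether the certificate matches the key is checked by the device at import time."""
    if not entry_name_ok(entry_name):
        raise ValueError("entry name must be 1 to 49 characters")
    blocks = strip_armor(pem_text)
    if not blocks:
        raise ValueError("no armored block found; material that DefensePro generated is "
                         "already header-free and can be imported as-is")
    plan = []
    for label, body in blocks:
        if label not in ENTRY_TYPE:
            raise ValueError(f"unsupported PEM block {label!r}")
        plan.append({"entry_name": entry_name, "entry_type": ENTRY_TYPE[label], "body": body})
    return sorted(plan, key=lambda p: p["entry_type"] != "Key")  # stable sort: keys first

def constructed_pem() -> str:
    """Constructed stand-in for an openssl-style PEM file: certificate block first, key second.
    The DER bodies are tiny hand-made SEQUENCEs of INTEGERs, not cryptographic material."""
    def armor(label: str, der: bytes) -> str:
        b64 = base64.b64encode(der).decode()
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"
    return (armor("CERTIFICATE", b"\x30\x06\x02\x01\x01\x02\x01\x02")
            + armor("PRIVATE KEY", b"\x30\x03\x02\x01\x05"))

if __name__ == "__main__":
    for step in import_plan("wbm-cert", constructed_pem()):
        print(step["entry_type"], step["entry_name"], step["body"])
```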
Parameter Description
Entry Name A new entry name to create by import, or an existing entry name to
overwrite or complete a Key or CSR.
Entry Type Values:
• Key—Imports a key from backup or exported from another
system. To complete the configuration, you will need to import
a certificate into this key.
• Certificate—Imports a certificate from backup or exported from
another machine. The certificate must be imported onto a
matching key or signing request.
• Certificate of Client CA—Imports a Client CA certificate.
Default: Key
Note: In Web Based Management, DefensePro supports the
following three additional options: Intermediate CA Certificate,
Certificate and Key, SSH Public Key.
Passphrase
  (This parameter is available only when the Entry Type is Key.)
  Since Private Keys are the most sensitive parts of PKI data, they must be protected by a
  passphrase. The passphrase should be at least four characters, and Radware recommends
  using stronger passwords than that, based on letters, numbers, and signs.
Verify Passphrase
  (This parameter is available only when the Entry Type is Key.)
  Re-enter the passphrase for verification. The same requirements apply.
Exporting Certificates
Key, certificate, and signing-request export is used for backup, for moving an existing
configuration to another system, or for completing a Certificate Signing Request process. You can
export an entry from the device by copying and pasting its text or by downloading a file. Keys and
certificates are exported in PEM format.
Note: The Radware key is created without a passphrase at system startup, so it can be exported
without a passphrase.
Parameter Description
Entry Name Select the name of the entry to export. By default, the name of the
selected certificate in the Certificates table is displayed.
Entry Type According to the selected entry name, you can export Certificate,
Certificate Chain, Client CA Certificate, Key, or Certificate Signing Request.
Passphrase Required when exporting Keys. Use the passphrase entered when the key
was created or imported. You must enter the key passphrase to validate
that you are authorized to export the key.
Parameter Description
License ID (Read-only) The device software license ID provided to Radware when
requesting the new license.
New License Key The key for the device software license, which allows you to activate
advanced software functionality.
Throughput License ID (Read-only) The device throughput-license ID provided to Radware
when requesting the new throughput license.
Throughput License Key The key for the device throughput license.
Parameter Description
Enable NTP Enables or disables the NTP feature.
Default: Disabled
Note: The NTP Server Address must be configured to enable the NTP
feature.
Server Name The IP address of the NTP server.
L4 Port The NTP server port.
Default: 123
Polling Interval The interval, in seconds, between time query messages sent to the NTP
server.
Default: 64
Time Zone The time-zone offset from GMT (-12:00 to +12:00 hours).
Default: 00:00
Note: When the system clock is manually configured, the system time is changed only when
daylight saving time starts or ends. When daylight saving time is enabled during the daylight saving
time period, the device does not change the system time.
Parameter Description
Enabled Enables or disables daylight saving time.
Default: Disabled
Begins at The start date and time for daylight saving time.
Ends at The end date and time for daylight saving time.
Current Mode Specifies whether the device is on standard time or daylight saving
time.
Caution: Changing the configuration of this feature takes effect only after a device reset.
Caution: The IPv4 and IPv6 option consumes more memory than the IPv4 option. If you select
IPv4 and IPv6, you must perform a memory check before rebooting the device (Configuration
perspective, Setup > Advanced Parameters > Tuning Parameters > Check Available
Memory). When you click Check Available Memory, a message box is displayed, which notifies
you whether there is enough memory on the device, and, if not, how much memory is required. If
there is not enough memory, reduce the memory of modules that you are not using.
DefensePro supports processing of IPv6 packets and ICMPv6 packets, including the following:
• Setting networks with IPv6 addresses
• Applying security policies
• Blocking attacks
• Security reporting
IP Fragmentation
When an IP packet is too long to be transmitted on a link, the originator of the packet, or one of the
routers forwarding it, must fragment the packet into multiple shorter packets.
With IP fragmentation enabled, DefensePro can classify the Layer 4 information of IP fragments. The
device identifies all the fragments that belong to the same datagram, then classifies and forwards them
accordingly. The device does not reassemble the original IP packet; it forwards the fragments to their
destination even if they arrive at the device out of order.
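The following added example (not from this guide, and not DefensePro code) models the classification the paragraph describes in Python: fragments are keyed by source, destination, identification and protocol; the first fragment supplies the TCP/UDP ports; fragments that arrive before their first fragment wait in a queue that is aged out after the Aging Time; nothing is reassembled. The sample datagram, the addresses and the aging value are constructed.

```python
"""Classify the Layer 4 ports of IPv4 fragments without reassembling the datagram.

Added example for this guide, not Radware code. The packets, addresses and
Aging Time below are constructed; header checksums are neither set nor verified.
"""
import ipaddress
import struct


def parse_ipv4(pkt: bytes) -> dict:
    """Extract the fields needed for fragment matching."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_frag = struct.unpack_from("!HHH", pkt, 2)
    return {"src": str(ipaddress.IPv4Address(pkt[12:16])),
            "dst": str(ipaddress.IPv4Address(pkt[16:20])),
            "id": ident, "proto": pkt[9],
            "more": bool(flags_frag & 0x2000),       # MF flag
            "offset": (flags_frag & 0x1FFF) * 8,     # fragment offset in bytes
            "payload": pkt[ihl:total_len]}


def ipv4_fragments(src, dst, ident, proto, payload, chunk=16):
    """Split one datagram into fragments (constructed test data)."""
    if chunk % 8:
        raise ValueError("fragment payload size must be a multiple of 8")
    frags = []
    for off in range(0, len(payload), chunk):
        piece = payload[off:off + chunk]
        flags_frag = (0x2000 if off + chunk < len(payload) else 0) | (off // 8)
        hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(piece), ident, flags_frag, 64,
                          proto, 0, ipaddress.IPv4Address(src).packed,
                          ipaddress.IPv4Address(dst).packed)
        frags.append(hdr + piece)
    return frags


class FragmentClassifier:
    """Forward fragments with their datagram's L4 classification; never reassemble."""

    def __init__(self, aging_time=1.0):
        self.aging_time = aging_time
        self.known = {}    # datagram key -> (sport, dport, time the first fragment was seen)
        self.pending = {}  # datagram key -> [(arrival time, parsed fragment), ...]

    @staticmethod
    def _decision(frag, sport, dport):
        return {"src": frag["src"], "dst": frag["dst"], "id": frag["id"],
                "offset": frag["offset"], "sport": sport, "dport": dport, "action": "forward"}

    def process(self, pkt, now):
        """Return the forwarding decisions this packet releases (none if it must wait)."""
        frag = parse_ipv4(pkt)
        key = (frag["src"], frag["dst"], frag["id"], frag["proto"])
        if frag["offset"] == 0:
            # First fragment: for TCP/UDP the ports are the first four payload bytes.
            if frag["proto"] in (6, 17) and len(frag["payload"]) >= 4:
                sport, dport = struct.unpack_from("!HH", frag["payload"])
            else:
                sport = dport = None
            self.known[key] = (sport, dport, now)
            released = [self._decision(frag, sport, dport)]
            for _, queued in self.pending.pop(key, []):   # out-of-order fragments waiting for this header
                released.append(self._decision(queued, sport, dport))
            return released
        if key in self.known:
            sport, dport, _ = self.known[key]
            return [self._decision(frag, sport, dport)]
        self.pending.setdefault(key, []).append((now, frag))   # arrived before its first fragment
        return []

    def expire(self, now):
        """Drop queued fragments older than Aging Time; return how many were dropped."""
        dropped = 0
        for key in list(self.pending):
            keep = [(t, f) for t, f in self.pending[key] if now - t <= self.aging_time]
            dropped += len(self.pending[key]) - len(keep)
            if keep:
                self.pending[key] = keep
            else:
                del self.pending[key]
        for key in [k for k, v in self.known.items() if now - v[2] > self.aging_time]:
            del self.known[key]
        return dropped


# Constructed sample: a 40-byte UDP datagram (8-byte header + 32 bytes of data) split
# into three fragments carrying 16, 16 and 8 payload bytes.
UDP_DATAGRAM = struct.pack("!HHHH", 53000, 53, 40, 0) + b"A" * 32
SAMPLE_FRAGMENTS = ipv4_fragments("192.0.2.10", "198.51.100.5", 0x1234, 17, UDP_DATAGRAM)


def demo_out_of_order():
    """Deliver the fragments last-first: nothing is forwarded until the first fragment arrives."""
    clf = FragmentClassifier(aging_time=1.0)
    decisions = []
    for index, t in ((2, 0.00), (1, 0.01), (0, 0.02)):
        decisions += clf.process(SAMPLE_FRAGMENTS[index], now=t)
    return decisions
```

Because only the first fragment carries ports, a trailing fragment whose first fragment never arrives (or arrives after the Aging Time) is never classified and is dropped from the queue, which is the trade-off the Queuing Limit and Aging Time parameters below tune.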
Traffic Exclusion
Traffic Exclusion is when DefensePro passes through all traffic that matches no network policy
configured on the device.
In DefensePro 7.x versions, the Traffic Exclusion behavior is always enabled. That is, the device
always passes through all traffic that matches no network policy configured on the device.
Parameter Description
IP Version Mode The IP version that the device supports.
Values:
• IPv4—The device processes IPv4 packets only.
• IPv4 and IPv6—The device processes IPv6 and IPv4 packets.
Caution: The IPv4 and IPv6 option consumes more memory
than the IPv4 option. If you select IPv4 and IPv6, you must
perform a memory check before rebooting the device
(Configuration perspective, Setup > Advanced Parameters >
Tuning Parameters > Check Available Memory). When you
click Check Available Memory, a message box is displayed,
which notifies you whether there is enough memory on the device,
and, if not, how much memory is required. If there is not enough
memory, reduce the memory of modules that you are not using.
Note: If the IPv4 option is selected and IPv6 Network classes are
configured, all IPv6 policies (rules) are automatically disabled.
Policies applied on both IPv4 and IPv6 traffic continue to process
IPv4 traffic only. The IPv6 information remains visible.
Parameter Description
Bypass Jumbo Frames Specifies whether jumbo frames bypass the device.
Values:
• Enabled—Frames of 1577–9216 bytes bypass the device without
any inspection or monitoring.
• Disabled—The device discards frames that are larger than 1576
bytes.
Default: Disabled
Notes:
• Changing the configuration of the option takes effect only after a
device reset.
• When the option is enabled, there is no sampling for Black List
rules.
• When the option is enabled, TCP SYN Protection may not behave
as expected because the third packet in the TCP three-way-
handshake can include data and be in itself a jumbo frame.
• When the option is enabled, some protections that rely on the
DefensePro Session table might produce false-negatives and drop
traffic when all the session traffic bypasses the device in both
directions for a period longer than Session Aging Time.
Parameter Description
Enable IP Fragmentation Specifies whether IP fragmentation is enabled.
Default: Disabled
Queuing Limit The percentage of IP packets the device allocates for out-of-sequence
fragmented IP datagrams.
Values: 0–100
Default: 25
Aging Time The time, in seconds, that the device keeps the fragmented
datagrams in the queue.
Values: 1–255
Default: 1
Note: DefensePro does not support this feature when the Device Operation Mode is IP (see
Configuring the Device Operation Mode for DefensePro, page 156).
You can set the operation mode of a port pair. When the port pair operates in Process mode,
DefensePro inspects the traffic for attacks and applies traffic-sampling policies. When the port pair
operates in Forward mode, DefensePro forwards the traffic to the destination port without any
inspection.
Note: The Port Pair functionality may also be referred to as static forwarding.
Parameter Description
Source Port The source port for received traffic.
Note: The list of ports depends on the platform.
Destination Port The destination port for transmitted traffic.
Note: The list of ports depends on the platform.
Operation The operation mode assigned to a pair of ports.
Values:
• Forward—The traffic is forwarded without any inspection.
• Process—The traffic passes through the CPU and is inspected for attacks,
bandwidth, and so on.
In Port Specifies which port in the pair is designated as the inbound port—the
source or destination port. This setting is used in real-time reports for
inbound and outbound traffic.
Values: Source, Destination
Default: Source
Parameter Description
Enable Interface Grouping Specifies whether the device groups the statuses of the port-pair
interfaces.
When the option is enabled, if one port of a port pair is disconnected,
DefensePro sets the status of the paired port to disconnected also; so,
a remote device connected to the DefensePro device perceives the
same disconnected status.
Typically, the option is enabled when DefensePro is configured
between switches that use link redundancy. Interface grouping is the
only way both switches always perceive the same DefensePro
interfaces status.
Default: Disabled
Note: In this DefensePro version, you can use the following CLI commands to display transceiver
information:
• system hardware transceiver-info all —Displays manufacturer, part number, and serial
number for all ports.
• system hardware transceiver-info port <port number> —Displays detailed
information for the specified port. The information includes: manufacturer, part number,
revision, serial number, date code, temperature, voltage, Tx bias, Tx power, and Rx power.
Parameter Description
Port (Read-only) The index number of the port.
Speed (Read-only) The traffic speed of the port.
Values:
• Auto
• Ethernet
• Fast Ethernet
• GbE
• 10GbE
• 40GbE
• 100GbE
Duplex Mode (Read-only) Specifies whether the port can send and receive at the same time
(Full Duplex) or only in one direction at a time (Half Duplex).
Autonegotiation Status (Read-only) Specifies the autonegotiation status of the hardware.1
Values:
• Auto—There is no transceiver installed in the physical port.
• On—Autonegotiation is ON.
• Off—Autonegotiation is OFF.
Autonegotiation Setting Specifies the autonegotiation configuration for the physical port.1
Values:
• Auto—The Autonegotiation Status value determines whether
autonegotiation is ON or OFF.
• On—Autonegotiation is enabled by the user.
• Off—Autonegotiation is disabled by the user.
Default:
• For fiber GbE transceivers: ON
• For management ports: ON
Caution: You can configure the Autonegotiation Status value even when
there is no transceiver currently installed in the physical port. If you specify
ON and later insert a transceiver that does not support autonegotiation,
DefensePro issues a trap, the Autonegotiation Setting will remain ON but
the behavior will be undetermined. If you specify OFF and later insert a
transceiver that supports only ON, DefensePro issues a trap, the
Autonegotiation Setting will remain OFF but the behavior will be
undetermined.
Notes:
• For fiber GbE transceivers and for management ports, autonegotiation is
configurable. That is, the Autonegotiation Setting determines the
Autonegotiation Status.
• 10GbE, 40GbE, and 100GbE transceivers do not support autonegotiation.
• Copper GbE transceivers (not management ports) only support
autonegotiation.
1 – Autonegotiation refers to the port automatically detecting and configuring the speed and
duplex mode for the interface.
Caution: Before you physically replace a transceiver with a transceiver of another speed,
you must first remove the port from the link aggregation (that is, change the Trunk Name
value of the port to Unattached). If you do not first remove the port from the link
aggregation, the link aggregation will not operate, and APSolute Vision will continue to
display the original speed.
• Before attaching a port to a link aggregation, make sure that the port is not used in any Port Pair
(also referred to as static forwarding), Port Mirroring, or IP Management configuration.
Note: For more information on the Port Pair, Port Mirroring, and IP Management features, see
Configuring Port Pairs for the DefensePro Networking Setup, page 74, Configuring Port Mirroring
in the DefensePro Setup, page 79, and Configuring IP Interface Management in the Networking
Setup, page 81, respectively.
• The failure or replacement of a single link within a link aggregation will not cause failure from
the perspective of a MAC client.
• MAC client traffic can be distributed across multiple links. Therefore, to guarantee the correct
ordering of frames at the receiving-end station, all frames belonging to one session must be
transmitted through the same physical link. The algorithm for assigning frames to a physical
port with link aggregation is based on hashing the Layer 3 destination IP address and the Layer
4 destination port.
• You cannot assign a management port that has a preconfigured IP address to a link aggregation.
If you want to use a management port in a link aggregation, you must first remove the IP
address and only then add it to the link aggregation.
• You cannot copy a port belonging to a link aggregation to another port (copy port).
• When a link aggregation is part of a protected-segment definition, the Operation parameter in
the Port Pairs table must be set to Process mode for both directions of that segment.
• You cannot specify a port within a link aggregation as the source or destination of SSL
inspection.
Parameter Description
Port (Read-only) The physical port index.
Port MAC Address (Read-only) The MAC address assigned to the port.
Trunk Name The trunk (link aggregation) to which the port is attached.
Values:
• Unattached
• T1–T7—The range of values depends on the platform. That is, the number
of trunks that you can configure depends on the device platform.
• T-MNG
Default: Unattached
Port Status (Read-only)
Values:
• Individual—The port is not attached to any trunk.
• Aggregate—The port is attached to a trunk.
Note: The Port Pair feature is available only when the Device Operation Mode is
Transparent. For more information on the features, see Configuring Port Pairs for the
DefensePro Networking Setup, page 74 and Configuring the Device Operation Mode for
DefensePro, page 156.
• When the Device Operation Mode is IP, the Port Mirroring input port (Input Interface) must
be configured with at least one IP address (Configuration perspective, Setup > Networking >
IP Management). For more information on the Device Operation Mode feature, see
Configuring the Device Operation Mode for DefensePro, page 156.
• When the Device Operation Mode changes, DefensePro clears the Port Mirroring table. For
more information on the Device Operation Mode feature, see Configuring the Device
Operation Mode for DefensePro, page 156.
Parameter Description
Input Interface The traffic port.
Output Port The port for the mirrored traffic.
Traffic to Mirror The direction of the traffic that the device mirrors.
Values: Transmit and Receive, Receive Only, Transmit Only
Enable Promiscuous Mode Values:
• Enabled—The device copies all traffic to the specified output port.
• Disabled—The device copies only the traffic destined to the input port.
Default: Enabled
Backup Port The backup port for the mirrored traffic.
Mode The mode of port mirroring.
Values: Enabled, Traffic Rate
Threshold The traffic rate, in PPS or Kbps, that can pass through the specified input
port (Input Interface) before the mirroring process starts.
Note: The Threshold Units parameter and the Threshold Interval
parameter are defined globally for each device and not for each pair of
ports. For more information, see Configuring Advanced Port-Mirroring
Parameters in the DefensePro Setup, page 80.
Parameter Description
Traffic Threshold Units The units in which the Port Mirroring mechanism measures the threshold.
Values:
• PPS—Packets per second
• Kbps—Kilobits per second
Threshold Interval How long, in seconds, mirroring continues after the traffic rate falls below
the specified threshold.
Default: 30
Reset Traffic Rate (button) Click Reset Traffic Rate to set the device to record the traffic that
exceeds the predefined limit within a new Threshold Interval.
To configure an IP interface
1. In the Configuration perspective, select Setup > Networking > IP Management.
2. Do one of the following:
Parameter Description
Network Type (Read-only for management ports) The IP version of the network
interface.
Values: IPv4, IPv6
Default: IPv4
IP Address The IP address of the interface.
Prefix The prefix length that defines the subnet attached to this IP interface.
Values for IPv4: 1–32
Values for IPv6: 1–128
Port The interface identifier.
Values for the x420 platform:
• 1–24—Available only when the Device Operation Mode is IP
• MNG-1—Available only when the Network Type is IPv4
• MNG-2—Available only when the Network Type is IPv4
• LO—Specifies the loopback interface
Note: For information on the Device Operation Mode, see
Configuring the Device Operation Mode for DefensePro, page 156.
VLAN Tag The VLAN tag to be associated with this IP interface. When multiple
VLANs are associated with the same switch port, the switch identifies to
which VLAN to direct incoming traffic from that specific port. VLAN
tagging provides an indication in the Layer 2 header that enables the
switch to make the correct decision.
Label A name for the interface.
Maximum characters: 19
Notes
• When editing a static route, you can modify only the Via Interface and Metric fields.
• The Type field is displayed only in the Static Routes table. It cannot be configured.
Parameter Description
Destination Network The destination network to which the route is defined.
Netmask The network mask of the destination subnet.
Next Hop The IP address of the next hop toward the Destination subnet. (The next
hop always resides on the subnet local to the device.)
Via Interface The local interface or VLAN through which the next hop of this route is
reached. This can be the port name, trunk name, or VLAN ID.
Type (Read-only) This field is displayed in the Static Routes table.
Values:
• Local—The subnet is directly reachable from the device.
• Remote—The subnet is not directly reachable from the device.
Metric The metric value defined or calculated for this route.
Parameter Description
Enable Proxy ARP Specifies whether the device answers ARP queries for a network address that is
not configured on the receiving interface. Proxying ARP requests on behalf of
another host effectively directs all LAN traffic destined for that host to the
proxying host; the captured traffic is then routed to the destination host via
another interface.
Default: Enabled
Enable Sending Trap on ICMP Error Specifies whether DefensePro sends a trap when there is an
ICMP error message.
Default: Enabled
Note: The Internet Control Message Protocol (ICMP) is one of the core
protocols of the Internet Protocol Suite and is used by networked
computers’ operating systems to send error messages—indicating, for
example, that a requested service is not available, or that a host or
router could not be reached.
Note: For more information on the Device Operation Mode, see Configuring the Device Operation
Mode for DefensePro, page 156.
Parameter Description
Network Type Values: IPv4, IPv6
Default: IPv4
Destination Address The IP address of the destination network to which the route is defined.
Prefix Length The prefix length of the destination network.
Values: 0–128
Next Hop IP address of the next hop toward the Destination subnet. (The next hop
always resides on the subnet local to the device.)
Metric The metric value defined or calculated for this route.
Port (Read-only, displayed in the table view) The port for the interface.
Label (Read-only, displayed in the table view) The label for the interface.
Configuring ICMP
Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite
and is used by networked computers’ operating systems to send error messages—indicating, for
instance, that a requested service is not available or that a host or router could not be reached.
Parameter Description
IP Address IP address of the interface.
Destination Address IP destination address for multicast Router Advertisements sent from the
interface.
Values:
• 224.0.0.1—The All Hosts multicast group that contains all systems on
the same network segment
• 255.255.255.255—The limited-broadcast address
Minimum The minimum time, in seconds, between sending unsolicited multicast
Router Advertisements from the interface.
Values: 3–the maximum specified interval
Default: 75% of the maximum specified interval
Maximum The maximum time, in seconds, between multicast Router
Advertisements from the interface.
Values: The minimum specified interval–1800
Lifetime The maximum time, in seconds, that the advertised addresses are
considered valid.
Values: The maximum specified interval–9000
Default: Triple the maximum interval
Advertise this Interface Enables you to advertise the device IP address using ICMP Router
Advertisements.
Preference Level The preference level of the address as the default router address, relative
to other router addresses on the same subnet.
Reset all Parameters to Default Resets the ICMP interface parameters to their default values.
Parameter Description
Port The interface number where the station resides.
IP Address The station’s IP address.
MAC Address The station’s MAC address.
Type The entry type.
Values:
• Other—Not Dynamic or Static.
• Invalid—Invalidates the ARP entry and effectively deletes it.
• Dynamic—The entry was learned from the ARP protocol. If the entry is not
active for a predetermined time, the node is deleted from the table.
• Static—The entry was configured by the network management station
and is permanent.
Parameter Description
Inactive ARP Timeout The time, in seconds, that inactive ARP cache entries can remain in the
ARP table before the device deletes them. If an ARP cache entry is not
refreshed within a specified period, it is assumed that there is a problem
with that address.
Values: 10–86,400
Default: 3,600
Note: For more information on the Device Operation Mode, see Configuring the Device Operation
Mode for DefensePro, page 156.
You can configure GRE tunnels between DefensePro and the Provider Edge (PE) routers for
reinjection of clean traffic. That is, DefensePro can function as a tunnel “head end” for reinjection of
clean traffic.
You configure the tunnel with its IP address, tunnel source address, and tunnel destination address;
the source address can be any relevant IP interface in DefensePro, including its loopback address.
The tunnel addresses at both ends of the tunnel belong to the same IP subnet. When there is an
attack, the BGP announcement specifies the tunnel remote-edge address as the next hop to the
destination (protected object).
In traffic reinjection, the static-route next-hop address on DefensePro to the destination is
configured as the tunnel’s remote-side IP address. DefensePro identifies the next hop interface as a
tunnel and then encapsulates clean packets with the tunnel header. The encapsulated packets are
forwarded by DefensePro according to the tunnel header, using simple IP forwarding to its next-hop
address.
A means for resolving the tunnel next-hop IP interface is required. One option is to configure a static
route to the tunnel destination address in DefensePro.
When an attack is detected and traffic towards a protected host reaches DefensePro, the device
cleans the traffic according to the security settings of the protected object, and then forwards the
traffic encapsulated in a tunnel to the tunnel endpoint, usually the routing element closest to the
protected object. As a result, the inject-to router makes its routing decisions on the tunnel
interface endpoint and not on the destination address.
Note: GRE redundancy can be used only when GRE tunnel is the selected loop-prevention method.
Caution: For DefensePro to support GRE tunnel interfaces, you must enable Inspect
Encapsulated GRE Traffic (Configuration perspective, Setup > Advanced Parameters >
Tunneling Inspection > Inspect Encapsulated GRE Traffic).
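As an added example (not part of this guide, and not how DefensePro is implemented), the following Python builds the outer IPv4 + GRE header (RFC 2784) for a clean packet and resolves its next hop from a static route table the way the text describes: the protected object's route points at the tunnel remote-side address, the packet is encapsulated, and the encapsulated packet is then forwarded by an ordinary lookup of the tunnel destination. The topology, addresses, route table and inner packet are constructed. It also refuses a static route that would send the encapsulated packet back into the tunnel.

```python
"""GRE head-end reinjection: encapsulate clean traffic and resolve the tunnel next hop.

Added example for this guide, not Radware code. Addresses, routes and packets are
constructed; only the Python standard library is used.
"""
import ipaddress
import struct

IPPROTO_GRE = 47
ETHERTYPE_IPV4 = 0x0800


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 1071 ones-complement checksum; verifying a valid header yields 0."""
    if len(hdr) % 2:
        hdr += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """20-byte IPv4 header with DF set and a correct checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


class GreHeadEnd:
    def __init__(self, tunnel_source, tunnel_destination, tunnel_remote_ip, routes):
        """routes maps 'prefix/len' -> next-hop address (stands in for the static-route table)."""
        self.tunnel_source = tunnel_source            # outer source: a DefensePro interface
        self.tunnel_destination = tunnel_destination  # outer destination: the PE router
        self.tunnel_remote_ip = tunnel_remote_ip      # far-end address on the tunnel subnet
        self.routes = sorted(((ipaddress.ip_network(p), nh) for p, nh in routes.items()),
                             key=lambda r: r[0].prefixlen, reverse=True)

    def next_hop(self, dst: str):
        """Longest-prefix match; None when no route exists."""
        addr = ipaddress.ip_address(dst)
        for net, nh in self.routes:
            if addr in net:
                return nh
        return None

    def forward(self, inner: bytes) -> dict:
        inner_dst = str(ipaddress.IPv4Address(inner[16:20]))
        nh = self.next_hop(inner_dst)
        if nh != self.tunnel_remote_ip:
            return {"encapsulated": False, "packet": inner, "next_hop": nh}
        # The route points into the tunnel: wrap the clean packet in IPv4 + GRE.
        gre = struct.pack("!HH", 0, ETHERTYPE_IPV4)   # no C/K/S bits, GRE version 0
        outer = ipv4_header(self.tunnel_source, self.tunnel_destination, IPPROTO_GRE,
                            len(gre) + len(inner))
        physical_nh = self.next_hop(self.tunnel_destination)
        if physical_nh in (None, self.tunnel_remote_ip):
            # Unroutable, or a route that would push the outer packet back into the tunnel.
            raise ValueError("tunnel destination %s is not reachable outside the tunnel"
                             % self.tunnel_destination)
        return {"encapsulated": True, "packet": outer + gre + inner, "next_hop": physical_nh}


def gre_decapsulate(outer: bytes) -> bytes:
    """What the far end does: strip the outer IPv4 + plain RFC 2784 GRE headers."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != IPPROTO_GRE or ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("not a valid GRE-over-IPv4 packet")
    flags_ver, ptype = struct.unpack_from("!HH", outer, ihl)
    if flags_ver != 0 or ptype != ETHERTYPE_IPV4:
        raise ValueError("unsupported GRE header")
    return outer[ihl + 4:]


# Constructed topology: tunnel 10.0.0.1/30 (DefensePro) <-> 10.0.0.2 (PE router at 192.0.2.1).
HEAD_END = GreHeadEnd(
    tunnel_source="172.16.0.10", tunnel_destination="192.0.2.1", tunnel_remote_ip="10.0.0.2",
    routes={"198.51.100.0/24": "10.0.0.2",     # protected object: reinject through the tunnel
            "192.0.2.0/24": "172.16.0.1"},     # how to reach the tunnel destination itself
)
CLEAN_PACKET = ipv4_header("203.0.113.9", "198.51.100.20", 6, 0)   # inner TCP packet, no payload

if __name__ == "__main__":
    result = HEAD_END.forward(CLEAN_PACKET)
    print(result["encapsulated"], result["next_hop"], len(result["packet"]))
```

The second route is the "means for resolving the tunnel next-hop IP interface" the text mentions: without it the head end has nowhere to send the outer packet, and if it pointed at the tunnel's own remote address the packet would be encapsulated again and again.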
Parameter Description
Network Type Values: IPv4, IPv6
Default: IPv4
Tunnel IP Address The IP address of the tunnel.
Prefix Length The prefix length that defines the subnet attached to this IP
interface.
Values: 0–128
Description A description of the tunnel
Parameter Description
Source IP The source IP address (IPv4) for the packets in the primary tunnel.
Destination IP The destination IP address (IPv4) for the packets in the primary
tunnel.
Parameter Description
Source IP The source IP address (IPv4) for the packets in the secondary
tunnel.
Destination IP The destination IP address (IPv4) for the packets in the secondary
tunnel.
Tunnel Redundancy Specifies whether to enable tunnel redundancy for the tunnel.
Tunnel Keepalive Specifies whether to enable tunnel keepalive messages to maintain
tunnel monitoring and selection for the tunnel.
Note: For more information on the Device Operation Mode, see Configuring the Device Operation
Mode for DefensePro, page 156.
The neighbor cache keeps track of the neighbors on the local links with which DefensePro is in
contact. The neighbor cache is the IPv6 parallel of the ARP table. The neighbors are either
dynamically discovered using neighbor-discovery protocol or statically configured.
Parameter Description
Interface Index The interface identifier for neighbor-discovery cache entry.
IP Address The IP address (IPv6) of the neighboring node.
MAC Address The MAC address corresponding to the IPv6 address of the neighboring
node.
Type (Read-only) The type of the Neighbor Cache entry.
Values:
• Dynamic
• Invalid
• Other
• Static
Default: Static
Parameter Description
Admin Status Specifies whether to enable BGP.
Values: enable, disable
Default: disable
Local AS Number The Autonomous System number of the DefensePro device.
Values: 1–65,535
Initial Connection Delay The time, in seconds, to wait at device startup before establishing BGP
connections.
Values: 15–120
Default: 15
BGP Internal Loopback The IP address of the BGP Internal Loopback peer.
Parameter Description
Peer IP Address The IP address of the remote peer.
Peer Default Next Hop The IPv4 address of the default next hop.
IPv6 Next Hop The IPv6 address of the IPv6 next hop.
Admin Status Enables or disables the BGP peer.
Values: Enable, Disable
Default: Enable
Connect Retry Time The interval, in seconds, at which DefensePro tries to re-establish a
BGP connection with the remote peer after a TCP failure event.
Default: 120
Hold Time The hold time, in seconds, for BGP connection establishment. During
the hold time, a peer must receive a KEEPALIVE or an UPDATE
message from the remote peer to consider the BGP connection active.
This value is placed in an OPEN message sent to the peer by the BGP
speaker, and is compared with the Hold Time field in an OPEN message
received from the peer when determining the Hold Time with the peer.
Values:
• 0—DefensePro does not send KEEPALIVE, and DefensePro does
not expect KEEPALIVE messages from remote peer.
• 1– 65,535
Default: 90
Keep-Alive Time The interval, in seconds, at which DefensePro sends KEEPALIVE
messages to the remote peer.
The configured value sets the KEEPALIVE frequency relative to the
configured Hold Time; the actual interval used on the session is
derived from the Hold Time negotiated with the peer.
Values:
• 0—DefensePro does not send KEEPALIVE messages after the BGP
connection has been established.
• 1–65,535
Default: 30
Peer State (Read-only) The state of the peer.
Remote AS (Read-only) The remote AS of the peer.
Last Error (Read-only) The last error code and subcode seen by the peer on the
connection. If no error has occurred, the value for this field is
No error. Otherwise, the first byte of this two-byte octet string
contains the error code, and the second byte contains the subcode.
MD5 Secret The shared secret used for TCP MD5 signature authentication (RFC 2385) of
the session with this peer. The same secret must be configured on the peer.
4-Byte Support Specifies whether AS numbers encoded as a 4-byte entity are
supported.
No-Advertise Specifies whether the BGP-speaking router does not advertise the
route to any peer, internal or external.
No-Export Specifies whether not to advertise to external BGP (eBGP) peers,
keeping the route within the AS.
No-Peer Specifies whether to advertise to peers and constrain prefix
propagation only to transit providers—that is, the prefix is advertised
from AS to AS only if there is a transit/customer relationship.
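To make the Hold Time and Keep-Alive Time rows concrete, here is an added example (not from this guide, not Radware code) of the OPEN exchange and timer negotiation defined in RFC 4271: each side advertises its configured Hold Time in its OPEN message, the smaller value wins, 0 disables KEEPALIVEs, and a peer offering 1 or 2 seconds is rejected. The AS numbers, BGP identifiers and timer values are constructed; the 4-byte AS capability option is not encoded (only the AS_TRANS placeholder in the 2-byte field is shown); and scaling the configured Keep-Alive Time to the negotiated Hold Time by keeping the configured ratio is this example's reading of the parameter description, not a documented DefensePro rule.

```python
"""BGP OPEN exchange and Hold Time / KEEPALIVE negotiation (RFC 4271 section 4.2).

Added example for this guide, not Radware code. AS numbers, identifiers and timers
are constructed. The keepalive scaling rule is an assumption of this example.
"""
import ipaddress
import struct

BGP_MARKER = b"\xff" * 16
BGP_OPEN = 1
AS_TRANS = 23456  # RFC 6793: carried in the 2-byte My AS field when the real AS needs 4 bytes


def build_open(local_as: int, hold_time: int, bgp_id: str) -> bytes:
    """Fixed-size OPEN with no optional parameters (the AS4 capability is not encoded here)."""
    if hold_time != 0 and hold_time < 3:
        raise ValueError("Hold Time must be 0 or at least 3 seconds")
    my_as = local_as if local_as <= 0xFFFF else AS_TRANS
    body = struct.pack("!BHHIB", 4, my_as, hold_time, int(ipaddress.IPv4Address(bgp_id)), 0)
    return BGP_MARKER + struct.pack("!HB", 19 + len(body), BGP_OPEN) + body


def parse_open(msg: bytes) -> dict:
    if msg[:16] != BGP_MARKER:
        raise ValueError("bad marker")
    length, msg_type = struct.unpack_from("!HB", msg, 16)
    if msg_type != BGP_OPEN or length != len(msg) or length < 29:
        raise ValueError("not a well-formed OPEN message")
    version, peer_as, hold, ident, _opt_len = struct.unpack_from("!BHHIB", msg, 19)
    if version != 4:
        raise ValueError("unsupported BGP version %d" % version)
    if hold in (1, 2):
        # RFC 4271 4.2: unacceptable; a real speaker answers with a NOTIFICATION and closes.
        raise ValueError("peer offered an unacceptable Hold Time of %d" % hold)
    return {"as": peer_as, "hold_time": hold, "bgp_id": str(ipaddress.IPv4Address(ident))}


def negotiate_timers(local_hold: int, local_keepalive: int, peer_hold: int) -> dict:
    """Negotiated Hold Time is the smaller of the two OPEN values; 0 switches keepalives off."""
    hold = min(local_hold, peer_hold)
    if hold == 0 or local_keepalive == 0:
        return {"hold_time": hold, "keepalive": 0}
    # Assumption: keep the configured keepalive:hold ratio, and never reach the hold time itself.
    keepalive = max(1, min(hold - 1, local_keepalive * hold // local_hold))
    return {"hold_time": hold, "keepalive": keepalive}


def hold_timer_expired(last_received: float, now: float, hold_time: int) -> bool:
    """True when no KEEPALIVE or UPDATE arrived within the negotiated Hold Time (never for 0)."""
    return hold_time != 0 and now - last_received > hold_time


def demo_session() -> dict:
    """Constructed exchange: local side (AS 64512, Hold 90, Keep-Alive 30) <-> peer (AS 65000, Hold 60)."""
    local_open = build_open(64512, 90, "10.0.0.1")
    peer = parse_open(build_open(65000, 60, "10.0.0.2"))
    timers = negotiate_timers(90, 30, peer["hold_time"])
    return {"local_open_len": len(local_open), "peer": peer, "timers": timers}


if __name__ == "__main__":
    print(demo_session())
```

The asymmetry matters operationally: if the peer is configured with a shorter Hold Time than DefensePro, that shorter value governs both directions, and a Keep-Alive Time that was comfortable against the local Hold Time may leave too little margin against the negotiated one.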
Parameter Description
IP Address The IP address of the peer.
Network Type Values: IPv4, IPv6
Default: IPv4
Destination Network The IP address of the destination network.
Destination Prefix The prefix length of the destination network.
Values: 1–32
Default: 16
Status Enables or disables the route.
Values: Enable, Disable
Default: Enable
Parameter Description
Enable DNS Client Specifies whether the DefensePro device operates as a DNS client
to resolve IP addresses.
Values: Enable, Disable
Default: Disable
Primary DNS Server The IP address of the primary DNS server to which DefensePro
sends queries.
Alternative DNS Server The IP address of the alternative DNS to which DefensePro sends
queries.
Static DNS Table
The static DNS hosts.
Parameter Description
Enable Web Access Specifies whether to enable HTTP access to DefensePro.
Default: Disabled
L4 Port The port to which WBM is assigned.
Default: 80
Web Help URL The location (path) of the Web help files.
Parameter Description
Enable Secured Web Access Specifies whether to enable HTTPS access to DefensePro.
Default: Disabled
Caution: This checkbox must be selected to enable full
communication between APSolute Vision and DefensePro.
L4 Port The port through which HTTPS gets requests.
Default: 443
Certificate The SSL certificate used by the HTTPS server for encryption.
Caution: For security reasons, Radware advises replacing the out-
of-the-box certificate issued by Radware with a certificate issued
by a Certificate Authority (CA) of your choice.
Caution: Changing the certificate requires a reboot to take effect.
Parameter Description
Enable Telnet Specifies whether to enable Telnet access to DefensePro.
Default: Disabled
Note: Telnet carries the credentials and the entire management session in
cleartext. Leave it disabled and use SSH for CLI access.
L4 Port The TCP port used by the Telnet.
Default: 23
Session Timeout The time, in minutes, that DefensePro maintains a connection during
periods of inactivity. If the session is still inactive when the
predefined period ends, the session terminates.
Values: 1–120
Default: 5
Note: To avoid affecting device performance, the timeout is
checked every 10 seconds. Therefore, the actual timeout can be up
to 10 seconds longer than the configured time.
Authentication Timeout The timeout, in seconds, required to complete the authentication
process.
Values: 10–60
Default: 30
Parameter Description
Enable SSH Specifies whether to enable SSH access to DefensePro.
Default: Disabled
L4 Port The TCP port on which the SSH server listens.
Default: 22
Session Timeout The time, in minutes, that DefensePro maintains a connection during
periods of inactivity. If the session is still inactive when the
predefined period ends, the session terminates.
Values: 1–120
Default: 5
Note: To avoid affecting device performance, the timeout is
checked every 10 seconds. Therefore, the actual timeout can be up
to 10 seconds longer than the configured time.
Authentication Timeout The timeout, in seconds, required to complete the authentication
process.
Values: 10–60
Default: 10
Parameter Description
Enable Web Services Specifies whether to enable access to Web services.
Default: Enabled
Parameter Description
Port (Read-only) The name of the physical port.
SNMP Access When selected, allows access to the port using SNMP.
Telnet Access When selected, allows access to the port using Telnet.
SSH Access When selected, allows access to the port using SSH.
Web Access When selected, allows access to the port using WBM.
SSL Access When selected, allows access to the port using SSL.
Notes
• The default Authentication Mode is Local User Table—without RADIUS. To modify the
configuration, in the Configuration perspective Device Security tab navigation pane, select
Users Table. Then, in the Advanced Parameters tab, from the Authentication Mode drop-down
list, select the option you require, and click Submit.
• The DefensePro devices must have access to the RADIUS server and must allow device access.
Parameter Description
Timeout The length of time the device waits for a reply from the RADIUS
server before a retry, or, if the Retries value is exceeded, before
the device acknowledges that the server is offline.
Default: 1
Retries The number of connection retries to the RADIUS server, after the
RADIUS server does not respond to the first connection attempt.
After the specified number of Retries, if all connection attempts
have failed (Timeout), the backup RADIUS server is used.
Default: 2
Client Lifetime The duration, in seconds, of client authentication. If the client logs
in again during the lifetime, DefensePro will not re-authenticate
the client with the RADIUS server. If the client logs in again after
the lifetime expires, DefensePro re-authenticates the client.
Default: 30
Parameter Description
L4 Port The access port number of the primary RADIUS server.
Values: 1645, 1812
Default: 1645
Secret The authentication password for the primary RADIUS server.
Maximum characters: 100
Note: When DefensePro stores the Secret, it is encrypted.
Therefore, the length of the Secret in the configuration file is
longer than the number of characters that you configured.
Verify Secret When defining the password, reenter it for verification.
Server IP Address Type Values: IPv4, IPv6
Server IP Address The IP address of the primary RADIUS server.
Parameter Description
L4 Port The access port number of the backup RADIUS server.
Values: 1645, 1812
Default: 1645
Secret The authentication password for the backup RADIUS server.
Maximum characters: 100
Note: When DefensePro stores the Secret, it is encrypted.
Therefore, the length of the Secret in the configuration file is
longer than the number of characters that you configured.
Verify Secret When defining the password, reenter it for verification.
Server IP Address Type Values: IPv4, IPv6
Server IP Address The IP address of the backup RADIUS server.
Notes
• The default Authentication Mode is Local User Table—without TACACS+. To modify the
configuration, in the Configuration perspective Device Security tab navigation pane, select
Users Table. Then, in the Advanced Parameters tab, from the Authentication Mode drop-down
list, select the option you require, and click Submit.
• The DefensePro devices must have access to the TACACS+ server and must allow device access.
Parameter Description
Server IP Address The IP address of the primary TACACS+ server.
L4 Port The access port number of the primary TACACS+ server.
Values: 1–65,000
Default: 49
Secret The authentication password for the primary TACACS+ server.
Maximum characters: 64
Note: When DefensePro stores the Secret, it is encrypted.
Therefore, the length of the Secret in the configuration file is
longer than the number of characters that you configured.
Verify Secret Reenter the authentication password for the primary TACACS+ server for verification.
Parameter Description
Server IP Address The IP address of the backup TACACS+ server.
L4 Port The access port number of the backup TACACS+ server.
Values: 1–65,000
Default: 49
Secret The authentication password for the backup TACACS+ server.
Maximum characters: 64
Note: When DefensePro stores the Secret, it is encrypted.
Therefore, the length of the Secret in the configuration file is
longer than the number of characters that you configured.
Verify Secret Reenter the authentication password for the backup TACACS+ server for verification.
Parameter Description
Timeout The time, in seconds, that the device waits for a reply from the
TACACS+ server before a retry, or, if the Retries value is
exceeded, before the device acknowledges that the server is
offline.
Values: 1–10
Default: 1
Retries The number of connection retries to the TACACS+ server, after the
TACACS+ server does not respond to the first connection attempt.
After the specified number of Retries, if all connection attempts
have failed (Timeout), the backup TACACS+ server is used.
Values: 1, 2, 3
Default: 2
Client Lifetime The duration, in seconds, of client authentication. If the client logs
in again during the lifetime, DefensePro will not re-authenticate
the client with the TACACS+ server. If the client logs in again after
the lifetime expires, DefensePro re-authenticates the client.
Default: 30
Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at the
APSolute Vision are discarded.
Note: When you add a Radware device to APSolute Vision using SNMPv3, the username and
authentication details must match one of the users configured on the device.
The following topics describe the procedures to configure SNMP on a selected device:
• Configuring SNMP Supported Versions, page 100
• Configuring DefensePro SNMP Users, page 100
• Configuring SNMP Community Settings, page 102
Parameter Description
Supported SNMP Versions The currently supported SNMP versions.
Supported SNMP Versions after Reset The SNMP versions supported by the SNMP agent after resetting the
device. Select the SNMP version to support. Clear the versions that are not supported.
Note: For general information on the SNMP Group Table, see Configuring the SNMP Group
Table, page 103.
8. In the Configuration perspective, select Setup > Device Security > SNMP > Access.
9. Do the following:
a. Verify that there is a row in the table with the following values:
• Group Name is initial.
• Security Model is User Based.
• Security Level is Authentication and Privacy.
• Read View Name is iso.
• Write View Name is iso.
b. If any of the verification criteria in step a is false, add an entry accordingly, and then click
Submit.
Note: For general information on the Access configuration, see Configuring SNMP Access
Settings, page 104.
Parameter Description
User Name The username, also known as a security name.
Maximum characters: 18
Authentication Protocol The protocol used during the authentication process.
The option that you select must match the configuration in the Device
Properties dialog box (see Table 65 - Device Properties: SNMP
Parameters, page 8). For example, if Authentication Protocol is
MD5 in the device properties, the option here must be MD5—and, if
Authentication Protocol is SHA in the device properties, the option
here must be SHA.
Values:
• MD5
• SHA
Default: None
Caution: None is not a valid value.
Authentication Password The authentication password.
Privacy Protocol The algorithm used for encryption.
Values:
• DES—The device uses Data Encryption Standard.
• AES—The device uses Advanced Encryption Standard.
Default: None
Caution: None is not a valid value.
Privacy Password The user privacy password.
Note: You cannot change the community string associated with the username that you are
currently using.
Parameter Description
Index A descriptive name for this entry. This name cannot be modified after
creation.
Default: public
Community Name The community string.
Default: public
Security Name The security name identifies the SNMP community used when the
notification is generated.
Default: public
Transport Tag Specifies a set of target addresses from which the SNMP agent accepts SNMP
requests and to which traps can be sent. The target addresses identified by
this tag are defined in the SNMP Target Addresses table. At least one entry
in the SNMP Target Addresses table must include the specified transport tag.
If no tag is specified, addresses are not checked when an SNMP request is
received or when a trap is sent.
Parameter Description
Group Name The name of the SNMP group.
Security Model The SNMP version that represents the required security model. Security
models are predefined sets of permissions that can be used by the groups.
These sets are defined according to the SNMP versions. By selecting the SNMP
version for this parameter, you determine the permissions set to be used.
Values:
• SNMPv1
• SNMPv2c
• User Based (SNMPv3)
Default: SNMPv1
Security Name If the User Based security model is used, the security name identifies the user
that is used when the notification is generated. For other security models, the
security name identifies the SNMP community used when the notification is
generated.
Parameter Description
Group Name The name of the group.
Security Model Security models are predefined sets of permissions that can be used by
the groups. These sets are defined according to the SNMP versions.
Select the SNMP version that represents the required Security Model to
determine the permissions set to be used.
Values:
• SNMPv1
• SNMPv2c
• User Based—That is, SNMPv3
Default: SNMPv1
Security Level The security level required for access.
Values:
• No Authentication—No authentication or privacy are required.
• Authentication and No Privacy—Authentication is required, but
privacy is not required.
• Authentication and Privacy—Both authentication and privacy are
required.
Default: No Authentication
Read View Name The name of the View that specifies which objects in the MIB tree are
readable by this group.
Write View Name The name of the View that specifies which objects in the MIB tree are
writable by this group.
Notify View Name The name of the View that specifies which objects in the MIB tree can be
accessed in notifications (traps) by this group.
Parameter Description
Name A descriptive name for this entry, for example, the type of notification.
Tag A string that defines the target addresses that are sent this notification. All
the target addresses that have this tag in their tag list are sent this
notification.
Parameter Description
View Name The name of this entry.
Sub-Tree The Object ID of a subtree of the MIB.
Type Specifies whether the object defined in the entry is included or excluded in the
MIB view.
Values: Included, Excluded
Default: Included
Parameter Description
Name The name of the target parameters entry.
Maximum characters: 32
Message Processing Model The SNMP version to use when generating SNMP notifications.
Values: SNMPv1, SNMPv2c, SNMPv3
Default: SNMPv1
Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c
traps that arrive at the APSolute Vision are discarded.
Security Model The SNMP version that represents the required Security Model.
Security models are predefined sets of permissions that can be used by the
groups. These sets are defined according to the SNMP versions. By selecting
the SNMP version for this parameter, you determine the permissions set to
be used.
Values:
• SNMPv1
• SNMPv2c
• User Based—That is, SNMPv3
Default: SNMPv1
Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c
traps that arrive at the APSolute Vision are discarded.
Security Name If the User Based security model is used, the security name identifies the
user that is used when the notification is generated. For other security
models, the security name identifies the SNMP community used when the
notification is generated.
Security Level Specifies whether the trap is authenticated and encrypted before it is sent.
Values:
• No Authentication—No authentication or privacy are required.
• Authentication and No Privacy—Authentication is required, but privacy
is not required.
• Authentication and Privacy—Both authentication and privacy are
required.
Default: No Authentication
Parameter Description
Name The name of the target address entry.
IP Address and L4 Port [IP-port number] The IP address of the management station (APSolute Vision server)
and TCP port to be used as the target of SNMP traps. The format of the
values is <IP address>-<TCP port>, where <TCP port> must be
162. For example, if the value for IP Address and L4 Port is 1.2.3.4-162,
1.2.3.4 is the IP address of the APSolute Vision server and 162 is
the port number for SNMP traps.
Note: APSolute Vision listens for traps only on port 162.
Mask A subnet mask of the management station.
Tag List Specifies sets of target addresses. Tags are separated by spaces. The
tags contained in the list may be either tags from the Notify table or
Transport tags from the Community table.
Each tag can appear in more than one tag list. When a significant event
occurs on the network device, the tag list identifies the targets to which
a notification is sent.
Default: v3Traps
Target Parameters Name The set of target parameters to be used when sending SNMP traps.
Target parameters are defined in the Target Parameters table.
Send Security-Event Traps Specifies whether DefensePro sends security-event traps to the target
address. Security events include all events related to attack detection
and mitigation: start, ongoing, occurred, sampled, and terminated.
Default: Enabled
Send Health-Event Traps Specifies whether DefensePro sends device-health–event traps to the
target address. Device-health events include all events related to
device health, for example, temperature, fan failure, CPU, tables,
resources, and so on.
Default: Enabled
Send Audit-Event Traps Specifies whether DefensePro sends audit-event traps to the target
address. Audit events include all events related to user operations, for
example, login attempts and configuration changes.
Default: Enabled
Parameter Description
User Name The name of the user.
Password The password of the user. Then, repeat to verify.
Email Address The e-mail address of the user to which notifications will be sent.
Minimal Severity for Sending Traps The minimum severity level of traps sent to this user.
Values:
• None—The user receives no traps.
• Info—The user receives traps with severity info or higher.
• Warning—The user receives Warning, Error, and Fatal traps.
• Error—The user receives Error and Fatal traps.
• Fatal—The user receives Fatal traps only.
Default: None
Enable Configuration Tracing When selected, the specified user receives notifications of
configuration changes made in the device.
Every time the value of a configurable variable changes, information
about all the variables in the same MIB entry is reported to the
specified users. The device gathers reports and sends them in a
single notification message when the buffer is full or when the
timeout of 60 seconds expires.
The notification message contains the following details:
• Name of the MIB variable that was changed.
• New value of the variable.
• Time of configuration change.
• Configuration tool that was used (APSolute Vision, Telnet, SSH,
WBM).
• User name, when applicable.
Access Level The user’s level of access to the WBM and CLI.
Default: Read-Write
Parameter Description
Authentication Mode The method of authenticating a user’s access to the device.
Values:
• Local User Table—The device uses the User Table to authenticate
access.
• RADIUS and Local User Table—The device uses the RADIUS
servers to authenticate access. If the request to the RADIUS
server times out, the device uses the User Table to authenticate
access.
• TACACS+ and Local User Table—The device uses the TACACS+
servers to authenticate access. If the request to the TACACS+
server times out, the device uses the User Table to authenticate
access.
Default: Local User Table
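The RADIUS and TACACS+ Timeout, Retries, backup-server and Client Lifetime parameters described above, together with the Authentication Mode fallback to the Local User Table, as an added Python simulation. This is not Radware code: the AuthServer, ExternalAuth and login names, the simulated clock, and the choice to cache only successful logins for the Client Lifetime are assumptions.

```python
"""Simulation of DefensePro external-authentication settings (Timeout, Retries,
backup server, Client Lifetime) and the Authentication Mode fallback rules.
Added example; the exact device behaviour modelled here is an assumption."""
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AuthServer:
    """Constructed stand-in for a RADIUS or TACACS+ server.
    reachable=False models a server that never answers (each attempt costs one Timeout)."""
    name: str
    users: dict
    reachable: bool = True
    queries: int = 0

    def respond(self, user: str, password: str) -> Optional[bool]:
        self.queries += 1
        if not self.reachable:
            return None            # no reply: the device waits Timeout seconds
        return self.users.get(user) == password

@dataclass
class ExternalAuth:
    primary: AuthServer
    backup: AuthServer
    timeout: int = 1           # seconds per attempt (page default: 1)
    retries: int = 2           # retries after the first attempt (page default: 2)
    client_lifetime: int = 30  # seconds a login stays valid (page default: 30)
    cache: dict = field(default_factory=dict)  # user -> time of last success

    def _query(self, server: AuthServer, user: str, password: str):
        """Return (verdict, seconds spent); verdict None means server offline."""
        spent = 0
        for _ in range(1 + self.retries):   # first attempt plus Retries
            verdict = server.respond(user, password)
            if verdict is not None:
                return verdict, spent
            spent += self.timeout           # each unanswered attempt costs Timeout
        return None, spent                  # all attempts failed: server is offline

    def authenticate(self, user: str, password: str, now: int):
        """Return (verdict, source, seconds spent).
        verdict None means both servers were offline (the request timed out)."""
        # Assumption: only successful logins are cached for Client Lifetime.
        last = self.cache.get(user)
        if last is not None and now - last < self.client_lifetime:
            return True, "cache", 0         # no server contact during the lifetime
        total = 0
        for server in (self.primary, self.backup):  # backup used after primary fails
            verdict, spent = self._query(server, user, password)
            total += spent
            if verdict is not None:
                if verdict:
                    self.cache[user] = now
                return verdict, server.name, total
        return None, "none", total

def login(mode: str, external: ExternalAuth, local_users: dict,
          user: str, password: str, now: int):
    """Apply the Authentication Mode rules. Returns (accepted, source).
    With 'RADIUS and Local User Table' or 'TACACS+ and Local User Table' the
    Local User Table is consulted only when the external request times out,
    not when the external server explicitly rejects the user."""
    if mode != "Local User Table":
        verdict, source, _ = external.authenticate(user, password, now)
        if verdict is not None:
            return verdict, source
    return local_users.get(user) == password, "Local User Table"
```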
Note: After a protection feature is enabled on a device, the device requires a reboot. However, you
need to reboot only once after enabling features within the same navigation branch.
Parameter Description
Enable Application Security Protection Specifies whether DefensePro uses Application Security
Protection.
If the protection is disabled, enable it before setting up the
protection profiles.
Caution: Changing the setting of this parameter requires a
reboot to take effect.
Reassemble Fragmented TCP Packets Specifies whether DefensePro tries to reassemble fragmented
TCP packets.
Default: Enabled
Encoding The encoding (the language and character set) to use for
detecting security events.
Enable Session Drop Mechanism Specifies whether DefensePro drops all session packets when a
signature was detected in one of the session packets.
Security Tracking Tables Free-Up Frequency How often, in milliseconds, the device clears unnecessary
entries from the table, and stores information about newly
detected security events.
Values: 0–65,535
Default: 1250
Notes
• DoS Shield protection is enabled by default.
• This feature is also supported on management interfaces.
DoS Shield profiles prevent the following:
• Known TCP, UDP, and ICMP floods
• Known attack tools available over the Internet
• Known floods created by bots, which are automated attacks
DoS Shield protection uses signatures from the Radware Signatures database. This database is
continuously updated and protects against all known threats.
Radware Signature profiles include all DoS Shield signatures as part of the signature database and
Radware predefined profiles that already include DoS Shield protection. To create a profile that
includes DoS Shield protection, you configure a profile with the Threat Type attribute set to
Floods.
Radware also supplies a predefined profile, the All-DoS-Shield profile, which provides protection
against all known DoS attacks. The All-DoS-Shield profile is applied when a DoS-only solution is
required. Note that if the DoS Shield Radware-defined profile is applied, you cannot apply other
Signature profiles in the same security policy.
To prevent denial of service, DoS Shield samples traffic flowing through the device and limits the
bandwidth of traffic recognized as a DoS attack with predefined actions.
Most networks can tolerate sporadic attacks that consume negligible amounts of bandwidth. Such
attacks do not require any counteraction. An attack becomes a threat to the network when it starts
to consume large amounts of the network’s bandwidth. DoS Shield detects such events using an
advanced sampling algorithm for optimized performance, acting automatically to solve the problem.
The DoS Shield considers two protection states:
• Dormant state—Indicates that the sampling mechanism is used for recognition prior to active
intervention. A protection in Dormant state becomes active only if the number of packets
entering the network exceeds the predefined limit.
• Active state—Indicates that the action is implemented on each packet matching the Attack
Signature, without sampling.
DoS Shield counts packets matching Dormant and Active states. Samples of the traffic are compared
with the list of protections in Dormant state. When a specified number of packets is reached, the
status of the protection changes to Active.
The DoS Shield module uses two processes working in parallel. One process statistically monitors
traffic to check if any dormant protection has become active. Then, when DoS Shield detects the
protection as active, the module compares each packet that passes through the device to the list of
Currently Active Protections. The module compares some of the packets that do not match the
Active signature with the Dormant protections list. The module forwards the rest of the packets to
the network without inspection.
Parameter Description
Enable DoS Shield Specifies whether the DoS Shield feature is enabled.
Note: If the protection is disabled, enable it before configuring the
protection profiles.
Sampling Time How often, in seconds, DoS Shield compares the predefined thresholds
for each dormant attack to the current value of packet counters
matching the attack.
Values: 1–15
Default: 5
Note: If the sampling time is very short, there are frequent
comparisons of counters to thresholds, so regular traffic bursts might
be considered attacks. If the sampling time is too long, the DoS Shield
mechanism cannot detect real attacks quickly enough.
Packet Sampling Ratio The packet-sampling rate. For example, if the specified value is 5001,
the DoS Shield mechanism checks 1 out of 5001 packets.
Values: 1–50,000
Default: 5001
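The Dormant/Active transition driven by Sampling Time and Packet Sampling Ratio, as an added Python simulation. This is not Radware code: the Protection and DoSShield classes, the per-protection activation threshold, the constructed packet trace, and evaluating the counters on the first packet after a Sampling Time window has elapsed are all assumptions.

```python
"""Simulation of the DoS Shield Dormant/Active mechanism (added example, not
Radware code; classes, thresholds and evaluation timing are assumptions)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Protection:
    name: str
    threshold: int          # sampled matches per Sampling Time that activate it (assumed)
    state: str = "dormant"  # "dormant" or "active"

@dataclass
class DoSShield:
    protections: Dict[str, Protection]
    sampling_time: int = 5        # seconds between threshold comparisons (page default: 5)
    sampling_ratio: int = 5001    # 1 out of N packets is sampled (page default: 5001)
    seen: int = 0                 # packets that went through the sampling path
    window_start: float = 0.0
    counts: Counter = field(default_factory=Counter)
    activations: List[Tuple[float, str]] = field(default_factory=list)

    def evaluate(self, now: float) -> None:
        """Compare each dormant protection's sampled counter to its threshold.
        Assumption: runs on the first packet after Sampling Time has elapsed."""
        for name, count in self.counts.items():
            prot = self.protections[name]
            if prot.state == "dormant" and count >= prot.threshold:
                prot.state = "active"
                self.activations.append((now, name))
        self.counts.clear()
        self.window_start = now

    def process(self, now: float, signature: Optional[str]) -> str:
        """Handle one packet; `signature` is the protection it matches, or None
        for clean traffic. Returns "drop" (action applied) or "forward"."""
        if now - self.window_start >= self.sampling_time:
            self.evaluate(now)
        prot = self.protections.get(signature)
        # Active protections are applied to every matching packet, no sampling.
        if prot is not None and prot.state == "active":
            return "drop"
        # Everything else: only 1 in sampling_ratio packets is compared with the
        # Dormant list; the rest are forwarded without inspection.
        self.seen += 1
        if self.seen % self.sampling_ratio == 0 and prot is not None:
            self.counts[signature] += 1
        return "forward"

def simulate(sampling_ratio: int = 10, threshold: int = 3):
    """Constructed trace: 100 packets matching a dormant protection inside one
    second, then mixed traffic once the 5-second Sampling Time has elapsed."""
    shield = DoSShield({"syn-flood": Protection("syn-flood", threshold)},
                       sampling_time=5, sampling_ratio=sampling_ratio)
    results: Counter = Counter()
    for i in range(100):
        results[shield.process(i / 100, "syn-flood")] += 1
    for i in range(20):
        results[shield.process(5 + i / 10, "syn-flood" if i % 2 == 0 else None)] += 1
    return shield, results
```

With a 1-in-10 ratio the burst yields 10 samples, the protection turns Active at the 5-second mark and every later matching packet is dropped; with the page default of 1 in 5001 the same 100-packet burst is never sampled at all, which is the trade-off the Sampling Time note describes.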
The main advantage of BDoS Protection is the ability to detect statistical traffic anomalies and
generate an accurate DoS-attack footprint based on a heuristic protocol information analysis. This
ensures accurate attack filtering with minimal risk of false positives. The default average time for a
new signature creation is between 10 and 18 seconds. This is a relatively short time, because flood
attacks can last for minutes and sometimes hours.
Notes
• In DefensePro 8.x versions, this feature is not supported on management interfaces.
• In DefensePro 6.x and 7.x versions, this feature is also supported on management interfaces.
• DefensePro 7.x versions, which run on the x420 platform, can handle up to 32 BDoS attacks in
the DME. Beyond this number of attacks, DefensePro handles attacks in software, according to
the internal hardware instances.
Parameter Description
Enable BDoS Protection Specifies whether BDoS Protection is enabled.
Caution: Changing the setting of this parameter requires a
reboot to take effect.
Parameter Description
Learning Response Period The initial period from which baselines are primarily weighted.
The default and recommended learning response period is one
week.
If traffic rates legitimately fluctuate (for example, TCP or UDP
traffic baselines change more than 50% daily), set the learning
response to one month. Use a one-day period for testing
purposes only.
Values: Day, Week, Month
Default: Week
Enable Traffic Statistics Sampling Specifies whether the BDoS module uses traffic-statistics
sampling during the creation phase of the BDoS footprint. When
the parameter is enabled, and the BDoS module is trying to
generate a real-time signature and there is a high rate of traffic,
the device evaluates only a portion of the traffic. The BDoS
module tunes the sampling factor automatically, according to the
traffic rate. The BDoS module screens all traffic at low traffic
rates (below 100K PPS) and only a portion of the traffic at higher
rates (above 100K PPS).
Default: Enabled
Note: For best performance, Radware recommends that the
parameter be Enabled.
Footprint Strictness When the Behavioral DoS module detects a new attack, the
module generates an attack footprint to block the attack traffic.
If the Behavioral DoS module is unable to generate a footprint
that meets the footprint-strictness condition, the module issues
a notification for the attack but does not block it. The higher the
strictness, the more accurate the footprint. However, higher
strictness increases the probability that the device cannot
generate a footprint.
Values:
• High—Requires at least two Boolean AND operators and no
other Boolean OR value in the footprint. This level lowers the
probability for false positives but increases the probability for
false negatives.
• Medium—Requires at least one Boolean AND operator and
no more than two additional Boolean OR values in the
footprint.
• Low—Allows any footprint suggested by the Behavioral DoS
module. This level achieves the best attack blocking, but
increases the probability of false positives.
Default: Low
Notes:
• DefensePro always considers the checksum field and the
sequence number fields as High Footprint Strictness fields.
Therefore, a footprint with only a checksum or sequence
number is always considered as High Footprint Strictness.
• Table 76 - Footprint Strictness Examples, page 117, shows
examples of footprint strictness requirements.
These settings affect periodic attack behavior. The settings are used to effectively detect and block
these attack types.
Duration of Non-attack Traffic in Blocking State The time, in seconds, at which the degree of attack falls below and
stays below the hard-coded threshold in the Blocking state. When the
time elapses, DefensePro declares the attack to be terminated.
Values: 45–300
Default: 45
Duration of Non-attack Traffic in Anomaly or Non-Strictness State The time, in seconds, at which the degree of attack falls below and
stays below the hard-coded threshold in the Anomaly state or the
Non-strictness state. When the time elapses, DefensePro declares the
attack to be terminated.
Values: 45–300
Default: 45
Learning Suppression Threshold The percentage of the specified bandwidth below which DefensePro
suppresses BDoS-baseline learning.
The Learning Suppression Threshold feature helps preserve a good
BDoS-baseline value in scenarios where, at times, DefensePro
handles very little traffic.
There are two typical scenarios where, at times, DefensePro handles
very little traffic:
• Out-of-path deployments—In an out-of-path deployment, traffic is diverted through
DefensePro only for mitigation. During an attack, the traffic is diverted and routed through
DefensePro. During peacetime, no traffic passes through DefensePro (except
for maintenance messages). When no traffic is diverted to
DefensePro, the BDoS learning must be suppressed to prevent
extremely low values affecting the baseline and ultimately
increasing the susceptibility to false positives.
• Environments where traffic rates change dramatically throughout
the day.
The specified bandwidth refers to the Outbound Traffic and
Inbound Traffic parameters under the Network Protection tab,
BDoS Profiles > Outbound Traffic|Inbound Traffic.
The Learning Suppression Threshold applies to all BDoS profiles
and controllers, but DefensePro calculates the threshold per Network
Protection policy and specified Direction (Network Protection tab,
Network Protection Policy > Direction). For One Way policies, the
Learning Suppression Threshold considers the inbound bandwidth.
DefensePro treats Two Way policies as two policies, so the Learning
Suppression Threshold calculates the bandwidth for each policy
(inbound/outbound).
Values:
• 0—Specifies that BDoS profiles use no Learning Suppression
Threshold.
• 1–50
Default: 0
Always Include Destination IP Address in Footprints Specifies whether DefensePro always includes the destination–IP-
address field in BDoS footprints. Enabling this option is intended for
advanced users with specific cases. Typically, this option is for
managed security-service providers (MSSPs) who need to distinguish
between attacks targeting separate customers within the same BDoS
policy.
Default: Disabled
Caution: Enabling this option entails certain risks. One risk is that
if for some reason the destination–IP-address fields cannot be part
of the footprint, DefensePro enters the Anomaly state and forwards
the traffic through the device without further processing.
Note: When this option is enabled, the Footprint Strictness
calculation ignores the destination–IP-address field.
Reset BDoS Baseline Click to reset the BDoS baseline. Then, select whether to reset the
baseline for all Network Protection policies that contain a BDoS
profile, or for a specific Network Protection policy that contains a
BDoS profile; and then, click Submit.
Resetting baseline-learned statistics clears the baseline traffic
statistics and resets default normal baselines. Reset the baseline
statistics only when the characteristics of the protected network have
changed entirely and bandwidth quotas need to be changed to
accommodate the network changes.
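The Footprint Strictness rules described above (at least two ANDs and no OR for High, at least one AND and at most two OR values for Medium, checksum and sequence-number fields always High, and the destination-IP field ignored when Always Include Destination IP Address in Footprints is enabled), as an added Python classifier. This is not Radware code: the footprint representation as a field-to-values mapping and the header-field names used in it are assumptions.

```python
"""Footprint Strictness check for BDoS footprints (added example; the
footprint representation and header-field names are assumptions)."""
from typing import Dict, List

LEVELS = {"Low": 0, "Medium": 1, "High": 2}

# Page note: checksum and sequence-number fields are always treated as High
# Footprint Strictness fields, so a footprint made only of them is High.
ALWAYS_HIGH_FIELDS = {"checksum", "sequence-number"}

def footprint_strictness(footprint: Dict[str, List[str]],
                         always_include_dst_ip: bool = False) -> str:
    """Return the strictness level ("High", "Medium" or "Low") a footprint achieves.

    `footprint` maps a header field to the values it matches. Fields are
    joined with Boolean AND; several values for one field are joined with OR,
    so n fields give n-1 AND operators and each extra value is one OR value.
    """
    terms = dict(footprint)
    if always_include_dst_ip:
        # Page note: when Always Include Destination IP Address in Footprints is
        # enabled, the strictness calculation ignores the destination-IP field.
        terms.pop("dst-ip", None)
    if not terms:
        return "Low"
    if set(terms) <= ALWAYS_HIGH_FIELDS:
        return "High"
    and_ops = len(terms) - 1
    or_values = sum(len(values) - 1 for values in terms.values())
    if and_ops >= 2 and or_values == 0:        # High: at least 2 ANDs, no OR
        return "High"
    if and_ops >= 1 and or_values <= 2:        # Medium: at least 1 AND, at most 2 ORs
        return "Medium"
    return "Low"                               # Low: any footprint is accepted

def footprint_blocks(footprint: Dict[str, List[str]], configured: str,
                     always_include_dst_ip: bool = False) -> bool:
    """True when the footprint meets the configured Footprint Strictness, so the
    attack is blocked; False means the module only issues a notification."""
    achieved = footprint_strictness(footprint, always_include_dst_ip)
    return LEVELS[achieved] >= LEVELS[configured]
```

The last two assertions in the accompanying check show the caution in practice: a three-field footprint that counts as High drops to Medium once the destination-IP field is excluded from the calculation.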
you want to configure footprint bypass, and click the (Search) button. The table displays
the bypass types and values for the selected attack protection.
Parameter Description
Footprint Bypass Controller (Read-only) The selected attack protection for which you are
configuring footprint bypass.
Bypass Field (Read-only) The selected bypass type to configure.
Bypass Status The bypass option.
Values:
• Bypass—The Behavioral DoS module bypasses all possible
values of the selected Bypass Field when generating a footprint.
• Accept—The Behavioral DoS module bypasses only the specified
values (if such a value exists) of the selected Bypass Field
when generating a footprint.
Bypass Values If the value of the Bypass Status parameter is Accept, when
generating the footprint, the Behavioral DoS mechanism does not
use the specified Bypass Values of the corresponding selected
Bypass Field. The valid Bypass Values vary according to the selected
Bypass Field. Multiple values in the Bypass Values field must be
comma-delimited.
Note: DefensePro does not support this feature when the Device Operation Mode is IP (see
Configuring the Device Operation Mode for DefensePro, page 156).
Anti-Scanning Protection protects against malicious scanning activity, which includes zero-day self-
propagating network worms, horizontal scans, and vertical scans. When Anti-Scanning Protection is
enabled, upon detecting an attack, the protection implements the blocking footprint rule for a
predefined, initial blocking duration. When the protection identifies repeated scanning activities from
the same source, the protection extends the blocking duration based on a dynamic blocking-
duration mechanism. This mechanism includes a random factor that sets an unpredictable blocking
duration. When a source continues to scan the network, the device can restart the global Maximal
Blocking Duration.
Caution: In some cases, you may find that network elements legally perform scanning as part of
their normal operation. It is recommended to place such elements in the White List to avoid
interruption of network operation.
Notes
• A self-propagating worm is an attack that spreads by itself using network resources. This worm
uses a random-IP-address-generation technique (that is, network scanning) to locate a
vulnerable host to infect. When a vulnerable host is identified, the worm immediately executes
its code on this host, thereby infecting the computer with the worm’s malicious code. Then, the
infected hosts initiate similar scanning techniques and infect other hosts, propagating
exponentially.
• Horizontal scans scan for a specific port or ports across a range of IP addresses.
Parameter Description
Enable Anti-Scanning Protection Specifies whether Anti-Scanning Protection is enabled. Anti-Scanning
Protection prevents zero-day self-propagating network worms, horizontal
scans, and vertical scans.
Default: Disabled
Default for DefensePro 7.x versions: Disabled
Caution: Changing the setting of this parameter requires a reboot to
take effect.
Enable Protection for Very Slow Scans Specifies whether Anti-Scanning Protection blocks slow scans, which can
result in very long blocking periods. When enabled, Anti-Scanning
Protection adapts the blocking interval based on the scanner-activity
frequency. Thus, the device will detect the scanner activity again before
the blocking duration elapses. The blocking duration is calculated as the
time between scanning events multiplied by the Attack Trigger value.
Radware recommends using this option only in exceptional circumstances,
when one scan attempt in 20 minutes is considered a security threat.
Default: Disabled
Enable High Port Response Specifies whether the Anti-Scanning Protection emphasizes inspecting
scans aimed at ports greater than 1024 (that is, usually unassigned
ports).
Values:
• Enabled—The Anti-Scanning Protection emphasizes inspecting scans
aimed at ports greater than 1024. Select this checkbox when using
applications that utilize standard system ports (that is, port values
less than 1024).
• Disabled—The Anti-Scanning Protection treats all the scan activities
equally. Clear this checkbox when using applications utilizing non-
standard ports (that is, port values greater than 1024).
Default: Enabled
Note: When the parameter is enabled and you have legitimate
applications using high-range ports, the DefensePro device is prone to
more false positives.
Maximal Blocking Duration The maximum time, in seconds, that the Anti-Scanning Protection blocks
the source of a scan—if that source continues to scan the network.
Values: 20–3600
Default: 80
Note: This setting overrides the maximum time set in the Suspend
table parameters.
Caution: Increasing the value to higher than the default makes
DefensePro work harder, and thus, makes overload more likely.
(Lowering the value to below the default makes DefensePro work less
hard in most cases.)
Note: Some DefensePro versions have all the global SYN Flood Protection parameters on the SYN
Flood Protection tab.
Caution: Changing the setting of this parameter requires a reboot to take effect.
3. Click Submit.
4. In the Configuration perspective, select Setup > Security Settings > SYN Flood Protection
> SYN Flood Protection Parameters.
5. Configure the parameters, and then, click Submit.
Parameter Description
Tracking Time The time, in seconds, during which the number of SYN packets
directed to a single protected destination must be lower than the
Termination Threshold to cause the attack state to terminate for
that destination.
Values: 1–10
Default: 5
Minimum Allowed SYN Retransmission Time The minimum time, in seconds, for the SYN-packet
retransmission in the Safe-Reset authentication mechanism to
consider the retransmission to be valid.
Values: 2–15
Default: 2
Note: For more information, see Managing SYN Protection
Profile Parameters, page 224.
Maximum Allowed SYN The maximum time, in seconds, for the SYN-packet
Retransmission Time retransmission in the Safe-Reset authentication mechanism to
consider the retransmission to be valid.
Values: 3–15
Default: 4
Note: For more information, see Managing SYN Protection
Profile Parameters, page 224.
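The following simulation, added here as an illustration and not taken from Radware's code, shows how the three timing parameters above interact. It assumes a simplified Safe-Reset flow: the first SYN from an unknown source is challenged, and the source is authenticated only if its SYN retransmission arrives inside the [Minimum, Maximum] window. It also models Tracking Time as the number of consecutive seconds the per-second SYN count must stay below the Termination Threshold (the threshold value used is an assumption; the page only names the parameter).

```python
"""Simplified model of the SYN Flood Protection timing parameters above.

Added example, not Radware code: it assumes a Safe-Reset flow in which the
first SYN from an unknown source is challenged (the device answers so that a
real TCP stack retransmits the SYN) and the source is authenticated only if
the retransmission arrives inside the configured window. Spoofed-source flood
traffic never retransmits, so it never passes the window check.
"""
from dataclasses import dataclass, field


@dataclass
class SafeResetAuthenticator:
    # Minimum/Maximum Allowed SYN Retransmission Time (page defaults: 2 and 4 s)
    min_retrans: float = 2.0
    max_retrans: float = 4.0
    # pending challenges: flow 4-tuple -> time the first SYN was seen
    pending: dict = field(default_factory=dict)
    authenticated: set = field(default_factory=set)   # source IPs

    def on_syn(self, flow, now):
        """Verdict for a SYN of `flow` (src, sport, dst, dport) seen at `now`."""
        src = flow[0]
        if src in self.authenticated:
            return "forward"
        first = self.pending.get(flow)
        if first is None:
            self.pending[flow] = now
            return "challenge"           # answered so that a real stack retransmits
        delay = now - first
        if self.min_retrans <= delay <= self.max_retrans:
            self.authenticated.add(src)
            del self.pending[flow]
            return "authenticated"
        if delay > self.max_retrans:
            self.pending[flow] = now     # window missed: challenge afresh
            return "challenge"
        return "drop"                    # retransmitted too early for a real stack


class AttackStateTracker:
    """Models Tracking Time: the attack state of one protected destination ends
    once the per-second SYN count stays below the Termination Threshold for
    tracking_time consecutive seconds. termination_threshold is an assumed
    profile value; the page only names the parameter."""

    def __init__(self, tracking_time=5, termination_threshold=50):
        self.tracking_time = tracking_time
        self.threshold = termination_threshold
        self.in_attack = True
        self.below_since = None

    def observe_second(self, t, syn_count):
        """Feed the SYN count of second `t`; return True while still in attack state."""
        if not self.in_attack:
            return False
        if syn_count >= self.threshold:
            self.below_since = None      # a burst resets the quiet period
        else:
            if self.below_since is None:
                self.below_since = t
            if t - self.below_since + 1 >= self.tracking_time:
                self.in_attack = False
        return self.in_attack


def run_demo():
    """Constructed scenario: one real client, then a quieting attack."""
    auth = SafeResetAuthenticator()
    real = ("10.0.0.5", 40000, "192.0.2.10", 80)
    verdicts = [auth.on_syn(real, 0.0), auth.on_syn(real, 3.0)]
    tracker = AttackStateTracker(tracking_time=5, termination_threshold=50)
    counts = [10, 10, 10, 200, 10, 10, 10, 10, 10]   # constructed per-second SYN counts
    states = [tracker.observe_second(t, c) for t, c in enumerate(counts)]
    return verdicts, states
```

The burst at second 3 in `run_demo` resets the quiet period, so the attack state only terminates at second 8, five quiet seconds later; that is the behaviour a short Tracking Time trades against flapping in and out of attack state.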
Parameter Description
DefensePro does not support this feature when the Device Operation Mode is IP (see Configuring the Device Operation Mode for DefensePro, page 156).
For more information on the SSL Mitigation feature, see Configuring SSL Mitigation Policies in DefensePro 6.x and 7.x Versions, page 92, and the DefensePro SSL Attack Mitigation Technical Implementation Guide.
Enable SSL Mitigation
    Specifies whether the device enables the SSL Mitigation mechanism with an Alteon device.
    Note:
Alteon MNG IP
    The IP address of the Alteon management port.
Health-Check Port
    The health-check port (that is, the SNMP Traps port) on the Alteon device.
DefensePro Assigned Ports
    The table that displays the pair of static-forwarding ports. Double-click an entry to open the dialog box where you can modify the inbound port and/or the outbound port.
    In addition to a port, you can specify a link aggregation (also referred to as a trunk). If you specify a link aggregation, it must already be configured in the Link Aggregation table (see Configuring Link Aggregation of Ports in the DefensePro Setup, page 77). Link aggregation combines physical network links into a single logical link for increased capacity and availability. In a link-aggregation scenario, traffic is divided between the ports that are up, and if one of the ports goes down, the traffic continues to flow over the ports that remain up.
Note: The DefensePro CLI includes commands for configuring Out-of-State Protection and viewing
the state. For example, the CLI includes commands for viewing the status of graceful-startup
periods. For more information, refer to the relevant CLI Reference Manual.
Caution: Some CLI commands are intended for internal use only—for example, for use by Radware
Technical Support.
DefensePro implements a graceful-startup period for Out-of-State Protection actions for the
following scenarios:
• After startup or reboot when the selected Startup Mode is Graceful—This timer is the
Startup Timer parameter in the Out-of-State Protection global parameters (in the procedure
below). Default: 1800 seconds (30 minutes).
• When an Update Policies action finishes—This graceful-startup period is configurable only
in the CLI. Default: 30 seconds.
• When the Session table is no longer full—This graceful-startup period is hard-coded. Value:
1800 seconds (30 minutes).
• When a member of a high-availability cluster fails over to its peer—This graceful-startup
period is hard-coded. Value: 1800 seconds (30 minutes).
Parameter Description
Enable Out-of-State Protection
    Specifies whether DefensePro enables Out-of-State Protection configuration and learning.
    Default: Enabled
Activate (Without Reboot)
    (This parameter is available only after selecting the Enable Out-of-State Protection checkbox.)
    Values:
    • Enabled—Activate Out-of-State Protection actions immediately.
    • Disabled—Deactivate Out-of-State Protection actions immediately.
    When the selected Startup Mode is Off or Graceful, to start Out-of-State Protection immediately after startup (with no learning of traffic and sessions), select the Activate (Without Reboot) checkbox.
    When the Activate (Without Reboot) checkbox is selected and the Update Policies action starts, DefensePro clears the checkbox and suspends Out-of-State Protection actions for 30 seconds. These 30 seconds give DefensePro time to learn traffic and sessions, thereby reducing the chances of false positives.
    When the Activate (Without Reboot) checkbox is selected and the selected Startup Mode is Graceful, after startup the Activate (Without Reboot) checkbox is cleared for the duration of the Startup Timer. After the Startup Timer has elapsed, the Activate (Without Reboot) checkbox is automatically selected again.
    When the Activate (Without Reboot) checkbox is selected and the selected Startup Mode is Off, after startup the Activate (Without Reboot) checkbox is cleared.
Startup Mode
    (This parameter is available only after selecting the Enable Out-of-State Protection checkbox.)
    The behavior of the device after startup.
    Values:
    • On—Start Out-of-State Protection actions immediately after startup (with no time to learn traffic and sessions). Sessions that started before startup are dropped. Only new, valid sessions are allowed.
    • Off—Do not start Out-of-State Protection after startup or reboot.
    • Graceful—After startup, learn sessions (and update the Session table) for the time specified by the Startup Timer parameter. Then begin Out-of-State Protection actions.
    Default: Graceful
    Note: When the value is Off or Graceful, to start Out-of-State Protection immediately after startup (with no learning of traffic and sessions), select the Activate (Without Reboot) checkbox.
Startup Timer
    (This parameter is available only after selecting the Enable Out-of-State Protection checkbox.)
    When the selected Startup Mode is Graceful, this parameter specifies the time, in seconds, after startup or reboot during which DefensePro delays Out-of-State Protection actions and only registers all sessions in the Session table, including sessions whose initiation was not observed. After this time, the Out-of-State Protection module inspects packets and decides whether a packet is out of state. DefensePro then takes action according to the configuration of the matching Network Protection policy and Out-of-State Protection profile.
    Values: 0–65,535
    Default: 1800 (30 minutes)
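The following model, added here as an illustration and not Radware's implementation, ties the Startup Mode, Startup Timer, Activate (Without Reboot) and Update Policies behaviours above together. It assumes a Session table keyed by the TCP 4-tuple, that a packet is out of state when it is not a SYN and matches no registered session, and that the profile action for such packets is Drop.

```python
"""Model of the Out-of-State Protection startup behaviour described above.

Added example, not Radware code. It assumes a Session table keyed by the TCP
4-tuple, that a packet is "out of state" when it is not a SYN and belongs to
no registered session, and that the profile action for such packets is Drop.
The mode names, the Startup Timer default (1800 s) and the 30-second
suspension around Update Policies are taken from the page.
"""
from dataclasses import dataclass, field

UPDATE_POLICIES_GRACE = 30.0   # seconds, per the page (CLI-configurable)


@dataclass
class OutOfStateProtection:
    startup_mode: str = "Graceful"        # On | Off | Graceful
    startup_timer: float = 1800.0         # seconds
    boot_time: float = 0.0
    activate_without_reboot: bool = False
    suspended_until: float = 0.0          # set by on_update_policies()
    sessions: set = field(default_factory=set)

    def enforcing(self, now):
        """True when out-of-state packets are acted on rather than learned."""
        if now < self.suspended_until:
            return False
        if self.activate_without_reboot:
            return True
        if self.startup_mode == "On":
            return True
        if self.startup_mode == "Off":
            return False
        return now - self.boot_time >= self.startup_timer   # Graceful

    def on_update_policies(self, now):
        """Update Policies clears the Activate checkbox and suspends actions."""
        self.activate_without_reboot = False
        self.suspended_until = now + UPDATE_POLICIES_GRACE

    def handle(self, packet, now):
        """Return 'forward' or 'drop' for a packet dict (src, sport, dst, dport, flags)."""
        key = (packet["src"], packet["sport"], packet["dst"], packet["dport"])
        if "SYN" in packet["flags"]:
            self.sessions.add(key)          # properly initiated session
            return "forward"
        if key in self.sessions:
            return "forward"
        if not self.enforcing(now):
            self.sessions.add(key)          # learn a session whose SYN was not seen
            return "forward"
        return "drop"                       # out of state


def pkt(src, sport, dst, dport, flags):
    """Build a constructed packet record for the simulation."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport, "flags": flags}
```

Sessions learned during the graceful window survive the end of the timer; only flows first seen mid-stream after the timer elapses are dropped, which is why a too-short Startup Timer translates directly into false positives on long-lived connections.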
Parameter Description
Enable HTTP Mitigator
    Specifies whether the HTTP Mitigator is enabled on the device. HTTP flood protection must be enabled before you can set HTTP flood protection parameters.
    Default: Enabled
Learning Period before Activation
    The time, in days, that the HTTP Mitigator takes to collect the data needed to establish the baseline that HTTP Mitigation uses.
    Values: 0–65,536
    Default: 7
Learning Mode
    The learning mode of the HTTP Mitigator.
    Values:
    • Continuous Only—The learning process about the traffic environment is continuous.
    • Automatic—The HTTP Mitigator can switch to 24x7 learning when it detects a recurring pattern per hour of the day of the week over a period of 4, 8, or 12 weeks (based on sensitivity).
Learning Sensitivity
    The period from which the HTTP Mitigator establishes baselines. Select the time unit based on the site characteristics. For example, if the site traffic fluctuates during the course of a day but fluctuates the same way each day, select Day; if there are significant fluctuations between the days of the week, select Week.
    Values: Day, Week, Month
    Default: Week
Mitigation Failure Condition
    The number of automatic attempts the device makes before announcing that it cannot mitigate the attack.
    Values: 1–100
    Default: 3
DefensePro detects attacks based on the frequency and quantity of SIP reply codes.
DefensePro performs analysis of authentication, call initiation, registration processes, and reply
codes per source IP address and the SIP URI (SIP FROM).
A SIP server can send replies and error responses to clients either on the same connection or open a
new connection for this purpose. This is also applicable for UDP, where either the same flow or a new
one is used. To support such environments, the SIP Server Cracking protection can monitor all
outgoing messages from the protected server to the SIP Application Port Group or from the SIP
Application Port Group.
Before you configure global SIP Cracking Protection, you must configure a profile that includes SIP
protection. For more information, see Configuring Server Cracking Profiles for Server Protection,
page 17.
Parameter Description
Tracking Type
    The data that the SIP Cracking feature monitors.
    Values: SIP-URI, Source IP, Both
Application Code for Reset
    The SIP error code that is sent back to the source IP address.
    Values:
    • Ambiguous—Event number 485. The Request-URI is ambiguous/not assigned.
    • Busy Everywhere—Event number 600. All possible destinations are busy.
    • Busy Here—Event number 486. User busy.
    • Decline—Event number 603. Call rejected.
    • Forbidden—Event number 403.
    • Not Acceptable Error—Event number 406. Client Failure Response. The resource identified by the request is only capable of generating response entities whose content characteristics are not acceptable according to the Accept header field sent in the request.
    • Not Acceptable Fail—Event number 606. Global Failure Response. The user's agent was contacted successfully, but some aspects of the session description, such as the requested media, bandwidth, or addressing style, were not acceptable.
    • Not Acceptable Here—Event number 488. Some aspects of the session description of the Request-URI are not acceptable.
    • Not Found—Event number 404. The user does not exist at the specified domain.
    • Request Terminated—Event number 487. The request was terminated by a BYE or CANCEL.
    • Temporarily Unavailable—Event number 480. The user is currently unavailable.
    Default: Not Acceptable Error
Detect Error Codes in Server Originated Sessions
    Enables detection of error codes on sessions that originate from the server to the client.
    Default: Disabled
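The detection sketch below is an added illustration of the counting described in this section (reply codes tracked per source IP, per SIP URI from the From header, or both); it is not Radware's code. It assumes SIP responses are available as text, counts tracked error codes per key inside a sliding window, and flags a key once its count reaches a threshold. The window, the threshold and the set of tracked reply codes are assumed values; the page names only the Tracking Type values. The sample responses are constructed.

```python
"""Detection sketch for the SIP Server Cracking counters described above.

Added example, not Radware code. It assumes SIP responses are available as
text (status line plus headers), counts error reply codes per tracking key
(Source IP, SIP-URI, or Both) inside a sliding time window, and flags a key
once its count reaches a threshold. Window, threshold and the tracked codes
are assumptions; the page names the Tracking Type values but no thresholds.
"""
import re
from collections import defaultdict, deque

STATUS_RE = re.compile(r"^SIP/2\.0 (\d{3}) ")
FROM_RE = re.compile(r"^(?:From|f):\s*.*?<?(sip:[^>;\s]+)", re.IGNORECASE | re.MULTILINE)

# Reply codes counted as authentication/registration failures (assumed set).
TRACKED_CODES = {401, 403, 404, 407}

# Constructed sample responses used by the demonstration and its tests.
SAMPLE_401 = ("SIP/2.0 401 Unauthorized\r\n"
              "Via: SIP/2.0/UDP 203.0.113.5:5060\r\n"
              "From: <sip:alice@example.com>;tag=1\r\n"
              "To: <sip:alice@example.com>\r\n"
              "CSeq: 1 REGISTER\r\n\r\n")
SAMPLE_200 = ("SIP/2.0 200 OK\r\n"
              "From: \"Alice\" <sip:alice@example.com>;tag=1\r\n"
              "To: <sip:alice@example.com>;tag=2\r\n"
              "CSeq: 2 REGISTER\r\n\r\n")


def parse_response(text):
    """Return (status_code, from_uri) from a SIP response, or None if malformed."""
    m = STATUS_RE.match(text)
    f = FROM_RE.search(text)
    if not m or not f:
        return None
    return int(m.group(1)), f.group(1)


class SipCrackingDetector:
    def __init__(self, tracking_type="Both", window=60.0, threshold=5):
        self.tracking_type = tracking_type
        self.window = window
        self.threshold = threshold
        self.events = defaultdict(deque)   # key -> timestamps of tracked errors

    def keys_for(self, src_ip, from_uri):
        """Tracking keys according to the configured Tracking Type."""
        if self.tracking_type == "Source IP":
            return [("ip", src_ip)]
        if self.tracking_type == "SIP-URI":
            return [("uri", from_uri)]
        return [("ip", src_ip), ("uri", from_uri)]   # Both

    def observe(self, src_ip, response_text, now):
        """Record one server response sent to the client at `src_ip`; return the
        keys that reached the threshold inside the window (empty if none)."""
        parsed = parse_response(response_text)
        if parsed is None or parsed[0] not in TRACKED_CODES:
            return []
        fired = []
        for key in self.keys_for(src_ip, parsed[1]):
            q = self.events[key]
            q.append(now)
            while q and now - q[0] > self.window:
                q.popleft()               # forget events outside the window
            if len(q) >= self.threshold:
                fired.append(key)
        return fired
```

Tracking by SIP URI as well as by source IP is what lets a detector catch one account being tried from many addresses, while the source-IP key catches many accounts tried from one address; "Both" covers both patterns at the cost of two counters per event.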
Note: The Packet Anomaly Protection module inspects traffic before the BDoS Protection module.
Therefore, the BDoS Protection module is unaware of anomalous packets that the Packet Anomaly
module detects and drops (Action is Drop) or passes through (Report Action is Bypass). (For
more information on the Action and Report Action parameters, see Table 84 - Packet-Anomaly
Protection Parameters, page 128.)
Enabling and Disabling the Packet Trace Feature for Packet Anomaly Protection
When the Packet Trace feature is enabled for Packet Anomaly Protection, the device sends
anomalous packets to the specified physical port.
You enable or disable the Packet Trace feature for all the packet-anomaly protections configured on
the device.
Notes
• DefensePro does not support the Packet Trace feature when the Device Operation Mode is IP
(see Configuring the Device Operation Mode for DefensePro, page 156).
• When this feature is enabled, for the feature to take effect, the global setting must be enabled
(Configuration perspective, Setup > Reporting Settings > Advanced Reporting Settings >
Packet Reporting and Packet Trace > Enable Packet Trace on Physical Port).
• A change to the parameter takes effect only after you update policies.
To enable or disable the Packet Trace feature for Packet Anomaly Protection
1. In the Configuration perspective, select Setup > Security Settings > Packet Anomaly.
2. Select or clear the Packet Trace checkbox, and then, click Submit.
Parameter Description
ID
    (Read-only) The ID number of the packet-anomaly protection. The ID is a Radware ID that appears in the trap sent to the APSolute Vision Security logs.
Protection Name
    (Read-only) The name of the packet-anomaly protection.
Action
    The action that the device takes when the packet anomaly is detected. The action applies only to the specified packet-anomaly protection.
    Values:
    • Drop—The device discards the anomalous packets and issues a trap.
    • Report—The device issues a trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules. If the Report Action is Bypass, the packet bypasses the rest of the device modules.
    • No Report—The device issues no trap for anomalous packets. If the Report Action is Process, the packet goes to the rest of the device modules. If the Report Action is Bypass, the packet bypasses the rest of the device modules.
    Note: Click Drop All to set the Action for all packet-anomaly protections to Drop. Click Report All to set the Action for all packet-anomaly protections to Report. Click No Report All to set the Action for all packet-anomaly protections to No Report.
Risk
    The risk associated with the trap for the specific anomaly.
    Values: Info, Low, Medium, High
    Default: Info
Report Action
    The action that the DefensePro device takes on the anomalous packets when the specified Action is Report or No Report. The Report Action applies only to the specified packet-anomaly protection.
    Values:
    • Bypass—The anomalous packets bypass the device.
    • Process—The DefensePro modules process the anomalous packets. If the anomalous packets are part of an attack, DefensePro can mitigate the attack.
    Note: You cannot select Process for the following packet-anomaly protections:
    • 104—Invalid IP Header or Total Length
    • 107—Inconsistent IPv6 Headers
    • 131—Invalid L4 Header Length
Anomaly Description
Unrecognized L2 Format
    Packets with more than two VLAN tags or MPLS labels, L2 broadcast, or L2 multicast traffic.
    ID: 100
    Default Action: No Report
    Default Risk: Low
    Default Report Action: Process
    Note: This anomaly cannot be sampled.
Incorrect IPv4 Checksum
    The IP packet header checksum does not match the packet header.
    ID: 103
    Default Action: Drop
    Default Risk: Low
    Default Report Action: Bypass
    Caution: When the specified Action is Drop, DefensePro does not drop all the PA 103 packets; approximately 50 per second pass through. Also, DefensePro does not support sampling packets that match PA 103.
    Note: This anomaly cannot be sampled.
Invalid IPv4 Header or Total Length
    The IP packet header length does not match the actual header length, or the IP packet total length does not match the actual packet length.
    When the Device Operation Mode is IP (see Configuring the Device Operation Mode for DefensePro, page 156), the Action must be Drop.
    ID: 104
    Default Action: Drop
    Default Risk: Low
    Report Action: Bypass (fixed; Process cannot be selected for this anomaly)
TTL Equal to 0
    The TTL field value is less than or equal to 1.
    When the Device Operation Mode is IP (see Configuring the Device Operation Mode for DefensePro, page 156), the Action must be Drop.
    ID: 105
    Default Action when Device Operation Mode is Transparent: Report
    Default Action when Device Operation Mode is IP: Drop
    Default Risk: Low
    Default Report Action: Process
Inconsistent IPv6 Headers
    Inconsistent IPv6 headers.
    When the Device Operation Mode is IP (see Configuring the Device Operation Mode for DefensePro, page 156), the Action must be Drop.
    ID: 107
    Default Action: Drop
    Default Risk: Low
    Report Action: Bypass (fixed; Process cannot be selected for this anomaly)
IPv6 Hop Limit Reached
    The IPv6 hop limit is not greater than 1.
    When the Device Operation Mode is IP (see Configuring the Device Operation Mode for DefensePro, page 156), the Action must be Drop.
    ID: 108
    Default Action when Device Operation Mode is Transparent: Report
    Default Action when Device Operation Mode is IP: Drop
    Default Risk: Low
    Default Report Action: Process
Unsupported L4 Protocol
    Traffic other than UDP, TCP, ICMP, or IGMP.
    ID: 110
    Default Action: No Report
    Default Risk: Low
    Default Report Action: Process
Invalid TCP Flags
    The TCP flags combination does not conform to the standard.
    ID: 113
    Default Action: Drop
    Default Risk: Low
    Default Report Action: Bypass
Source or Dest. Address same as Local Host
    The IP packet source address or destination address is equal to the local host.
    ID: 119
    Default Action: Drop
    Default Risk: Low
    Default Report Action: Bypass
Source Address same as Dest Address (Land Attack)
    The source IP address and the destination IP address in the packet header are the same. This is referred to as a LAND, Land, or LanD attack.
    ID: 120
    Default Action: Drop
    Default Risk: Low
    Default Report Action: Bypass
L4 Source or Dest. Port Zero
    The Layer 4 source port or destination port equals zero.
    ID: 125
    Default Action: Drop
    Default Risk: Low
    Default Report Action: Bypass
Invalid L4 Header Length
    The length of the Layer 4 (TCP/UDP/SCTP) header is invalid.
    ID: 131
    Default Action: Drop
    Default Risk: Low
    Report Action: Bypass (fixed; Process cannot be selected for this anomaly)
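To make the table above concrete, here is an added offline checker (not Radware's code) that parses raw IPv4 packets and reports which of the listed anomalies it finds, together with the default action the table assigns to each. The device's exact rule for "Invalid TCP Flags" is not on the page, so the combinations tested (no flags set, SYN+FIN, SYN+RST) are an assumption; the `local_ips` set stands in for the device's own addresses, and the sample packets are constructed inline.

```python
"""Offline checker for several of the packet anomalies listed in the table
above, with the default actions the table gives for them.

Added example, not Radware code: it parses raw IPv4 packets with Python's
struct module and reports the anomaly IDs it finds (103, 104, 105, 110, 113,
119, 120, 125, 131). The invalid TCP flag combinations tested (no flags,
SYN+FIN, SYN+RST) are an assumption. Sample packets are constructed inline.
"""
import socket
import struct

# Default Action per anomaly ID, from the table above.
DEFAULT_ACTION = {103: "Drop", 104: "Drop", 105: "Report", 110: "No Report",
                  113: "Drop", 119: "Drop", 120: "Drop", 125: "Drop", 131: "Drop"}
SUPPORTED_L4 = {1, 2, 6, 17}          # ICMP, IGMP, TCP, UDP
FIN, SYN, RST = 0x01, 0x02, 0x04


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def check_packet(pkt, local_ips=frozenset()):
    """Return the anomaly IDs found in raw IPv4 packet `pkt` (bytes)."""
    found = []
    if len(pkt) < 20:
        return [104]
    ver_ihl, _, total_len, _, _, ttl, proto, _ = struct.unpack("!BBHHHBBH", pkt[:12])
    src, dst = pkt[12:16], pkt[16:20]
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or total_len != len(pkt) or ihl > total_len:
        return [104]                    # Invalid IPv4 Header or Total Length
    if ipv4_checksum(pkt[:ihl]) != 0:
        found.append(103)               # Incorrect IPv4 Checksum
    if ttl <= 1:
        found.append(105)               # TTL Equal to 0 (value <= 1)
    if src in local_ips or dst in local_ips:
        found.append(119)               # address equals the local host
    if src == dst:
        found.append(120)               # LAND attack
    if proto not in SUPPORTED_L4:
        found.append(110)               # Unsupported L4 Protocol
        return found
    l4 = pkt[ihl:]
    if proto in (6, 17):
        if len(l4) < 8:
            found.append(131)
            return found
        sport, dport = struct.unpack("!HH", l4[:4])
        if sport == 0 or dport == 0:
            found.append(125)           # L4 Source or Dest. Port Zero
    if proto == 6:
        doff = (l4[12] >> 4) * 4 if len(l4) >= 20 else 0
        if doff < 20 or doff > len(l4):
            found.append(131)           # Invalid L4 Header Length
            return found
        flags = l4[13] & 0x3F
        if flags == 0 or (flags & SYN and flags & FIN) or (flags & SYN and flags & RST):
            found.append(113)           # Invalid TCP Flags (assumed rule set)
    elif proto == 17:
        udp_len = struct.unpack("!H", l4[4:6])[0]
        if udp_len < 8 or udp_len > len(l4):
            found.append(131)
    return found


def verdict(ids):
    """Combine default actions: Drop outranks Report, which outranks No Report."""
    if not ids:
        return "forward"
    rank = {"No Report": 0, "Report": 1, "Drop": 2}
    return max((DEFAULT_ACTION[i] for i in ids), key=rank.__getitem__)


def build_ipv4(src, dst, proto, payload, ttl=64, corrupt_checksum=False):
    """Construct a 20-byte-header IPv4 packet for the demonstration."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, ttl, proto,
                      0, socket.inet_aton(src), socket.inet_aton(dst))
    csum = ipv4_checksum(hdr) ^ (1 if corrupt_checksum else 0)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def build_tcp(sport, dport, flags):
    """Minimal 20-byte TCP header with data offset 5."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)


def build_udp(sport, dport, length=8):
    """Minimal 8-byte UDP header; `length` lets a test make it inconsistent."""
    return struct.pack("!HHHH", sport, dport, length, 0)
```

The checker returns early on ID 104 because a header whose length fields are wrong cannot be parsed further; that mirrors why the table fixes the Report Action for 104, 107 and 131 at Bypass rather than letting the other modules process such packets.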
DNS Flood Protection can detect statistical anomalies in DNS traffic and generate an accurate attack
footprint based on a heuristic protocol information analysis. This ensures accurate attack filtering
with minimal risk of false positives. The default average time for a new signature creation is between
10 and 18 seconds. This is a relatively short time, because flood attacks can last for minutes and
sometimes hours.
Before you configure DNS Flood Protection profiles, ensure that DNS Flood Protection is enabled. You
can also change the default global device settings for DNS Flood Protection. The DNS Flood
Protection global settings apply to all the Network Protection policies with DNS Flood profiles on the
device.
Parameter Description
Enable DNS Flood Protection
    Specifies whether DNS Flood Protection is enabled.
    Caution: Changing the setting of this parameter requires a reboot to take effect.
Learning Response Period
    The initial period from which baselines are primarily weighted. The default and recommended learning response period is one week. If traffic rates legitimately fluctuate (for example, TCP or UDP traffic baselines change more than 50% daily), set the learning response period to one month. Use a one-day period for testing purposes only.
    Values: Day, Week, Month
    Default: Week
Footprint Strictness
    When the DNS Flood Protection module detects a new attack, the module generates an attack footprint to block the attack traffic. If the module is unable to generate a footprint that meets the footprint-strictness condition, the module issues a notification for the attack but does not block it. The higher the strictness, the more accurate the footprint. However, higher strictness increases the probability that the module cannot generate a footprint.
    Values:
    • High—Requires at least two Boolean AND operators and no Boolean OR values in the footprint. This level lowers the probability of false positives but increases the probability of false negatives.
    • Medium—Requires at least one Boolean AND operator and no more than two additional Boolean OR values in the footprint.
    • Low—Allows any footprint suggested by the DNS Flood Protection module. This level achieves the best attack blocking but increases the probability of false positives.
    Default: Low
    Note: The DNS Flood Protection module always considers the checksum field and the sequence-number field as High Footprint Strictness fields. Therefore, a footprint with only a checksum or a sequence number is always considered High Footprint Strictness. Table 89 - DNS Footprint Strictness Examples, page 134, shows examples of footprint strictness requirements.
Parameter Description
When the protection is enabled and the device detects that a DNS-flood attack has started, the device implements the Mitigation Actions in escalating order—in the order in which they appear in the tab. If the first enabled Mitigation Action does not mitigate the attack satisfactorily (after a certain Escalation Period), the device implements the next more-severe enabled Mitigation Action—and so on. As the most severe Mitigation Action, the device always implements the Collective Rate Limit, which limits the rate of all DNS queries to the protected server.
Enable Signature Challenge
    Specifies whether the device challenges suspect DNS queries that match the real-time signature.
    Default: Enabled
    Note: A DNS Flood Protection profile that is configured with the Passive Challenge Method challenges only A and AAAA query types. A DNS Flood Protection profile that is configured with the Active Challenge Method challenges all DNS query types. For more information, see Configuring DNS Flood Protection Profiles for Network Protection, page 231.
Enable Signature Rate Limit
    Specifies whether the device limits the rate of DNS queries that match the real-time signature.
    Default: Enabled
Enable Collective Challenge
    Specifies whether the device challenges all unauthenticated DNS queries to the protected server.
    Default: Enabled
    Note: A DNS Flood Protection profile that is configured with the Passive Challenge Method challenges only A and AAAA query types. A DNS Flood Protection profile that is configured with the Active Challenge Method challenges all DNS query types. For more information, see Configuring DNS Flood Protection Profiles for Network Protection, page 231.
Enable Collective Rate Limit
    (Read-only) The device limits the rate of all DNS queries to the protected server.
    Value: Enabled
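The following added example (not Radware's code) models two of the behaviours described above: the Footprint Strictness levels from the earlier table, and the escalation through the Mitigation Actions. A footprint is represented as a list of terms ANDed together, each term being a field with a set of ORed values; the AND/OR counting rules and the special status of the checksum and sequence-number fields follow the page, while the Escalation Period used in the simulation is an assumed value.

```python
"""Models of two DNS Flood Protection behaviours described above: the
Footprint Strictness levels and the escalating Mitigation Actions.

Added example, not Radware code. A footprint is a list of terms that are
ANDed together; each term is (field, set_of_values) and the values inside one
term are ORed. The counting rules and the High status of the checksum and
sequence-number fields follow the page; the Escalation Period is assumed.
"""
HIGH_FIELDS = {"checksum", "sequence-number"}
LEVEL_RANK = {"Low": 0, "Medium": 1, "High": 2}
ACTION_ORDER = ["Signature Challenge", "Signature Rate Limit",
                "Collective Challenge", "Collective Rate Limit"]


def strictness_level(footprint):
    """Return the highest strictness level the footprint satisfies."""
    if not footprint:
        return None
    if all(field in HIGH_FIELDS for field, _ in footprint):
        return "High"                       # checksum/sequence number alone count as High
    and_ops = len(footprint) - 1            # n terms are joined by n-1 ANDs
    or_vals = sum(len(values) - 1 for _, values in footprint)
    if and_ops >= 2 and or_vals == 0:
        return "High"
    if and_ops >= 1 and or_vals <= 2:
        return "Medium"
    return "Low"


def footprint_decision(footprint, configured_strictness="Low"):
    """'block' when the footprint meets the configured strictness, otherwise
    'notify' (the module reports the attack but does not block it)."""
    level = strictness_level(footprint)
    if level is None:
        return "notify"
    return "block" if LEVEL_RANK[level] >= LEVEL_RANK[configured_strictness] else "notify"


def escalation_plan(enabled):
    """Ordered Mitigation Actions the device steps through; Collective Rate
    Limit is read-only Enabled and therefore always last."""
    plan = [a for a in ACTION_ORDER[:-1] if enabled.get(a, True)]
    plan.append(ACTION_ORDER[-1])
    return plan


def action_at(plan, seconds_since_start, escalation_period):
    """Action in force after `seconds_since_start`, escalating one step per
    Escalation Period while the attack persists (assumed constant period)."""
    step = min(int(seconds_since_start // escalation_period), len(plan) - 1)
    return plan[step]
```

Raising the configured strictness from Low to High in `footprint_decision` turns a Medium footprint from a blocking rule into a notification only, which is the false-negative side of the trade-off the table describes.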
Parameter Description
These settings affect periodic attack behavior. The settings are used to effectively detect and block these attack types.
Duration of Non-attack Traffic in Blocking State
    The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Blocking state. When the time elapses, DefensePro declares the attack to be terminated.
    Values: 45–300
    Default: 45
Duration of Non-attack Traffic in Anomaly or Non-Strictness State
    The time, in seconds, for which the degree of attack must fall below and stay below the hard-coded threshold in the Anomaly state or the Non-strictness state. When the time elapses, DefensePro declares the attack to be terminated.
    Values: 45–300
    Default: 45
Parameter Description
Enable DNS Protocol Compliance Checks
    (This parameter is available only after enabling the SDM table.)
    Specifies whether the device checks each DNS query for DNS protocol compliance and drops the non-compliant queries.
    Default: Disabled
Reset DNS Baseline
    Click to reset the DNS baseline. Then select whether to reset the baseline for all Network Protection policies that contain a DNS profile, or for a specific Network Protection policy that contains a DNS profile, and then click Submit.
    Resetting baseline-learned statistics clears the baseline traffic statistics and resets default normal baselines. Reset the baseline statistics only when the characteristics of the protected network have changed entirely and bandwidth quotas need to be changed to accommodate the network changes.
configure footprint bypass, and click the (Search) button. The table displays the bypass
fields for the selected DNS query type.
3. To edit bypass type settings, double-click the corresponding row.
4. Configure the footprint bypass parameters for the selected bypass field, and then, click Submit.
Parameter Description
Footprint Bypass Controller
    (Read-only) The selected DNS query type for which you are configuring footprint bypass.
Bypass Field
    (Read-only) The selected Bypass Field to configure.
Bypass Status
    The bypass option.
    Values:
    • Bypass—The DNS Flood Protection module bypasses all possible values of the selected Bypass Field when generating a footprint.
    • Accept—The DNS Flood Protection module bypasses only the specified values (if such values exist) of the selected Bypass Field when generating a footprint.
Bypass Values
    Used if the value of the Bypass Status parameter is Accept. DNS Flood Protection bypasses only the values of a selected Bypass Type, while it may use all other values. These values vary according to the Bypass Field selected. The values in the field must be comma-delimited.
Note: DefensePro does not support this feature when the Device Operation Mode is IP (see Configuring the Device Operation Mode for DefensePro, page 156).
Use the Service Discovery feature in a Network Protection policy to identify HTTP servers in a
specified network and protect the discovered servers with the default HTTP-flood-mitigator profile.
The Service Discovery mechanism discovers HTTP servers by identifying HTTP responses. Therefore,
in order to use Service Discovery, DefensePro needs to be in a topology where it can inspect both
HTTP requests and HTTP responses.
The details of the discovered servers are contained in the Server Protection table.
When a discovered server is no longer active for a specified period, the Service Discovery
mechanism can remove the server from the table.
To implement the Service Discovery feature, when you configure a Network Protection policy, you
specify the Service Discovery profile to use in the policy.
Caution: The Service Discovery mechanism does not create audit events when adding or removing
servers.
Parameter Description
Enable Service Discovery
    Specifies whether the DefensePro device uses the Service Discovery feature.
    Default: Enabled
Tracking Time
    The time, in minutes, that the Service Discovery mechanism tracks a server sending HTTP responses. The Service Discovery mechanism uses the Tracking Time and the specified number of HTTP responses during the Tracking Time to determine whether to protect the server.
    Values: 1–60
    Default: 5
Revalidation Time
    How often, in days, the Service Discovery mechanism revalidates the discovered servers.
    Values: 0–365
    Default: 7
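The model below is an added illustration of the Service Discovery parameters above and is not Radware's implementation. It assumes the mechanism counts HTTP responses per server (IP, port) inside the Tracking Time window, protects a server once the count reaches a response threshold (an assumed value; the page says "the specified number of HTTP responses" without giving it), and removes a discovered server whose last response is older than the Revalidation Time. The simulation works in seconds; the page expresses Tracking Time in minutes and Revalidation Time in days.

```python
"""Model of the Service Discovery parameters described above.

Added example, not Radware code. Assumptions: responses are counted per
(ip, port) inside the Tracking Time window; a server is protected once the
count reaches response_threshold (assumed value); a protected server is
dropped when it has sent nothing for longer than the Revalidation Time.
Times are seconds here (the page uses minutes and days).
"""
from collections import defaultdict, deque


class ServiceDiscovery:
    def __init__(self, tracking_time=5 * 60, revalidation_time=7 * 86400,
                 response_threshold=10, enabled=True):
        self.tracking_time = tracking_time
        self.revalidation_time = revalidation_time
        self.threshold = response_threshold
        self.enabled = enabled
        self.recent = defaultdict(deque)     # (ip, port) -> response timestamps
        self.protected = {}                  # (ip, port) -> last response time

    def observe_response(self, server_ip, server_port, now):
        """Account one HTTP response sent by the server; return True if the
        server is (or has just become) a protected server."""
        if not self.enabled:
            return False
        key = (server_ip, server_port)
        if key in self.protected:
            self.protected[key] = now        # keeps the server current
            return True
        q = self.recent[key]
        q.append(now)
        while q and now - q[0] > self.tracking_time:
            q.popleft()                      # only responses inside the window count
        if len(q) >= self.threshold:
            self.protected[key] = now
            del self.recent[key]
            return True
        return False

    def revalidate(self, now):
        """Remove servers silent for longer than the Revalidation Time; return
        the list of removed servers."""
        stale = [k for k, last in self.protected.items()
                 if now - last > self.revalidation_time]
        for k in stale:
            del self.protected[k]
        return stale

    def protected_servers(self):
        """Sorted list of (ip, port) currently in the Server Protection table."""
        return sorted(self.protected)
```

Because discovery keys on responses rather than requests, the mechanism only works when the device sees both directions of the HTTP exchange, which is the topology requirement stated above; an asymmetric deployment would never reach the threshold.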
Parameter Description
Accept Weak SSL Ciphers
    Specifies whether the device allows management connections over secure protocols with ciphers shorter than 128 bits.
    Default: Enabled
Parameter Description
Enable Overload Mechanism
    Specifies whether the device uses the overload-protection mechanism, which identifies and reports overload conditions and acts to reduce operations with high resource consumption. Radware recommends that the overload-protection mechanism always be enabled.
    The DefensePro device uses the overload-protection mechanism to prevent the following:
    • SME Overload—When the overload occurs in the string-matching engine (SME), the accelerator reduces the number of new sessions sent to the SME. The existing sessions continue to pass through the SME and are inspected. Features that require the SME, including some of the attack signatures, are not applied to some of the sessions.
    • Master Overload—When the overload occurs in the Master CPU, only a percentage of the traffic is processed by the CPU. Behavioral DoS footprint analysis is done on sampled data, ensuring the continuation of the feature, but SYN Protection does not work.
    • Accelerator Overload—When the overload occurs in the Accelerator CPU, only a percentage of the traffic is inspected, while the rest passes through using bypass modes. Inspected traffic is passed to the Master and SME if they are not overloaded.
    • System Wide Overload—If all offload operations have failed to prevent overload conditions, a full bypass is implemented. Every device application is bypassed, including Statistics, Security, and so on.
    Before the overload-protection mechanism is triggered, the device might drop packets.
    Note: When the device is overloaded and has resolved to wire bypass mode (the highest overload-prevention step), it stays in that mode for 600 seconds (by default).
SRP Management Host IP Address
    The IP address to which the device sends Statistics Reporting Protocol (SRP) data, for example, the APSolute Vision server IP address. SRP is a private Radware protocol for efficient transmission of statistical data for ACL and BWM.
Parameter Description
Update Policies Mode
    Values:
    • Mitigate—During an Update Policies operation, DefensePro processes traffic as follows:
    — Packet Anomaly Protection remains active except for anomalies whose specified Report Action is Process.
    — BDoS Protection continues to protect except for a short time when traffic bypasses DefensePro processing.
    — SYN Protection continues to defend against any ongoing SYN-flood attack that was identified before the Update Policies action. However, when the Transparent Proxy Authentication Method is configured, traffic bypasses DefensePro processing. In addition, traffic bypasses DefensePro processing when HTTP Authentication is enabled and the traffic is HTTP.
    — White List and Black List rules remain active if there was no configuration change that affects any White List or Black List rule.
    — The Packet Reporting and Packet Sampling modules are not functional until the Update Policies action is completed.
    • Bypass—During an Update Policies operation, all traffic bypasses DefensePro processing.
    • Drop—During an Update Policies operation, DefensePro drops all traffic—regardless of policy, port, or any other parameter.
    Default: Mitigate
Parameter Description
Enable FTP
    Enables/disables the FTP Dynamic Protocol.
    Default: Enabled
Control Session Aging Time
    The Control Session Aging Time, in seconds.
    Default: 0
Data Session Aging Time
    The Data Session Aging Time, in seconds.
    Default: 0
Parameter Description
Enable TFTP
    Enables/disables the TFTP Dynamic Protocol.
    Default: Enabled
Data Session Aging Time
    The Data Session Aging Time, in seconds.
    Default: 0
Parameter Description
Enable Rshell
    Enables/disables the Rshell Dynamic Protocol.
    Default: Enabled
Control Session Aging Time
    The Control Session Aging Time, in seconds.
    Default: 0
Data Session Aging Time
    The Data Session Aging Time, in seconds.
Parameter Description
Enable Rexec
    Enables/disables the Rexec Dynamic Protocol.
    Default: Enabled
Control Session Aging Time
    The Control Session Aging Time, in seconds.
    Default: 0
Data Session Aging Time
    The Data Session Aging Time, in seconds.
Parameter Description
Enable H.225
    Enables/disables the H.225 Dynamic Protocol.
    Default: Enabled
Control Session Aging Time
    The Control Session Aging Time, in seconds.
    Default: 0
H.245 Data Session Aging Time
    The Data Session Aging Time, in seconds.
    Default: 0
Parameter Description
Enable SIP
    Enables/disables the SIP Dynamic Protocol.
    Session Initiation Protocol (SIP) is an IETF standard for initiating an interactive user session involving multimedia elements such as video, voice, chat, gaming, and so on. SIP can establish, modify, or terminate multimedia sessions or Internet telephony calls.
    When a policy for SIP is configured to block traffic from one direction, it is not possible to open a SIP connection from the other direction (SIP uses the same port number for both source and destination).
    Default: Disabled
Signaling Session Aging Time
    The Signaling Session Aging Time, in seconds. When the clients communicate directly with each other, or work with non-standard SIP ports, increase the aging time of the Signaling Session Aging Time parameter.
    Default: 20
RTCP Session Aging Time
    The RTCP Session Aging Time, in seconds.
    Default: 0
TCP Segments Aging Time
    The SIP TCP Segments Aging Time, in seconds.
    Default: 5
Caution: Radware strongly recommends that you perform any device tuning only after consulting
with Radware Technical Support.
Note: Radware recommends performing a memory check before rebooting the device. When
you click Check Available Memory, a message box displays, which notifies you whether there
is enough memory on the device, and, if not, how much memory is required.
Parameter Description
IP Fragmentation Table
    The maximum number of IP fragments that the device stores.
    Values: 1–256,000
    Default: 10,240
Session Table
    The maximum number of sessions that the device can track.
    Values: 20–4,000,000
    Default: 2,700,000
Session Resets Entries
    The maximum number of sessions that the device tracks in order to send a RESET when Send Reset to Destination of Aged TCP Connection is enabled in the Session table.
    Values: 1–10,000
    Default: 1000
Routing Table
    The maximum number of entries in the Routing table.
    Values: 20–32,767
    Default: 64
Pending Table
    The maximum number of new simultaneous dynamic sessions the DefensePro Bandwidth Management (BWM) module can open. The BWM module uses this table for the following protocols to prepare a session entry from the control traffic (for the data traffic): SIP, FTP/TFTP, H.225, and RTSP. The table becomes full when there are too many messages in it. When the table is full, DefensePro opens sessions with the Session table, and BWM does not work as expected.
    Values: 16–16,000
    Default: 1024
    Note: You can print the table with the following command:
    device dynamic-protocols internal pending-table
Parameter Description
SIP Call Table
    The maximum number of SIP calls the device can track.
    Values: 16–256,000
    Default: 1024
TCP Segmentation Table
    The maximum number of TCP segments. This parameter is used when the SIP Protocol is enabled and SIP is running over TCP.
    Values: 1–32,768
    Default: 256
Note: Layer 4 tables are larger than Layer 3 tables. TCP clients, using HTTP, may open several TCP
sessions to one destination address.
Each security table is responsible for clearing tables of old entries that are no longer required, and
ensuring that traffic is properly classified and inspected.
Note: Radware recommends performing a memory check before rebooting the device. When
you click Check Available Memory, a message box is displayed, which notifies you whether
there is enough memory on the device, and, if not, how much memory is required.
Parameter Description
Max. Number of Signatures Configured by User
The maximum number of user-configurable IPS signatures and RSA signatures. DefensePro can store up to 500 concurrent RSA signatures.
Values: 10–10,000
Default: 100
Note: RSA signatures on the device accumulate until the
device ages them. The device ages RSA signatures according
to the specified aging times, Phishing Signatures Aging, Drop
Points Aging, and Malicious Download Aging. If the Max.
Number of Signatures Configured by User is greater than
500, and number of RSA signatures reaches 500, you cannot
add any new RSA signature. If you must add new RSA
signatures immediately, you can reduce the aging time, add
the RSA signature, and increase the aging time as appropriate.
Max. Number of Entries in Counters Report Tracking Signatures
The maximum number of entries for reports on active concurrent attacks.
Values: 100–64,000
Default: 20,000
Parameter Description
Note: Each tuning value applies the same to both of the internal hardware instances.
Max. Number of HTTP Mitigator Suspect Sources
The maximum number of suspect sources in HTTP Mitigation policies.
Values: 1000–500,000
Default: 100,000
Max. Number of Server Protection Servers
The maximum number of entries in the Server Protection policy.
Values: 100–10,000
Default: 350
Note: You can configure up to 280 Server Protection policies
that include an HTTP Flood protection profile. You can
configure up to 350 Server Protection policies that do not
include an HTTP Flood protection profile. By default,
DefensePro can protect up to 350 servers (with discrete IP
addresses) that are protected with Server Cracking profiles,
but you can tune a DefensePro device to support up to 10,000
servers (using the Max. Number of Server Protection
Servers parameter).
Max. Number of BDoS Policies The maximum number of configurable Behavioral DoS policies.
Values: 1–200
Default: 50
Max. Number of DNS Policies The maximum number of configurable DNS Flood Protection
policies.
Values: 1–200
Default: 50
Max. Number of Anti-Scanning IP Pairs
The maximum number of source IP addresses that the device stores for anti-scanning purposes.
Values: 10,000–1,000,000
Default: 50,000
Max. Number of Entries in Counter Target Table
The maximum number of sessions in which a Destination address is tracked.
Some attack signatures use thresholds per destination for
activation. The Counter Target Table counts the number of times
traffic to a specific destination matches a signature. When the
number of packets sent to a particular destination exceeds the
predefined limit, it is identified as an attack.
Values: 100–65,536
Default: 65,536
Max. Number of Entries in Counter Source Table
The maximum number of sessions in which a source address is tracked.
Some attack signatures use thresholds per source for activation.
The Counter Source Table counts the number of times traffic
from a specific source matches a signature. When the number of
packets sent from a particular source exceeds the predefined
limit, it is identified as an attack.
Values: 100–65,536
Default: 65,536
Max. Number of Entries in Counter Source and Target Table
The maximum number of sessions in which Source and Destination addresses are tracked.
Some signatures use thresholds per source and destination for
activation. The Counter Source & Target Table counts the
number of times traffic from a specific source to a specific
destination matches a signature. When the number of packets
sent from a particular source to a particular destination exceeds
the predefined limit, it is identified as an attack.
Values: 100–65,536
Default: 65,536
Max. Number of Concurrent Active DoS Shield Protections
The maximum number of filters tracked.
DoS Shield filters use thresholds for activation. The table, the New Count Per Filter (NCPF) table, counts the number of times traffic matches a DoS Shield signature per policy. When the number of packets exceeds the predefined limit, it is identified as an attack.
Values: 100–16,000
Default: 10,000
Max. Number of Entries in Counters Server Cracking Protection
The maximum number of entries for concurrent active Server Cracking protections.
When the Server Cracking protection feature is enabled,
DefensePro uses one entry in this table whenever DefensePro
receives a response from the server that can indicate a potential
Server Cracking attack. The entry includes the IP address of the
potential attacker, the protected server, and the protocol. The
entry remains in use as long as DefensePro receives such server
responses.
Values: 100–65,536
Default: 100
Max. Number of Entries in DHCP Table
The number of MAC addresses to check for IP requests.
The DHCP Discover table detects attacks by counting the IP
requests for each MAC address. The requests are made using
Dynamic Host Configuration Protocol. When the number of IP
requests for a particular MAC address exceeds the predefined
limit, it is identified as an attack.
Values: 100–64,000
Default: 100
Max. Number of Source IPs in Suspend Table
The maximum number of hosts that the Suspend table is able to block simultaneously.
This value affects the abilities of various protections, such as
Anti-Scanning, Server Cracking, and SYN protection.
Values: 1000–100,000
Default: 10,000
Max. Number of Concurrent Connection PPS Attacks
(Read-only) This parameter is not used.
Max. Number of Addresses in Quarantine Table
(Read-only) This parameter is not used.
Note: Radware recommends performing a memory check before rebooting the device. When
you click Check Available Memory, a message box is displayed, which notifies you whether
there is enough memory on the device, and, if not, how much memory is required.
Parameter Description
SYN Protection Table The number of entries in the table that stores data regarding the
delayed binding process. An entry exists in the table from the
time a client starts the three-way handshake until the handshake
is complete.
Values: 10–500,000
Default: 200,000
SYN Protection Requests Table The number of entries in the table that stores the ACK, or data
packet, the client sends, until the handshake with the server is
complete and the packet is sent to the server.
The Request table and the SYN Protection tables are
approximately the same size, whereas the Triggers table is much
smaller.
Values: 10–500,000
Default: 200,000
SYN Protection Signature Detection Entries
The number of entries in the table that stores destination IP addresses and destination ports in SYN Flood Protection profiles.
Values: 1000–20,000
Default: 1000
Note: There are several reasons that might cause the table to
become full, including the following:
• Too many services in the protected networks—This might
happen in extremely large networks.
• Too many protected services—If there are too many services
running in the protected network, or if all TCP ports are
protected by SYN Protection, this may cause problems in
networks that use multiple TCP ports for providing a service
such as gaming applications, which use numerous high TCP
ports.
• A vertical TCP-SYN flood—If the attackers are using an attack
technique that repeatedly performs high-rate scans on the
entire protected range.
The following are possible solutions to this problem:
• Apply the protection only to networks that have protected
services and not to normal enterprise host computers.
• Remove some of the protected protocols—If you are
unnecessarily protecting all TCP ports by SYN protection,
remove SYN protection and apply the policy only on relevant
services.
• Increase the table size—Note that increasing the table size
consumes memory allocation and therefore requires system
reboot.
SYN Statistics Entries The number of entries in the SYN Flood Statistics table.
Values: 1000–20,000
Default: 1000
Note: Radware recommends performing a memory check before rebooting the device. When
you click Check Available Memory, a message box is displayed, which notifies you whether
there is enough memory on the device, and, if not, how much memory is required.
Parameter Description
HTTP Authentication Table Size The number of sources in the HTTP Authentication table per
instance. (That is, this value applies the same to both of the
internal hardware instances.) DefensePro uses the HTTP
Authentication table in HTTP Flood profiles and the HTTP
Authentication feature in a SYN Protection profile.
Values: 500,000–2,000,000
Default: 2,000,000
HTTP Authentication Table Aging The time, in seconds, that the device keeps idle sources in the
HTTP Authentication table.
Values: 60–3600
Default: 1200
TCP Authentication Table Aging The time, in seconds, that the device keeps idle sources in the
TCP Authentication table.
Values: 60–3600
Default: 1200
DNS Authentication Table Aging (This parameter is available only in 6.x and 7.x versions.)
The time, in minutes, that the device keeps idle sources in the DNS Authentication table.
Values: 1–60
Default: 20
Note: The DNS Authentication Table Aging text box is
empty if DNS Flood Protection has not been enabled on the
device (Configuration perspective, Setup > Security
Settings > DNS Flood Protection > Enable DNS Flood
Protection). You can, however, enter a value even if DNS
Flood Protection is not enabled, and the value will persist.
Note: Radware recommends performing a memory check before rebooting the device. When
you click Check Available Memory, a message box is displayed, which notifies you whether
there is enough memory on the device, and, if not, how much memory is required.
Parameter Description
Max. Number of Networks The maximum number of entries in the table for ranges.
Values: 32–10,000
Default: 256
Max. Number of Discrete IP Addresses per Network
The maximum number of entries in the table for IP addresses that are allocated to a network.
Values: 16–1024
Default: 64
Max. Number of Subnets per Network
The maximum number of entries in the table for network subnets.
Values: 16–1024
Default: 64
Max. Number of MAC Groups The maximum number of entries in the table for MAC groups.
Values: 16–2048
Default: 128
Max. Number of Filter Entries The maximum number of entries in the table for basic filters.
Values: 512–2048
Default: 512
Max. Number of AND Groups The maximum number of entries in the advanced filters table for
AND groups.
Values: 256–2048
Default: 256
Max. Number of OR Groups The maximum number of entries in the advanced filters table for
OR groups.
Values: 256–2048
Default: 256
Max. Number of Application Ports Groups
The maximum number of entries in the table for application port groups.
Values: 32–2000
Default: 512
Max. Number of Content Entries The maximum number of content entries in the table.
Values: 16–4096
Default: 256
Note: Radware recommends performing a memory check before rebooting the device. When
you click Check Available Memory, a message box is displayed, which notifies you whether
there is enough memory on the device, and, if not, how much memory is required.
Parameter Description
SDM Table Size The size of the SDM table.
Values: Small, Medium, Large
Default: Medium
Parameter Description
Enable Session Table Specifies whether the device uses the Session table.
Default: Enabled
Parameter Description
Note: When the Access Control List (ACL) feature is enabled, aging times are determined by the
relevant ACL parameters.
Idle TCP-Session Aging Time The time, in seconds, that the Session table keeps idle TCP
sessions.
Values: 1–7200
Default: 100
Idle UDP-Session Aging Time The time, in seconds, that the Session table keeps idle UDP
sessions.
Values: 1–7200
Default: 100
Idle SCTP-Session Aging Time The time, in seconds, that the Session table keeps idle SCTP
sessions.
Values: 1–7200
Default: 100
Idle ICMP-Session Aging Time The time, in seconds, that the Session table keeps idle ICMP
sessions.
Values: 1–7200
Default: 100
Idle GRE-Session Aging Time The time, in seconds, that the Session table keeps idle GRE
sessions.
Values: 1–7200
Default: 100
Idle Other-Protocol-Session Aging Time
The time, in seconds, that the Session table keeps idle sessions of protocols other than TCP, UDP, SCTP, ICMP, or GRE.
Values: 1–7200
Default: 100
Incomplete TCP Handshake Timeout
How long, in seconds, the device waits for the three-way handshake to complete. When the timeout elapses, the device
deletes the session and, if the Send Reset to Destination of
Aged TCP Connection checkbox is selected, sends a reset
packet to the server.
Values:
• 0—The device uses the specified Session Aging Time.
• 1–10—The TCP handshake timeout in seconds.
Default: 10
Remove Session Entry at Session End
Specifies whether the device removes sessions from the Session table after receiving a FIN or RST packet if no additional packets are received on the same session within the Remove Session Entry at Session End Timeout period.
Default: Enabled
Remove Session Entry at Session End Timeout (This option is available only if Remove Session Entry at Session End is enabled.)
When Remove Session Entry at Session End is enabled, the time, in seconds, after which the device removes sessions from the Session table after receiving a FIN or RST packet if no additional packets are received on the same session.
Values: 0–60
Default: 5
Send Reset to Destination of Aged TCP Connection
Specifies whether the DefensePro device sends a RST packet to the destination of aged TCP sessions.
Values:
• Enabled—DefensePro sends a RST packet to the destination and cleans the entry in the DefensePro Session table.
• Disabled—DefensePro ages the session normally (using short
SYN timeout), but the destination might hold the session for
quite some time.
Default: Disabled
Session-Table-Full Action The action that the device takes when the Session table is at full
capacity.
Values:
• Allow new traffic—The device bypasses new sessions until
the session table has room for new entries.
• Block new traffic—The device blocks new sessions until the
session table has room for new entries.
Default: Allow new traffic
Alert-Start Threshold The percentage of capacity of the Session table when the device
starts issuing alerts.
Default: 95
Alert-Stop Threshold The percentage of full capacity of the Session table when the
device stops issuing alerts.
Default: 90
Lookup Mode The layer of address information that is used to categorize
packets in the Session table.
Values:
• Full L4—An entry exists in the Session table for each source IP, source port, destination IP, and destination port combination of packets passing through the device.
• L4 Destination Port—Enables traffic to be recorded based
only on the TCP/UDP destination port. This mode uses
minimal Session table resources (only one entry for each port
that is secured).
Default: Full L4
Caution: Radware recommends that you always use the
Full L4 option. When Session Table Lookup Mode is Layer
4 Destination Port, the following protections do not work:
• ACL
• Anti Scanning
• Connection Packet Rate Limit
• Connection Rate Limit
• HTTP Mitigator
• HTTP Replies Signatures
• Out-of-State protection
• Server Cracking
• SYN Protection
Disable Session Aging (This option is available only when Lookup Mode is L4 Destination Port.)
Specifies whether the device ages sessions in the Session table.
Default: Disabled
Caution: Increasing a value to higher than the default makes DefensePro work harder, and thus,
makes overload more likely. (Lowering a value to below the default makes DefensePro work less
hard in most cases.)
When the suspension time has reached the maximum length allowed, it remains constant for each
additional suspension.
Parameter Description
Minimal Aging Timeout The time, in seconds, for which DefensePro suspends first-time
offending source IP addresses.
Default: 10
Maximal Aging Timeout The maximal time, in seconds, for which DefensePro suspends a
specific source. Each time DefensePro suspends the same source, the
suspension length doubles until it reaches the Maximal Aging
Timeout.
Default: 600
Maximum Entries with Same Source IP
The number of times DefensePro suspends the same source IP address before DefensePro suspends all traffic from that source IP address, regardless of the specified Suspend Action. For example, if the value for this parameter is 4 and the specified Suspend Action is SrcIP-DstIP-SrcPort-DstPort, DefensePro suspends all traffic from a source IP address that had an entry in the Suspend list more than four times, even if the destination IP address, source port, and destination ports were different for the previous updates to the Suspend table.
This parameter is irrelevant when the specified Suspend Action is
SrcIP.
Values:
• 0—The device does not implement the feature.
• 1–10
Default: 0
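The doubling, capping and escalation rules of the Suspend table described above, modelled as an added example written for this page (not Radware code); the class and function names, the constructed source address and the assumption that the ordinal of the offence is what drives the doubling are mine:

```python
"""Model of the Suspend-table timing and escalation rules described on this
page (added example, not Radware code). Names and the sample source address
are constructed."""


class SuspendTableModel:
    # Field names follow the Suspend Action values on this page.
    FIELDS = ("SrcIP", "DstIP", "SrcPort", "DstPort")

    def __init__(self, minimal_aging=10, maximal_aging=600,
                 max_entries_same_src=0,
                 suspend_action="SrcIP-DstIP-SrcPort-DstPort"):
        self.minimal_aging = minimal_aging                # seconds, default 10
        self.maximal_aging = maximal_aging                # seconds, default 600
        self.max_entries_same_src = max_entries_same_src  # 0 = feature off
        self.suspend_action = suspend_action
        self._entries_per_src = {}                        # src_ip -> suspensions so far

    def suspension_length(self, n):
        """Seconds for the n-th (1-based) suspension of the same source:
        Minimal Aging Timeout, doubling each time, capped at Maximal Aging
        Timeout, after which it stays constant."""
        if n < 1:
            raise ValueError("n is 1-based")
        return min(self.minimal_aging * 2 ** (n - 1), self.maximal_aging)

    def suspend(self, src_ip, dst_ip, src_port, dst_port):
        """Record one more offence from src_ip and return the resulting entry:
        its ordinal, its duration in seconds, and the key the device blocks on.
        Once the source has more entries than Maximum Entries with Same
        Source IP, the key collapses to the source address alone."""
        n = self._entries_per_src.get(src_ip, 0) + 1
        self._entries_per_src[src_ip] = n
        values = dict(zip(self.FIELDS, (src_ip, dst_ip, src_port, dst_port)))
        escalate = bool(self.max_entries_same_src and n > self.max_entries_same_src)
        action = "SrcIP" if escalate else self.suspend_action
        key = tuple(values[field] for field in action.split("-"))
        return {"entry": n, "seconds": self.suspension_length(n),
                "action": action, "key": key, "escalated": escalate}


if __name__ == "__main__":
    model = SuspendTableModel(max_entries_same_src=4)
    # Constructed sequence: the same source hits five different destination
    # ports; the fifth offence exceeds Maximum Entries with Same Source IP.
    for port in range(80, 85):
        print(model.suspend("198.51.100.7", "192.0.2.10", 40000 + port, port))
```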
Parameter Description
Task Name The name of the schedule.
Frequency How often the event occurs.
Values: daily, once, weekly
Default: once
Time The time on the designated day in the format hhmm.
When multiple days are selected, the value is the same for all the
configured days.
Date If the event frequency is once, configure the date that the event
occurs in the DD/MM/YYYY format.
Days of Week If the selected event frequency is weekly, select the day or days the
event occurs.
Caution: Changing the configuration of this feature takes effect only after a device reset.
You can configure the device to inspect the traffic using the common Layer 2 tunneling protocols,
VLAN (802.1Q) and MPLS. Inspecting these types of L2 tunnels, as part of the protection criteria, is
essential in environments such as for Managed Security Service Providers (MSSP).
Parameter Description
Inspect VLAN (802.1Q) and MPLS Traffic Specifies whether the device inspects this type of
traffic.
Default: Disabled
Inspect Encapsulated GRE Traffic Specifies whether the device inspects this type of
traffic.
When the Device Operation Mode is IP, this option
must be enabled to support GRE tunnels.
Default: Disabled
Inspect Encapsulated L2TP Traffic Specifies whether the device inspects this type of
traffic.
Default: Disabled
Inspect Encapsulated GTP Traffic Specifies whether the device inspects this type of
traffic.
Default: Disabled
Inspect Encapsulated IP-in-IP Traffic Specifies whether the device inspects this type of
traffic.
Default: Disabled
Apply Black and White List Rules to the Encapsulated Headers
Specifies whether the device applies Black List and White List rules to the encapsulated headers.
Default: Disabled
Support MPLS-RD in Network Protections Specifies whether the device implements MPLS-RD in
its network protections.
Default: Disabled
Bypass IPsec Traffic Specifies whether the device bypasses IPsec traffic (that is, whether the device passes through IPsec traffic).
Default: Enabled
Notes
• Changing the configuration of this feature takes effect only after a device reset.
• By default, the Device Operation Mode is set to Transparent mode. In IP mode, some
features are not supported. If you change to IP mode, DefensePro automatically disables the
features that are not supported.
Note: For an illustration that shows an in-line installation of DefensePro IPS in an enterprise, see
Figure 2 - Typical DefensePro Deployment, page 23.
Note: For an illustration that shows DefensePro IPS in an out-of-path deployment, see Figure 3 -
Out-of-Path DefensePro Deployment, page 24.
Parameter Description
Device Operation Mode Values:
• Transparent
• IP
Caution: Changing the setting of this parameter requires a
reboot to take effect.
Enable Challenge Persistency on Origin Port (This parameter is available only when Device Operation Mode is IP.)
Values:
• Enabled—DefensePro sends challenges through the port from which the traffic was received. Enable this option in topologies where DefensePro may receive attack packets from a client through multiple routers.
• Disabled—DefensePro sends challenges according to the L3 routing table.
Default: Disabled
Caution: If the option is enabled, DefensePro automatically disables the option if Device Operation Mode changes to Transparent.
Note: Instead of configuring each individual device, Radware recommends configuring the APSolute
Vision server to convey the syslog messages from all devices.
Parameter Description
Enable Syslog Server Specifies whether the syslog server is enabled.
Default: Enabled
Syslog Server The IP address or hostname of the device running the syslog service
(syslogd).
Source Port The syslog source port.
Default: 514
Note: Port 0 specifies a random port.
Destination Port The syslog destination port.
Default: 514
Facility The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
• Distinguish between different devices
• Define rules that split messages
Values:
• Authorization Messages
• Clock Daemon
• Clock Daemon2
• FTP Daemon
• Kernel Messages
• Line Printer Subsystem
• Local Use 0
• Local Use 1
• Local Use 2
• Local Use 3
• Local Use 4
• Local Use 5
• Local Use 6
• Local Use 7
• Log Alert
• Log Audit
• Mail System
• Network News Subsystem
• NTP Daemon
• Syslogd Messages
• System Daemons
• User Level Messages
• UUCP
Default: Local Use 6
Send Security-Event Reports to Syslog
Specifies whether the device sends security-event reports to the syslog server. Security events include all events related to attack detection and mitigation: start, ongoing, occurred, sampled, and terminated.
Default: Enabled
Send Health-Event Reports to Syslog
Specifies whether the device sends device-health-event reports to the syslog server. Device-health events include all events related to device health, for example, temperature, fan failure, CPU, tables, resources, and so on.
Default: Enabled
Send Audit-Event Reports to Syslog
Specifies whether the device sends audit-event reports to the syslog server. Audit events include all events related to user operations, for example, login attempts and configuration changes.
Default: Enabled
Note: Typically, in the context of DefensePro signaling, NOCs are carriers, and SOCs are managed-
security-service providers (MSSPs).
When signaling is enabled:
• DefensePro exposes situational data through its SOAP interface. The data includes device-health
information, traffic statistics, and management information. Under normal circumstances—that
is, when there is no attack, the SOAP queries and responses get through. However, during
attacks, the pipe may be saturated, and the SOAP queries and responses get lost.
• When DefensePro detects an attack, DefensePro sends signals to a specified syslog server. The
signals include the attack events and, optionally, additional attack data.
For information on the SOAP API and syslog signals, see the DefensePro Signaling API Integration
Guide.
You configure signaling policies to send signals to a syslog server configured in the DefensePro
device. The configuration of each signaling policy specifies the Network Protection policies, Server
Protection policies, and protection types.
Parameter Description
Enabled Specifies whether the signaling policy is enabled.
Values: Enabled, Disabled
Default: Enabled
Policy ID A numerical identifier for the signaling policy.
Values: 1–100
Policy Name The name of the signaling policy.
Maximum characters: 80
Syslog Server The syslog server to which DefensePro sends the attack alert
signals.
Customer Name The name of the customer, which is included in the alert
messages.
Maximum characters: 32
Customer Description The description of the customer, which is included in the alert
messages. This description can include, for example, details of the
specific device or environment.
Maximum characters: 100
Pipe Size The total size, in Mbps, of the ISP link of the customer. DefensePro
uses this value to calculate the pipe-utilization percentage, which
is included in attack alerts.
Signaling Mode Values:
• Events and Data—Attack signals contain the basic attack
alerts and the additional metadata for the alert events.
• Events Only—Attack signals contain the basic attack alerts
only.
All Network Policies Specifies whether the signaling policy sends signals for all enabled Network Protection policies or only for specific Network Protection policies, that is, a Network-Policy Source Group.
Default: Enabled
Network-Policies Group ID (This parameter is available only when the All Network Policies checkbox is cleared.)
The ID of the Server-Protection Group, which defines specific Server Protection policies for the signaling policy. For more information, see the procedure To configure a Server Source Group for the signaling policy, page 161.
All Servers Specifies whether the signaling policy sends signals for all enabled
Server Protection policies or only for specific rule groups.
Default: Enabled
Server-Protection Group ID (This parameter is available only when the All Servers checkbox is cleared.)
The ID of the Network-Policies Group ID, which defines specific Server Protection policies.
Parameter Description
Source Group ID The identifier of the group.
Maximum characters: 3
Network Policy Names The Network Protection policy.
Parameter Description
Source Group ID The identifier of the group.
Maximum characters: 3
Server Name The Server Protection policy.
Note: To prevent overloading the managed device and prevent degraded performance, the feature
is disabled by default.
Note: You can specify the event types (security, device-health, and audit) for each targeted syslog
server and targeted SNMP address—in the configuration of the respective object (see Configuring
DefensePro Syslog Settings, page 157 and Configuring SNMP Target Addresses, page 108).
In addition, DefensePro can provide the APSolute Vision server sampled captured packets that were
identified by the DefensePro device as part of the specific attack. DefensePro sends these packets to
the specified IP address, encapsulated in UDP packets.
Notes
• DefensePro does not provide sampled captured packets from suspicious sources that DefensePro
challenged. (DefensePro supports an option to challenge sources in HTTP Flood Protection, SYN
Flood Protection, DNS Flood Protection, and SSL Protection.)
• DefensePro does not provide sampled GRE-encapsulated captured packets.
You can also configure DefensePro devices to send captured attack packets along with the attack
event for further offline analysis. Packet reporting and SRP use the same default port, 2088.
To configure the advanced reporting settings in DefensePro 6.x versions and 7.x
versions 7.40 and later
1. In the Configuration perspective, select Setup > Reporting Settings > Advanced Reporting
Settings.
2. Configure the parameters, and then, click Submit.
Parameter Description
Note: The parameters in this tab apply only to the reporting of security events.
Report Interval The frequency, in seconds, at which reports are sent through the reporting channels.
Values: 1–65,535
Default: 5
Maximal Number of Alerts per Report
The maximum number of attack events that can appear in each report (sent within the reporting interval).
Values: 1–2000
Default: 1000
Note: If an attack generates a large number of traps,
DefensePro might not send traps from other attacks.
Report per Attack Aggregation Threshold
The number of events for a specific attack during a reporting interval, before the events are aggregated to a report.
When the number of the generated events exceeds the
Aggregation Threshold value, the IP address value for the
event is displayed as 0.0.0.0, which specifies any IP address.
Values: 1–50
Default: 5
L4 Port for Reporting The port used for packet reporting and SRP.
Values: 1–65,535
Default: 2088
Enable Sending Traps Specifies whether DefensePro uses the traps reporting
channel.
Default: Enabled
Minimal Risk Level for Sending Traps
The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
Default: Low
Enable Sending Syslog Specifies whether DefensePro uses the syslog reporting
channel.
Default: Enabled
Minimal Risk Level for Sending Syslog
The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
Default: Low
Enable Sending Terminal Echo Specifies whether DefensePro uses the Terminal Echo
reporting channel.
Default: Disabled
Minimal Risk Level for Sending Terminal Echo
The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
Default: Low
Minimal Risk Level for Sending Email
The minimal risk level for the reporting channel. Attacks with the specified risk value or higher are reported.
Default: Low
Enable Security Logging Specifies whether DefensePro uses the security logging
reporting channel.
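How Report Interval, Maximal Number of Alerts per Report and Report per Attack Aggregation Threshold interact within one reporting interval, including the crowding-out effect the note on traps warns about, as an added illustration written for this page rather than DefensePro's own reporting code; the event shape, the sample attack names and addresses, and the assumption that the report is filled in event order are constructed:

```python
"""Model of one reporting interval of DefensePro's security-event reporting,
built from the parameter descriptions on this page (added example, not
Radware code). Assumptions: events are dicts {"attack": name, "ip": addr}
(constructed shape) and the report is filled in event order; which attack's
alerts survive the per-report cap is not stated by the guide."""
from collections import defaultdict

ANY_IP = "0.0.0.0"  # shown for aggregated events; "specifies any IP address"


def aggregate_report(events, aggregation_threshold=5, max_alerts_per_report=1000):
    """Build the alerts for one Report Interval.

    Events of the same attack are listed individually until their count
    exceeds the Report per Attack Aggregation Threshold, after which that
    attack appears once with the IP shown as 0.0.0.0. The report is then
    truncated to Maximal Number of Alerts per Report; the number of alerts
    that did not fit is returned as the second value (one noisy attack can
    crowd out the alerts of other attacks).
    """
    per_attack = defaultdict(list)
    for event in events:
        per_attack[event["attack"]].append(event)

    alerts = []
    for attack, attack_events in per_attack.items():
        if len(attack_events) > aggregation_threshold:
            alerts.append({"attack": attack, "ip": ANY_IP,
                           "count": len(attack_events), "aggregated": True})
        else:
            for event in attack_events:
                alerts.append({"attack": attack, "ip": event["ip"],
                               "count": 1, "aggregated": False})

    dropped = max(0, len(alerts) - max_alerts_per_report)
    return alerts[:max_alerts_per_report], dropped


# Constructed sample: one flood that generates many events in the interval,
# plus a second attack with two events.
SAMPLE_EVENTS = (
    [{"attack": "SYN Flood", "ip": "203.0.113.%d" % i} for i in range(8)]
    + [{"attack": "DNS Flood", "ip": "198.51.100.5"}] * 2
)

if __name__ == "__main__":
    report, dropped = aggregate_report(SAMPLE_EVENTS)
    for alert in report:
        print(alert)
    print("alerts not sent:", dropped)
```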
Parameter Description
Minimum Severity for Sending Traps The minimal severity for the sending of traps for device-
health and audit events. Events with the specified severity
value or higher are reported. Device-health events include all
events related to device health, for example, temperature,
fan failure, CPU, tables, resources, and so on. Audit events
include all events related to user operations, for example,
login attempts and configuration changes.
Values (in order of severity):
• Debug
• Info
• Warning
• Error
• Fatal
Default: Info
Minimal Severity for Sending Syslog The minimal severity for the sending of syslog reports for
device-health events and audit events. Events with the
specified severity value or higher are reported. Device-health
events include all events related to device health, for
example, temperature, fan failure, CPU, tables, resources,
and so on. Audit events include all events related to user
operations, for example, login attempts and configuration
changes.
Values (in order of severity):
• Debug
• Info
• Warning
• Error
• Fatal
Default: Info
Table 122: Advanced Reporting: Packet Reporting and Packet Trace Parameters
Parameter Description
Enable Packet Reporting Specifies whether DefensePro sends sampled attack packets
along with the attack event.
Default: Enabled
Maximum Packets per Report The maximum number of packets that the device can send
within the Report Interval.
Values: 1–65,535
Default: 100
Destination IP Address The destination IP address for the packet reports.
Default: 0.0.0.0
Note: Only one destination IP address can be configured
for packet reporting, even when more than one APSolute
Vision server manages the device.
Enable Packet Trace on Physical Port Specifies whether the Packet Trace feature is disabled or, when it is enabled, the physical port to which the DefensePro device sends identified attack traffic (when the Packet Trace feature is enabled in the policy rule or profile).
Values:
• none—The Packet Trace feature is disabled.
• The physical, inspection ports (that is, excluding the
management ports)
Default: none
Caution: A change to this parameter takes effect only
after you update policies.
Note: DefensePro does not support this feature when the
Device Operation Mode is IP (see Configuring the Device
Operation Mode for DefensePro, page 156).
Maximum Length of Dropped Packets
The maximum length, in bytes, of dropped packets that the Packet Trace feature sends. DefensePro can limit the size of Packet Trace sent packets only for dropped packets. That is, when a rule is configured with Report Only (as opposed to Block), the Packet Trace feature sends the whole packets.
If you are interested only in the packet headers of the dropped packets, set the minimal value, 64, to conserve resources.
Values: 64–1550
Default: 1550
Caution: A change to this parameter takes effect only
after you update policies.
Maximum Rate The maximum number of packets per second that the Packet
Trace feature sends.
Values: 1–200,000
Default: 50,000
Caution: A change to this parameter takes effect only
after you update policies.
Parameter Description
Enable netForensics Reporting Specifies whether DefensePro sends reports using the
netForensics reporting agent.
Default: Disabled
Agent IP Address The IP address of the netForensics agent.
L4 Port The port used for netForensics reporting.
Values: 1–65,535
Default: 555
Parameter Description
Destination IP Address The target addresses for data reporting.
The table can contain up to 10 addresses. By default, when
there is room in the table, addresses are added automatically
when you add a DefensePro device to the tree in the device
pane.
Note: For information on how to manage and configure the actual cluster, see Managing
DefensePro Clusters for High Availability, page 56 and Configuring DefensePro High-Availability
Clusters, page 59.
Parameter Description
Cluster Member Specifies whether the device is a member of a two-node cluster for
high availability. If you clear the Cluster Member checkbox in the
configuration of the primary or secondary member, APSolute Vision
breaks the cluster (after you submit the changes).
Note: You can clear the Cluster Member checkbox in the
configuration of the secondary only when the primary member is
unavailable.
Peer Device The name of the other device in the cluster. The drop-down list
contains the names of all the DefensePro devices that are not part
of a cluster. When the device is a member of an existing high-
availability cluster, the drop-down list is unavailable.
Associated Management Ports Specifies the management (MNG) port or ports through which the
primary and secondary devices communicate.
Values: MNG1, MNG2, MNG1+2
Note: You cannot change the value if the currently specified
management port is being used by the cluster. For example, if the
cluster is configured with MNG1+2, and MNG1 is in use, you
cannot change the value to MNG2.
Heartbeat Timeout The time, in seconds, that the passive device detects no heartbeat
from the active device before the passive device becomes active.
Values: 10–30
Default: 10
Link Down Timeout The time, in seconds, after all links to the active device are
identified as being down before the devices switch states.
Values: 1–65,535
Default: 1
Note: If a dead link or idle line is detected on both cluster
members, there is no switchover.
Use Idle Line Detection Specifies whether the devices switch states due to an idle line
detected on the active device.
Default: Disabled
Note: If an idle line is detected on both cluster members, there
is no switchover.
Idle Line Threshold The minimum bandwidth, in Kbit/s, that triggers a switchover when
the Use Idle Line Detection option is enabled.
Values: 512–4,294,967,295
Default: 512
Note: If the Use Idle Line Detection checkbox is cleared, this
parameter is ignored.
Idle Line Timeout The time, in seconds, with line bandwidth below the Idle Line
Threshold that triggers a switchover when the Use Idle Line
Detection option is enabled.
Values: 3–65,535
Default: 10
Note: If the Use Idle Line Detection checkbox is cleared, this
parameter is ignored.
Baseline Sync. Interval The interval, in seconds, that the active device synchronizes the
BDoS and HTTP Mitigator baselines.
Values: 3600–86,400
Default: 3600
Note: The active device synchronizes the baselines also when
the cluster is created.
Switchover Sustain Timeout The time, in seconds, after a manual switchover that the cluster
members will not change states.
Values: 30–3600
Default: 180
Allow automatic failback Specifies whether the secondary device fails back to the primary
device when the primary device becomes available again.
After you create or modify a class, the configuration is saved in the APSolute Vision database. You
must activate the configuration to download it to the device. You can also view the current class
configurations on your device. After creation, you cannot modify the name of a class, or the
configuration of application, MAC, or physical port classes.
A Network class is identified by a name and defined by a network address and mask, or by a range
of IP addresses (from-to). For example, network net1 can be 10.0.0.0/255.0.0.0 and network net2
can be from 10.1.1.1 to 10.1.1.7; alternatively, network net1 can be 1234::0/32 and network net2
can be from 1234::0 to 1234:FFFF:FFFF:FFFF. The Network list allows either configuration.
Using classes enables you to define a network comprising multiple subnets and/or IP ranges, all
identified by the same class name. For example, network net1 can be both 10.0.0.0/255.255.255.0
and 10.1.1.1 to 10.1.1.7.
Parameter Description
Network Name The name of the Network class.
The network name is case-sensitive.
The network name cannot be an IP address.
Maximum characters: 64
Entry Type Specifies whether the network is defined by a subnet and mask, or by
an IP range.
Values: IP Mask, IP Range
Network Type Values: IPv4, IPv6
Network Address The network address.
Prefix (This parameter displays only when Entry Type is IP Mask.) The mask of the subnet, which
you can enter in either of the following ways:
• A subnet mask in dotted decimal notation—for example, 255.0.0.0 or 255.255.0.0.
• An IP prefix, that is, the number of mask bits—for example, 8 or 16.
From IP (This parameter displays only when Entry Type is IP Range.) The first IP address in the
range.
To IP (This parameter displays only when Entry Type is IP Range.) The last IP address in the range.
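As an added example (not Radware code), the following Python models a Network class with both entry types (IP Mask with a dotted-decimal mask or a prefix length, and IP Range) and checks whether an address belongs to it; net1 and net2 are the sample networks from the text, with the IPv6 range end spelled out as a full address, and the name checks follow the table above.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class NetworkClass:
    """A named Network class: one or more IP Mask or IP Range entries."""
    name: str
    entries: list = field(default_factory=list)

    def __post_init__(self) -> None:
        # Name rules from the guide: case-sensitive, at most 64 characters,
        # and never a bare IP address.
        if not 1 <= len(self.name) <= 64:
            raise ValueError("network name must be 1 to 64 characters")
        try:
            ipaddress.ip_address(self.name)
        except ValueError:
            return                      # not an IP address: name is acceptable
        raise ValueError("network name cannot be an IP address")

    def add_mask(self, address: str, prefix: str) -> None:
        """IP Mask entry. 'prefix' is a dotted-decimal mask (255.0.0.0)
        or the number of mask bits (8); both forms are accepted."""
        # strict=False tolerates host bits set in 'address' (10.1.2.3/8).
        net = ipaddress.ip_network(f"{address}/{prefix}", strict=False)
        self.entries.append(("mask", net))

    def add_range(self, from_ip: str, to_ip: str) -> None:
        """IP Range entry, inclusive on both ends."""
        lo, hi = ipaddress.ip_address(from_ip), ipaddress.ip_address(to_ip)
        if lo.version != hi.version:
            raise ValueError("From IP and To IP must be the same IP version")
        if lo > hi:
            raise ValueError("From IP must not be higher than To IP")
        self.entries.append(("range", (lo, hi)))

    def contains(self, ip: str) -> bool:
        """True if 'ip' falls inside any entry of the class."""
        addr = ipaddress.ip_address(ip)
        for kind, spec in self.entries:
            if kind == "mask":
                if addr.version == spec.version and addr in spec:
                    return True
            else:
                lo, hi = spec
                if addr.version == lo.version and lo <= addr <= hi:
                    return True
        return False


def example_classes() -> tuple:
    """The networks from the text: net1 is an IPv4 subnet plus a range,
    net2 is an IPv6 subnet plus a range. The guide writes the IPv6 range
    end as 1234:FFFF:FFFF:FFFF; it is written out as a full address here
    (constructed sample value)."""
    net1 = NetworkClass("net1")
    net1.add_mask("10.0.0.0", "255.255.255.0")     # dotted-decimal mask form
    net1.add_range("10.1.1.1", "10.1.1.7")
    net2 = NetworkClass("net2")
    net2.add_mask("1234::0", "32")                 # prefix-length form
    net2.add_range("1234::0", "1234:ffff:ffff:ffff::")
    return net1, net2


if __name__ == "__main__":
    net1, net2 = example_classes()
    for ip in ("10.0.0.77", "10.1.1.7", "10.1.1.8", "1234:1::5", "1235::1"):
        print(ip, "net1" if net1.contains(ip) else "-",
              "net2" if net2.contains(ip) else "-")
```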
Note: DefensePro can protect management ports with Signature Protection or BDoS Protection
profiles. To ensure the effectiveness and integrity of an inbound network policy for the management
ports (MNG-1 and MNG-2), DefensePro generates a Physical Port class named Management. Only
Signature Protection and BDoS Protection can be configured on the management policy. The
Management physical port class (also referred to as a Port Group) is static (not configurable), and
you cannot configure a Physical Port class with just one management port. The Priority (see
Configuring Network Protection Policies, page 3) value of a network policy with the Management
Port Group is reserved to be always the highest in the device. In addition, the Network Protection
policy with Management Port Group must have the Packet Trace Configuration on Policy
Takes Precedence option enabled.
Caution: The ACL module cannot use a Service that includes a value for an Offset Mask Pattern
Condition (OMPC) or Content parameter.
Parameter Description
Name The name of the filter.
Protocol Values:
• IP
• TCP
• UDP
• ICMP
• NonIP
• ICMPV6
• SCTP
Default: IP
Source App. Port The Layer-4 source port for TCP, UDP, or SCTP traffic.
Values:
• dcerpc
• dns
• ftp
• h225
• http
• https
• imap
• irc
• ldap
• ms-sql-m
• ms-sql-s
• msn
• my-sql
• oracle
• ntp
• pop3
• privileged-services
• radius
• rexec
• rshell
• rtsp
• sccp (skinny)
• sip
• smb
• smtp
• snmp
• ssh
• ssl
• sunrpc
• telnet
• tftp
Destination App. Port The Layer-4 destination port for TCP, UDP, or SCTP traffic.
Values:
• dcerpc
• dns
• ftp
• h225
• http
• https
• imap
• irc
• ldap
• ms-sql-m
• ms-sql-s
• msn
• my-sql
• oracle
• ntp
• pop3
• privileged-services
• radius
• rexec
• rshell
• rtsp
• sccp (skinny)
• sip
• smb
• smtp
• snmp
• ssh
• ssl
• sunrpc
• telnet
• tftp
OMPC Offset Relative to The reference point in the packet from which the OMPC Offset is counted.
Values:
• None
• IPv4 Header
• IPv6 Header
• IP Data
• L4 Data
• ASN1
• Ethernet
• L4 Header
OMPC Offset The location in the packet where the data starts being checked for specific
bits in the IP or TCP header.
Values: 0–1513
OMPC Mask The mask for OMPC data. The value must be defined according to the
OMPC Length parameter.
Values: Must comprise eight hexadecimal symbols
Default: 00000000
OMPC Pattern The fixed-size pattern within the packet that the OMPC rule attempts to
find. The value must be defined according to the OMPC Length parameter.
The OMPC Pattern must contain eight hexadecimal symbols. If the value
for the OMPC Length parameter is smaller than Four Bytes, you need to
pad the OMPC Pattern with zeros. For example, if OMPC Length is two
bytes, the OMPC Pattern can be abcd0000.
Values: Must comprise eight hexadecimal symbols
Default: 00000000
OMPC Condition Values:
• None
• Equal
• Not Equal
• Greater Than
• Less Than
Default: None
OMPC Length Values:
• None
• One Byte
• Two Bytes
• Three Bytes
• Four Bytes
Default: None
Content Offset The location in the packet at which the checking of content starts.
Values: 0–1513
Content The value of the content search.
Values: any printable ASCII character, that is: space ! " # $ % & ' ( ) * + , - . / 0–9 : ; < = > ? @
A–Z [ \ ] ^ _ ` a–z { | } ~
Content Type The specific content type to search for.
Values:
• None
• URL—A URL in the HTTP request URI.
• Text—Text anywhere in the packet.
• Hostname—A hostname in the HTTP header. The host names in the Hostname List of an L7
Policy are not algorithmically related to a host name configured for a basic filter.
• Header Field—A header field in the HTTP header.
• Expression—Text anywhere in the packet represented by a regular expression specified in
the Content field.
• Mail Domain—The Mail Domain in the SMTP header.
• Mail To—The Mail To SMTP header.
• Mail From—The Mail From SMTP header.
• Mail Subject—The Mail Subject SMTP header.
• File Type—The type of the requested file in the HTTP GET command (for example, JPG,
EXE, and so on).
• Cookie—The HTTP cookie field. The Content field includes the cookie name, and the Content
Data field includes the cookie value.
• Normalized URL—A normalized URL in the HTTP request URI.
• POP3 User—The POP3 User field in the POP3 header.
• URI Length—Filters according to URI length.
• FTP Command—Parses FTP commands to commands and arguments, while normalizing FTP
packets and stripping Telnet opcodes.
• FTP Content—Scans the data transmitted using FTP, normalizes FTP packets and strips
Telnet opcodes.
• Generic Url—The generic URL in the HTTP Request URI. No normalization procedures are
taken. GET/HEAD/POST is not required when this type is selected. This is applicable for
protocols like SIP, BitTorrent, and so on.
• Generic Header—In the HTTP Request URI. No normalization procedures are taken.
GET/HEAD/POST is not required when this type is selected. This is applicable for protocols
like SIP, BitTorrent, and so on.
• Generic Cookie—In the HTTP Request URI. No normalization procedures are taken.
GET/HEAD/POST is not required when this type is selected. This is applicable for protocols
like SIP, BitTorrent, and so on.
Default: None
Content End Offset The location in the packet at which the checking of content ends.
Values: 0–1513
Content Data Refers to the search for the content within the packet.
Content Coding The encoding type of the content to search for (as specified in the
Content field).
Values:
• None
• Case Insensitive
• Case Sensitive
• HEX
• International
Default: None
Note: The value of this field corresponds to the Content Type
parameter.
Content Data Coding The encoding type of the content data to search for (as specified in the
Content Data field).
Values:
• None
• Case Insensitive
• Case Sensitive
• HEX
• International
Default: None
Note: The value of this field corresponds to the Content Type
parameter.
Description A description of the filter.
Session Type The specific session type to search for.
Values:
• None
• Ftp Control
• Ftp Data
• Ftp All
• Tftp Control
• Tftp Data
• Tftp All
• Rshell Control
• Rshell Data
• Rshell All
• Rexec Control
• Rexec Errors
• Rexec All
• H225 Control
• H245 session
• H225 All
• SIP Signal
• SIP Media Control
• SIP Audio
• SIP All
Default: None
Session Type Direction The specific direction of the specified session type to search for.
Values: All, Request, Reply
Default: None
Example
The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as:
AF1= {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three
filters (F1, F2, and F3).
Caution: If you modify the configuration of a filter that is used in an existing and enabled policy,
you need to activate the latest changes.
Parameter Description
AND Group Name The name of the AND Group.
Basic Filter Name The basic filter for this AND Group.
AND Group Type (Read-only)
Values:
• Static—The AND Group is predefined.
• Regular—The AND Group is user-defined.
Example
The basic filters F1, F2, and F3 have been individually configured. Filter AF1 is user-defined as:
AF1= {F1 AND F2 AND F3}. In order for a packet to match AF1, the packet must match all three
filters (F1, F2, and F3). Filter FG1 is user-defined as: FG1 = {AF1 OR F4 OR F6}. In order for a
packet to match FG1, the packet must match either filter AF1, basic filter F4, or basic filter F6.
Use the Modify OR Groups Table pane to create, modify, and delete the OR Group filters.
Caution: If you modify the configuration of a filter that is used in an existing and enabled policy,
you need to activate the latest changes.
Parameter Description
OR Group Name The name of the OR Group.
Filter Name The filter for this OR Group, which can be a Basic filter or an AND Group.
Filter Type Value: Basic Filter, AND Group
OR Group Type (Read-only)
Values:
• Static—The OR Group is predefined.
• Regular—The OR Group is user-defined.
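The following added Python example (not Radware code) evaluates basic filters reduced to their OMPC fields (Offset Relative to, Offset, Mask, Pattern, Condition, Length, as in the basic filter table) on an Ethernet/IPv4/TCP frame, and composes them into the AF1 AND Group and FG1 OR Group from the examples above. The header-offset bases, the right-zero-padded pattern handling, the treatment of an unset OMPC as a no-op and the constructed frame are assumptions; the ASN1 and IPv6 Header bases are not modelled.

```python
import operator
import struct
from dataclasses import dataclass

# OMPC Condition and OMPC Length values from the basic filter table.
CONDITIONS = {"Equal": operator.eq, "Not Equal": operator.ne,
              "Greater Than": operator.gt, "Less Than": operator.lt}
LENGTHS = {"One Byte": 1, "Two Bytes": 2, "Three Bytes": 3, "Four Bytes": 4}
ETH_LEN = 14  # untagged Ethernet II header (assumption: no VLAN tag)


def header_base(pkt: bytes, relative_to: str) -> int:
    """Byte offset of the 'OMPC Offset Relative to' reference point in an
    Ethernet/IPv4 frame (ASN1 and IPv6 Header are not modelled here)."""
    if relative_to in ("None", "Ethernet"):
        return 0
    if relative_to == "IPv4 Header":
        return ETH_LEN
    ihl = (pkt[ETH_LEN] & 0x0F) * 4               # IPv4 header length in bytes
    if relative_to in ("IP Data", "L4 Header"):
        return ETH_LEN + ihl
    if relative_to == "L4 Data":
        proto = pkt[ETH_LEN + 9]
        if proto == 6:                             # TCP: data offset, upper nibble
            return ETH_LEN + ihl + (pkt[ETH_LEN + ihl + 12] >> 4) * 4
        if proto == 17:                            # UDP: fixed 8-byte header
            return ETH_LEN + ihl + 8
        return ETH_LEN + ihl                       # other protocols (assumption)
    raise ValueError(f"unsupported OMPC base: {relative_to}")


@dataclass
class OMPCFilter:
    """A basic filter reduced to its OMPC fields (protocol, ports etc. omitted)."""
    name: str
    relative_to: str   # OMPC Offset Relative to
    offset: int        # OMPC Offset: 0-1513
    mask: str          # OMPC Mask: eight hex symbols
    pattern: str       # OMPC Pattern: eight hex symbols, zero-padded on the right
    condition: str     # OMPC Condition
    length: str        # OMPC Length

    def __post_init__(self) -> None:
        for fld in (self.mask, self.pattern):
            if len(fld) != 8:
                raise ValueError("mask and pattern must comprise eight hex symbols")
            int(fld, 16)                           # raises ValueError on a non-hex symbol
        if not 0 <= self.offset <= 1513:
            raise ValueError("OMPC Offset must be 0-1513")

    def matches(self, pkt: bytes) -> bool:
        if self.condition == "None" or self.length == "None":
            return True                            # assumption: an unset OMPC is a no-op
        n = LENGTHS[self.length]
        start = header_base(pkt, self.relative_to) + self.offset
        window = pkt[start:start + n]
        if len(window) < n:                        # packet too short: no match
            return False
        # Pattern and mask are left-aligned, so only the first 2*n hex symbols
        # count (the guide's "abcd0000" for a Two Bytes pattern).
        value = int.from_bytes(window, "big") & int(self.mask[:2 * n], 16)
        return CONDITIONS[self.condition](value, int(self.pattern[:2 * n], 16))


@dataclass
class FilterGroup:
    """AND Group: every member must match. OR Group: any member (a basic
    filter or an AND Group) may match."""
    name: str
    mode: str          # "AND" or "OR"
    filters: list

    def matches(self, pkt: bytes) -> bool:
        results = [f.matches(pkt) for f in self.filters]
        return all(results) if self.mode == "AND" else any(results)


def sample_frame(dst_port: int, tcp_flags: int, payload: bytes) -> bytes:
    """Constructed Ethernet/IPv4/TCP frame without options, for testing."""
    eth = b"\x00" * 12 + b"\x08\x00"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0x4000,
                     64, 6, 0, bytes([10, 0, 0, 5]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 0, 5 << 4, tcp_flags,
                      8192, 0, 0)
    return eth + ip + tcp + payload


def example_groups() -> FilterGroup:
    """FG1 = {AF1 OR F4 OR F6} with AF1 = {F1 AND F2 AND F3}, as in the text."""
    f1 = OMPCFilter("F1", "L4 Header", 2, "ffff0000", "00500000", "Equal", "Two Bytes")         # TCP dst port 80
    f2 = OMPCFilter("F2", "L4 Header", 13, "02000000", "02000000", "Equal", "One Byte")         # SYN flag set
    f3 = OMPCFilter("F3", "IPv4 Header", 8, "ff000000", "0a000000", "Greater Than", "One Byte")  # TTL > 10
    f4 = OMPCFilter("F4", "L4 Data", 0, "ffffffff", "47455420", "Equal", "Four Bytes")          # payload "GET "
    f6 = OMPCFilter("F6", "L4 Header", 2, "ffff0000", "01bb0000", "Equal", "Two Bytes")         # TCP dst port 443
    af1 = FilterGroup("AF1", "AND", [f1, f2, f3])
    return FilterGroup("FG1", "OR", [af1, f4, f6])
```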
Parameter Description
Ports Group Name The name of the Application Port Group.
To associate a number of ranges with the same port group, use the same
name for all the ranges that you want to include in the group. Each range
appears as a separate row with the same name in the Application Port
Group table.
Type of Entry (Read-only)
Values: System Defined, User Defined
From L4 Port The first port in the range.
To L4 Port The last port in the range.
To define a group with a single port, set the same value for the From L4
Port and To L4 Port parameters.
Parameter Description
VLAN Tags Group Name The name of the VLAN-tag group.
Group Mode The VLAN mode.
Values:
• Discrete—An individual VLAN tag, as defined in the interface
parameters of the device.
• Range—A group of sequential VLAN tag numbers, as defined in
the interface parameters of the device.
VLAN Tag The VLAN tag number.
(Discrete mode only)
VLAN Tag From The first VLAN tag in the range.
(for Range mode only) You cannot modify this field after creating the VLAN group.
VLAN Tag To The last VLAN tag in the range.
(for Range mode only)
Note: The terms Network Protection Policy and network policy may be used interchangeably in
APSolute Vision and in the documentation.
There are two main types of network protections: intrusion prevention (see Table 135 - Intrusion
Prevention Protections, page 187) and denial-of-service protection (see Table 136 - Denial of
Service Protections, page 187). The set of supported protections depends on the DefensePro
version.
Protection Description
Signatures Prevents known application vulnerabilities and exploitation attempts,
and protects against known DoS/DDoS flood attacks.
DoS Shield Protects against known flood attacks and flood-attack tools that can
also cause a denial-of-service effect.
Anti-Scanning Prevents zero-day self-propagating network worms, horizontal scans,
and vertical scans.
Protection Description
Behavioral DoS (BDoS) Protects against zero-day DoS/DDoS-flood attacks.
Connection Limit Protects against connection flood attacks.
SYN Protection Protects against SYN-flood attacks using SYN cookies.
DNS Protection Protects against zero-day DNS-flood attacks.
Out-of-State Protection Detects out-of-state packets to provide additional protection for TCP-
session–based attacks.
Note: The classification includes the source and destination configuration, which defines the
inbound traffic and outbound traffic. If the packet data matches the source-to-destination
configuration, DefensePro considers the packet to be inbound. If the packet data matches the
destination-to-source configuration, DefensePro considers the packet to be outbound.
• The action applied when an attack is detected on the matching network segment. The action
defines the protection profiles applied to the network segment, and whether the malicious traffic
should be blocked. Malicious traffic is always reported.
Note: The terms Network Protection policy and network policy may be used interchangeably in
APSolute Vision and in the documentation.
In this version of DefensePro, you can configure up to 200 Network Protection policies.
You can export, edit, and import policies. The information of an exported policy is referred to as a
template. A template may also include baselines. For more information, see Using Configuration
Templates for Security Policies, page 279.
Before you configure a policy, ensure that you have configured the following:
• The Classes that will be required to define the protected network segment. For more
information, see Managing Classes, page 169.
• The Network Protection profiles—for more information see:
— Configuring Signature Protection for Network Protection, page 194
— Configuring BDoS Profiles for Network Protection, page 213
— Configuring Anti-Scanning Protection for Network Protection, page 217
— Configuring Connection Limit Profiles for Network Protection, page 218
— Configuring SYN Profiles for Network Protection, page 222
— Configuring DNS Flood Protection Profiles for Network Protection, page 231
— Configuring Out of State Protection Profiles for Network Protection, page 236
Caution: When you configure the policy, APSolute Vision stores your configuration changes, but it
does not download your configuration changes to the device. To apply changes onto the device, you
must activate the configuration changes. Activating the latest changes is also referred to as Update
Policies.
Caution: When using the DefensePro SOAP interface, to remove a protection profile from a
Network Protection policy, you must enter the value none for the profile.
Parameter Description
Enabled Specifies whether the policy is enabled.
Policy Name The name of the Network Protection policy.
Maximum characters: 64
Caution: The name must not include a comma (,).
Instance ID The identifier of the DefensePro internal software instance on which the
Network Protection policy runs.
Values: Instance 0, Instance 1
Default: Instance 0
Priority The unique priority of the Network Protection policy.
The highest value is the highest priority.
DefensePro processes each packet using one Network Protection policy.
When there are multiple policies whose classification specification
overlap, only the policy with the highest Priority processes the packet.
Values:
• 0—Specifies that DefensePro automatically sets the priority by
adding 10 to the highest existing value.
• 1–63,999
Default: 0
Caution: DefensePro uses the specified Priority for all actions. That
is, the specified Priority takes precedence over all other Network
Protection parameters. For example, if you configure multiple policies
that include the same network addresses (sometimes referred to as
overlapping policies), DefensePro performs all actions according to
the specified Priority, even if the policies are configured for different
directions.
Caution: If a policy exists with a priority greater than or equal to
63,990, you cannot create a new policy using APSolute Vision.
Note: The value 64,000 is reserved for the physical port class named
Management. For more information, see Configuring Physical Port
Classes, page 171.
SRC Network The IP address or predefined class object that defines the source of the
packets that the policy uses.
To specify any network, the field may contain the value any or be
empty.
DST Network The IP address or predefined class object that defines the destination of
the packets that the policy uses.
To specify any network, the field may contain the value any or be
empty.
Caution: If Instance ID is Instance 1, the destination network of
the policy must not include the IP address of the DefensePro-device
management port. Otherwise, unexpected behavior will occur.
Port Group The Physical Port class or physical port that the policy uses.
Values:
• A Physical Port class displayed in the Classes tab
• The physical ports on the device
• None
Caution: If you specify a management port or a Physical Port class
with a management port, the Network Protection policy can support
only Signature Protection and BDoS Protection.
Direction The direction of the traffic to which the policy relates.
Values:
• One Way—The protection applies to sessions originating from
sources to destinations that match the network definitions of the
policy.
• Two Way—The protection applies to sessions that match the
network definitions of the policy regardless of their direction.
Default: One Way
VLAN Tag Group The VLAN Tag class that the policy uses.
Values:
• A VLAN Tag class displayed in the Classes tab
• None
Note: If you specify a VLAN group, you cannot specify an MPLS RD
group.
Protection Profiles (Displayed in the table, not the configuration) The profiles applied to the
network segment defined in this policy.
BDoS Profile The BDoS profile applied to the network segment defined in this policy.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
DNS Profile The DNS Protection profile applied to the network segment defined in
this policy.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
Anti Scanning Profile The Anti-Scanning profile applied to the network segment defined in
this policy.
Notes:
• You can click the adjacent button to open the dialog box in which
you can add and modify profiles.
• This parameter is not available when the Device Operation Mode
is IP (see Configuring the Device Operation Mode for DefensePro,
page 156).
Signature Protection Profile The Signature Protection profile applied to the network segment
defined in this policy.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
Connection Limit Profile The Connection Limit profile applied to the network segment defined in
this policy.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
Out of State Profile The Out of State profile applied to the network segment defined in this
policy.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
Service Discovery Profile The Service Discovery profile that the Network Protection policy uses to
identify HTTP servers to protect.
Leave the field empty if you do not want to implement the Service
Discovery feature.
For more information, see Configuring Global Service Discovery,
page 135 and Configuring Service Discovery Profiles, page 29.
Notes:
• You can click the adjacent button to open the dialog box in which
you can add and modify profiles.
• This parameter is not available when the Device Operation Mode
is IP (see Configuring the Device Operation Mode for DefensePro,
page 156).
SYN Flood Profile The SYN Flood profile applied to the network segment defined in this
policy.
Note: You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
Action The default action for all attacks under this policy.
Values:
• Block and Report—The malicious traffic is terminated and a security
event is generated and logged.
• Report Only—The malicious traffic is forwarded to its destination
and a security event is generated and logged.
Default: Block and Report
Note: Signature-specific actions override the default action for the
policy.
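As an added example (not Radware code), this Python models the Priority, SRC/DST Network and Direction rules from the table above: automatic priority assignment (0 means highest existing value plus 10), the unique 1–63,999 range, the 63,990 creation limit, the 200-policy limit, the inbound/outbound classification from the note earlier in this section, and selection of the single highest-priority policy among overlapping ones. The first automatic priority being 10, One Way matching only inbound traffic, and CIDR strings standing in for Network class names are assumptions; the addresses are constructed RFC 5737 documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

MAX_POLICIES = 200       # policies supported in this DefensePro version
AUTO_PRIORITY = 0        # "add 10 to the highest existing value"
AUTO_STEP = 10
MAX_PRIORITY = 63_999    # user range is 1-63,999 (64,000 is reserved for Management)
CREATION_LIMIT = 63_990  # no new policy once any priority is >= this value


def network_matches(spec: str, ip: str) -> bool:
    """SRC/DST Network: 'any' or an empty field matches every address;
    otherwise the field is read as a network in CIDR or mask notation
    (a fuller model would resolve a Network class name here)."""
    if spec in ("", "any"):
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)


@dataclass
class Policy:
    name: str
    src_network: str
    dst_network: str
    priority: int = AUTO_PRIORITY
    direction: str = "One Way"       # or "Two Way"
    enabled: bool = True

    def classify(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """'inbound' when the packet matches source-to-destination, 'outbound'
        when it matches destination-to-source (Two Way policies only),
        None when the policy does not apply to the packet."""
        if network_matches(self.src_network, src_ip) and \
                network_matches(self.dst_network, dst_ip):
            return "inbound"
        if self.direction == "Two Way" and network_matches(self.src_network, dst_ip) \
                and network_matches(self.dst_network, src_ip):
            return "outbound"
        return None


class PolicyTable:
    def __init__(self) -> None:
        self.policies: list = []

    def add(self, policy: Policy) -> Policy:
        """Apply the creation rules from the table, then store the policy."""
        if "," in policy.name or not 1 <= len(policy.name) <= 64:
            raise ValueError("policy name: 1-64 characters, no comma")
        if len(self.policies) >= MAX_POLICIES:
            raise ValueError("policy limit reached")
        if any(p.priority >= CREATION_LIMIT for p in self.policies):
            raise ValueError("a policy with priority >= 63,990 exists; cannot create")
        if policy.priority == AUTO_PRIORITY:
            highest = max((p.priority for p in self.policies), default=0)
            policy.priority = highest + AUTO_STEP   # 10 for the first policy (assumption)
        if not 1 <= policy.priority <= MAX_PRIORITY:
            raise ValueError("priority must be 1-63,999")
        if any(p.priority == policy.priority for p in self.policies):
            raise ValueError("priority must be unique")
        self.policies.append(policy)
        return policy

    def select(self, src_ip: str, dst_ip: str):
        """The one enabled policy that processes this packet: among all
        overlapping policies the highest Priority wins, whatever the direction.
        Returns (policy, direction) or None."""
        best = None
        for p in self.policies:
            if not p.enabled:
                continue
            direction = p.classify(src_ip, dst_ip)
            if direction and (best is None or p.priority > best[0].priority):
                best = (p, direction)
        return best


def example_table() -> PolicyTable:
    """Constructed overlapping policies for a protected 192.0.2.0/23 segment."""
    table = PolicyTable()
    table.add(Policy("web", "any", "192.0.2.0/24"))                           # auto -> 10
    table.add(Policy("dmz-all", "any", "192.0.2.0/23", direction="Two Way"))  # auto -> 20
    table.add(Policy("db", "10.0.0.0/8", "192.0.2.50/32", priority=500))
    return table
```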
Table 140: Network Protection Policy: Packet Reporting and Trace Settings Parameters
Parameter Description
Packet Reporting Specifies whether the device sends sampled attack packets to APSolute
Vision for offline analysis.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration perspective,
Setup > Reporting Settings > Advanced Reporting Settings >
Packet Reporting and Packet Trace > Enable Packet
Reporting).
Packet Reporting Configuration on Policy Takes Precedence Specifies whether the configuration
of the Packet Reporting feature here, on this policy, takes precedence over the configuration of
the Packet Reporting feature in the associated profiles.
Packet Trace Specifies whether the DefensePro device sends attack packets to the
specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration perspective,
Setup > Reporting Settings > Advanced Reporting Settings >
Packet Reporting and Packet Trace > Enable Packet Trace on
Physical Port). In addition, a change to this parameter takes effect
only after you update policies.
Note: DefensePro does not support this feature when the Device
Operation Mode is IP (see Configuring the Device Operation Mode
for DefensePro, page 156).
Packet Trace Configuration on Policy Takes Precedence Specifies whether the configuration of the
Packet Trace feature here, on this policy, takes precedence over the configuration of the Packet
Trace feature in the associated profiles.
A change to this parameter takes effect only after you update policies.
When deleting one or more Network Protection policies, you have two options: Delete Policy Only,
and Delete Policy and Related Elements.
Caution: When you select multiple rows and select Delete Policy and Related Elements,
DefensePro performs an Update Policies action after each policy deletion. Therefore, it might
take a long time for all the deletions to complete—depending on the number of selected rows
and the complexity of the policies. You might not be able to perform any other actions until the
whole deletion process is complete.
Caution: Signatures for client-side vulnerabilities are prone to cause significant performance
degradation.
You can configure Signature Protection using a set of predefined signature profiles for field
installation or using user-defined signature profiles. The set of predefined signature profiles include
protections for a corporate gateway, for a LAN DMZ, for carrier links, and so on. These Radware
profiles are updated along with the weekly signature database, which is maintained by the Radware
Vulnerability Research Team (VRT). You cannot edit Radware signature profiles, but you can create a
new profile according to the needs of your environment. For example, if you need to use only a small
set of custom signatures, you can create a new profile with those signatures and a new Threat Type
attribute (see Table 153 - Attribute Types, page 212).
Notes
• The Radware Vulnerability Research Team (VRT) is responsible for researching, handling, and
mitigating vulnerabilities, DDoS tools, and DDoS malware.
• If you require assistance creating a new signature, you can contact the relevant Radware
department—according to your service agreement.
• The difference between the system-defined, Signature Protection profiles All-DoS-Shield and
DoS-All are as follows:
— The All-DoS-Shield profile includes all DoS-flood signatures that have low complexity—that
is, without Application Security signatures. This profile provides protection against DoS
floods (high-rate and/or high-volume attacks).
— The DoS-All profile includes all types of DoS signatures: DoS-Shield signatures and
Application Security signatures. This profile provides the same protection as the All-DoS-
Shield profile with additional protection against application-level vulnerabilities and attack
tools including low-and-slow DoS attacks.
To configure Signature Protection profiles, Signature Protection must be enabled and global DoS
Shield parameters must be configured. For more information, see Configuring Global Signature
Protection, page 111 and Configuring Global DoS Shield Protection, page 112.
In this version of DefensePro, you can configure up to 300 Signature Protection profiles on a
DefensePro device.
Each rule in the profile can include one or more entries from the various attribute types.
Rules define a query on the Signatures database based on the following logic:
• Values from the same type are combined with logical OR.
• Values from different types are combined with logical AND.
Notes
• Rules in the profile are implicit. That is, when you define a value, the rule includes all signatures
that match a specific selected attribute plus all the signatures that have no attribute of that
type. This logic ensures that signatures that may be relevant to the protected network are
included—even if they are not associated explicitly (by VRT) with the application in the network.
• The difference between the system-defined, Signature Protection profiles All-DoS-Shield and
DoS-All are as follows:
— The All-DoS-Shield profile includes all DoS-flood signatures that have low complexity—that
is, without Application Security signatures. This profile provides protection against DoS
floods (high-rate, high-volume attacks).
— The DoS-All profile includes all types of DoS signatures: DoS-Shield signatures and
Application Security signatures. This profile provides the same protection as the All-DoS-
Shield profile with additional protection against slow-rate attacks and DoS vulnerability.
— To add a profile, click the (Add) button, and in the Profile Name text box, type the
name of the profile.
— To edit a profile, double-click the entry in the table.
— To display the list of signatures associated with the configured protections for the profile,
double-click the entry in the table, and then, click Show Matching Signatures.
3. Configure a rule for the profile as follows:
— To configure a new rule:
b. From the Attribute Type drop-down list, select the required value.
c. In the Attribute Value drop-down list, select or type the required value.
d. Click Submit.
— To edit the attribute value of a rule:
a. In the Attribute Type column of the table, move your mouse cursor to the relevant
attribute type of the relevant rule and click the little Add button. The Add Signature
Profile Rule tab opens, populated with the name of the rule and the name of the selected
attribute type.
b. In the Attribute Value drop-down list, select or type the required value.
c. Click Submit.
Note: Alternatively, to edit the attribute type and/or attribute value of an existing profile, you
can do the following (as supported in APSolute Vision version 3.20 and earlier):
Parameter Description
Profile Name The name of the signature profile.
Number of Matching Signatures (Read-only) The number of signatures that match the profile.
The number of matching signatures depends on the Match
Method of the Attribute Type (see Viewing and Modifying
Attribute Type Properties, page 213). The Match Method
Minimum is relevant only for the attribute types Complexity,
Confidence, and Risk, which have Attribute Values with
ascending-descending levels.
Minimum specifies that the Attribute Value includes the results
for the lower-level Attribute Values. For example, for the
attribute type Risk when the Match Method is Minimum, the
Attribute Value High matches only High, not Info, Low, or
Medium. Minimum is the default for Complexity, Confidence, and
Risk.
Show Matching Signatures This button appears only when editing a profile. Click to display
the list of signatures associated with the configured protections
for the profile.
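The rule logic described above (values of one attribute type combined with OR, different attribute types combined with AND, and implicit inclusion of signatures that carry no attribute of a queried type) together with the Match Method for Complexity, Confidence, and Risk, as an added Python example. This is not code from the guide or from DefensePro; the signature records are constructed sample data, and it assumes that Match Method Minimum matches the selected level or any higher level, which is consistent with the guide's example that High matches only High.

```python
# Added example (not Radware's code): how a Signature Protection profile rule selects
# signatures, following the logic the guide describes. Values of one attribute type
# are ORed, different attribute types are ANDed, and a signature that has no attribute
# of a queried type is still included (implicit rules). ASSUMPTION: for Complexity,
# Confidence and Risk, Match Method "Minimum" matches the selected level or any higher
# level (so selecting High matches only High, as the guide's example says); "Exact"
# matches the selected level only. The signature records are constructed sample data.

LEVELS = ["Info", "Low", "Medium", "High"]          # ascending order of the levelled values
LEVELLED_TYPES = {"Complexity", "Confidence", "Risk"}

# Constructed sample Signatures database: signature name -> {attribute type: set of values}
SIGNATURES = {
    "sig-http-a":  {"Protocol": {"HTTP"}, "Risk": {"High"},   "Application": {"Apache"}},
    "sig-http-b":  {"Protocol": {"HTTP"}, "Risk": {"Low"},    "Application": {"IIS"}},
    "sig-dns-a":   {"Protocol": {"DNS"},  "Risk": {"Medium"}},             # no Application attribute
    "sig-generic": {"Risk": {"High"}},                                     # no Protocol or Application
    "sig-ssh-a":   {"Protocol": {"SSH"},  "Risk": {"High"},   "Application": {"OpenSSH"}},
}


def value_matches(attr_type, selected, actual, match_method):
    """Does one value carried by a signature satisfy one value selected in the rule?"""
    if attr_type in LEVELLED_TYPES and match_method.get(attr_type, "Minimum") == "Minimum":
        return LEVELS.index(actual) >= LEVELS.index(selected)   # at least the selected level
    return actual == selected                                    # Exact, or a non-levelled type


def rule_matches(signature, rule, match_method=None):
    """rule: {attribute type: set of selected values}; match_method: {levelled type: 'Minimum'|'Exact'}."""
    match_method = match_method or {}
    for attr_type, selected_values in rule.items():
        actual_values = signature.get(attr_type)
        if not actual_values:
            continue            # implicit rule: no attribute of this type, so the signature stays included
        if not any(value_matches(attr_type, sel, act, match_method)
                   for sel in selected_values for act in actual_values):
            return False        # OR failed within this type, so the AND across types fails
    return True


def matching_signatures(rule, match_method=None, db=SIGNATURES):
    """Return the sorted names of the signatures the rule selects (the 'Show Matching Signatures' view)."""
    return sorted(name for name, sig in db.items() if rule_matches(sig, rule, match_method))
```

Note how "sig-generic" is selected by every rule that does not query Risk at a level above High: it has no Protocol or Application attribute, so those parts of the rule never exclude it. That is the implicit-rule behaviour the guide describes, and it is also why the caution below about user-defined signatures with NULL attributes matters.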
Parameter Description
The table displays details of the configured rules for the selected profile. Each rule can contain
more than one attribute type, and each attribute type can contain one or more attribute values.
Rule Name The name of the signature profile rule.
Attribute Type The list of predefined attribute types, which are based on the
various aspects taken into consideration when defining a new
attack.
Attribute Value The value for the defined attribute type.
Caution: DefensePro may automatically add user-defined signatures to existing profiles even
without a full attribute match. If you configure any user-defined signature, you must specify
attributes in addition to the default attributes—the more the better. The default attributes of user-
defined signatures are only Risk and Confidence. Unless you specify additional attributes, all other
attributes in a user-defined signature are NULL. If all other attributes in a user-defined signature are
NULL, DefensePro matches the signature against existing static profiles (such as DoS-ALL, DoS-SSL,
Fraud and All-DoS-Shield), and treats the missing attributes in it (which are NULL) as existing, with
default values. This causes DefensePro to add the user-defined signature to static profiles, which is
improper. Therefore, Radware recommends that you specify as many additional attributes as
possible, and prevent DefensePro using your user-defined signature improperly.
Note: To view all signatures, clear the text boxes at the top of the table columns, and then,
To view Signature Protection signatures and filter the table by signature parameters
1. In the Configuration perspective, select Network Protection > Signature Protection >
Signatures.
2. Select the Filter by ID option button.
3. Enter the search criteria in the boxes under the column headings.
To view Signature Protection signatures and filter the table by attribute parameters
1. In the Configuration perspective, select Network Protection > Signature Protection >
Signatures.
2. Select the Filter by Attribute option button.
3. Enter the search criteria in the boxes under the column headings.
Note: For example, for Attribute Type, select from the list of predefined attribute types,
which are based on the various aspects taken into consideration when defining a new attack.
Parameter Description
Signature Name The name of the signature.
Maximum characters: 29
Signature ID (Read-only) The ID assigned to the signature by the system.
Enabled Specifies whether the signature can be used in protection profiles.
Tracking Time The time, in milliseconds, for measuring the Active Threshold.
When a number of packets exceeding the threshold passes through
the device within the configured Tracking Time period, DefensePro
considers the attack to be active.
Default: 1000
Tracking Type Specifies how DefensePro determines which traffic to block or drop
when under attack.
Values:
• bobo2K
• Destination Count—Select this option when the defined attack
is destination-based—that is, the hacker is attacking a specific
destination, such as a Web server, for example, Ping Floods or
DDoS attacks.
• DHCP
• Drop All—Select this option when each packet of the defined
attack is harmful, for example, Code Red and Nimda attacks.
Caution: On devices without the SME, this option may have a
negative impact on performance.
• Fragments
• FTP Bounce
• Land Attack
• ncpsdcan
• Sampling—Select this option when the defined attack is based
on sampling, that is a DoS Shield attack.
• Source and Destination Count—Select this option when the
attack type is a source and destination-based attack—that is,
the hacker is attacking from a specific source IP to a specific
destination IP address, for example, Port Scan attacks.
• Source Count—Select this option when the defined attack is
source-based—that is, the attack can be recognized by its
source address, for example, a horizontal port scan, where the
hacker scans a certain application port (TCP or UDP) to detect
which servers are available in the network.
Default:
• Drop All—On devices with the SME.
• Sampling—On devices without the SME.
Action Mode The action that DefensePro takes when an active attack is detected.
Values:
• Drop—DefensePro discards the packet.
• Report Only—DefensePro forwards the packet to the defined
destination.
• Reset Source—DefensePro sends a TCP-Reset packet to the
packet source IP address.
• Reset Destination—DefensePro sends a TCP-Reset packet to
the destination address.
• Reset Bidirectional—DefensePro sends a TCP-Reset packet to
both the packet source IP and the packet destination IP
address.
• HTTP 200 OK—DefensePro sends a 200 OK response using a
predefined page and leaves the server-side connection open.
• HTTP 200 OK and Reset Destination—DefensePro sends a 200
OK response using a predefined page and sends a TCP-Reset
packet to the server side to close the connection.
• HTTP 403 Forbidden—DefensePro sends a 403 Forbidden
response using a predefined page and leaves the server-side
connection open.
• HTTP 403 Forbidden and Reset Destination—DefensePro sends
a 403 Forbidden response using a predefined page and sends a
TCP-Reset packet to the server side to close the connection.
Default: Drop
Note: The HTTP Action Modes are available only in DefensePro
6.x versions 6.12 and later and 7.x versions 7.41 and later. For
more information on HTTP action modes, see HTTP Action Modes,
page 210.
Suspend Action Specifies which session traffic the device suspends for the duration
of the attack.
Values:
• None—The suspend action is disabled for this attack.
• Source IP—All traffic from the IP address identified as the
source of this attack, is suspended.
• Source IP and Destination IP—Traffic from the IP address
identified as the source of this attack to the destination IP
under attack, is suspended.
• Source IP and Destination Port—Traffic from the IP address
identified as the source of this attack to the application
(destination port) under attack, is suspended.
• Source IP, Destination IP and Port—Traffic from the IP address
identified as the source of this attack to the destination IP and
port under attack, is suspended.
• Source IP and Port, Destination IP and Port—Traffic from the IP
address and port identified as the source of this attack to the
destination IP and port under attack, is suspended. With this
action, if Session Drop Mechanism is enabled, there will be no
entry of the session in the Suspend Table.
Direction The protection inspection path. The protections can inspect the
incoming traffic only, the outgoing traffic only, or both.
Values: Inbound, Outbound, Inbound & Outbound
Default: Inbound & Outbound
Activation Threshold The number of attack packets allowed in each Tracking Time
period.
When the value for Tracking Type is Drop All, DefensePro ignores
this parameter.
Default: 50
Drop Threshold The attack packets per Tracking Period after an attack has been
detected, above which DefensePro starts dropping excessive traffic.
When the value for Tracking Type is Drop All, the profile ignores
this parameter.
Default: 50
Termination Threshold The number of attack packets per Tracking Period below which
the profile changes the attack from active mode to inactive mode.
When the value for Tracking Type is Drop All, DefensePro ignores
this parameter.
Default: 50
Packet Reporting Enables the sending of sampled attack packets to APSolute Vision
for offline analysis.
Default: Disabled
Exclude Source IP Address The source IP address or class object whose packets the profile
does not inspect.
For DefensePro 7.x versions 7.42 and later—To specify any
network, the field may contain the value any or be empty.
For DefensePro versions other than 7.x versions 7.42 and later—If
you specify a value for Exclude Source IP Address, the value for
Exclude Destination IP Address cannot be None. To exclude
only by source IP address, for Exclude Source IP Address, type
any.
Default: Empty
Exclude Destination IP Address
The destination IP address or class object whose packets the profile does not inspect.
For DefensePro 7.x versions 7.42 and later—To specify any
network, the field may contain the value any or be empty.
For DefensePro versions other than 7.x versions 7.42 and later—If
you specify a value for Exclude Destination IP Address, the
value for Exclude Source IP Address cannot be None. To exclude
only by destination IP address, for Exclude Destination IP
Address, type any.
Default: Empty
Packet Trace Specifies whether the DefensePro device sends attack packets to
the specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to
take effect, the global setting must be enabled (Configuration
perspective, Setup > Reporting Settings > Advanced
Reporting Settings > Packet Reporting and Packet Trace >
Enable Packet Trace on Physical Port). In addition, a change
to this parameter takes effect only after you update policies.
Note: DefensePro does not support this feature when the
Device Operation Mode is IP (see Configuring the Device
Operation Mode for DefensePro, page 156).
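The interplay of Tracking Time, Activation Threshold, Drop Threshold, and Termination Threshold described in the table above, as an added Python model. This is not code from the guide or from DefensePro. The guide does not say whether the Tracking Time is a sliding or a fixed window or at what moment each threshold is evaluated, so the model assumes consecutive fixed windows, activation as soon as a window's count exceeds the Activation Threshold, dropping of the excess above the Drop Threshold while active, and deactivation when a completed window's count falls below the Termination Threshold. Tracking Type Drop All bypasses the thresholds, as the table states. The packet timestamps are constructed sample data.

```python
# Added example (not Radware's code): a simplified model of a signature's Tracking Time,
# Activation Threshold, Drop Threshold and Termination Threshold for a tracking type
# other than Drop All. ASSUMPTIONS (the guide does not state them): the Tracking Time is
# modelled as consecutive, non-overlapping windows; the attack becomes active as soon as
# a window's count of matching packets exceeds the Activation Threshold; while active,
# matching packets beyond the Drop Threshold in a window are dropped; a completed window
# whose count is below the Termination Threshold returns the signature to inactive.
# Packet timestamps below are constructed sample data.

class SignatureTracker:
    def __init__(self, tracking_time_ms=1000, activation=50, drop=50, termination=50,
                 tracking_type="Sampling"):
        self.tracking_time = tracking_time_ms
        self.activation, self.drop, self.termination = activation, drop, termination
        self.tracking_type = tracking_type
        self.window_start = None   # start of the current Tracking Time window
        self.count = 0             # matching packets seen in the current window
        self.active = False        # is the attack currently considered active?
        self.events = []           # (time_ms, state change) for the security log

    def _close_window(self, end_ms):
        """Evaluate the Termination Threshold when a window completes, then reset the count."""
        if self.active and self.count < self.termination:
            self.active = False
            self.events.append((end_ms, "attack inactive"))
        self.count = 0

    def _roll_window(self, now_ms):
        # Close every window that ended before this packet arrived.
        while now_ms - self.window_start >= self.tracking_time:
            self._close_window(self.window_start + self.tracking_time)
            self.window_start += self.tracking_time

    def packet(self, now_ms, matches):
        """Return the verdict ('forward' or 'drop') for one packet arriving at now_ms."""
        if self.window_start is None:
            self.window_start = now_ms
        self._roll_window(now_ms)
        if not matches:
            return "forward"                       # unrelated traffic is never counted
        if self.tracking_type == "Drop All":
            return "drop"                          # every matching packet is harmful; thresholds ignored
        self.count += 1
        if not self.active and self.count > self.activation:
            self.active = True
            self.events.append((now_ms, "attack active"))
        if self.active and self.count > self.drop:
            return "drop"                          # excess above the Drop Threshold in this window
        return "forward"


def simulate(packets, **tracker_args):
    """packets: iterable of (time_ms, matches_signature). Returns (verdicts, events)."""
    tracker = SignatureTracker(**tracker_args)
    verdicts = [tracker.packet(t, m) for t, m in packets]
    return verdicts, tracker.events


# Constructed sample: 8 matching packets in the first second, 2 in the second, 1 in the third.
SAMPLE_PACKETS = ([(t, True) for t in range(0, 800, 100)]
                  + [(1000, True), (1100, True)]
                  + [(2500, True)])
```

With activation, drop, and termination set to 5, 5, and 3, the first five matching packets pass, the sixth activates the attack and is dropped together with the rest of that window, the two packets of the next window pass because they stay under the Drop Threshold, and the attack is declared inactive once that window completes below the Termination Threshold. The defaults of 50 and a 1000 ms Tracking Time follow the table.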
Parameter Description
(Read-only) A description of the static signature.
You cannot configure a description for a user-defined signature.
Parameter Description
Filters are components of a protection, each containing one specific attack signature, that scan and
classify predefined traffic. Filters match scanned packets with attack signatures in the Signatures
database.
For each custom protection, you define custom filters. You cannot use filters from other protections
when customizing protection definitions.
To add a filter, select Add New Filter.
To edit a filter, select the filter and select Edit Filter.
Note: For more information, see Table 142 - Signature Protection Profiles Parameters, page
198.
Parameter Description
The attributes that you select for the signature determine the attack characteristics used in the rule
creation process.
The attributes in the Attributes Table tab are defined in the Attributes tab (see Configuring
Signature Protection Attributes, page 211).
Parameter Description
Each filter has a specified name and specified protocol-properties parameters.
Filter Name The name of the signature filter.
Protocol The protocol used.
Values:
• ICMP
• ICMPv6
• IP
• Non IP
• TCP
• UDP
Default: IP
Caution: Do not choose the Non IP option. It produces unexpected
results.
Source Application Port
(This parameter is available only when the Protocol is UDP or TCP.)
The source application port or Application port-group class that the filter applies on UDP or TCP traffic.
Note: For information on Application port-group classes, see Configuring Application Classes, page 184.
Destination Application Port
(This parameter is available only when the Protocol is UDP or TCP.)
The destination application port or Application port-group class that the filter applies on UDP or TCP traffic.
Note: For information on Application port-group classes, see Configuring Application Classes, page 184.
Parameter Description
Packet parameters are used to match the correct packet length in different layers.
Packet Size Type Specifies whether the length is measured for Layer 2, Layer 3, Layer 4 or
Layer 7 content.
Values:
• L2—The complete packet length is measured, including Layer 2
headers.
• L3—The Layer 2 data part of the packet is measured (excluding the
Layer 2 headers).
• L4—The Layer 3 data part of the packet is measured (excluding the
Layer 2/Layer 3 headers).
• L7—The L4 data part of the packet is measured (excluding the
Layer 2/Layer 3/Layer 4 headers).
• None
Default: None
Packet Size Length The range of values for packet length.
The size is measured per packet only.
The size is not applied on reassembled packets.
Fragmentation of Layer 4–Layer 7 packets may result in tails that do not
contain the Layer 4–Layer 7 headers. The check is bypassed, as no match
with Type = L4–L7 is detected.
Parameter Description
Offset Mask Pattern Condition (OMPC) parameters are a set of attack parameters that define rules
for pattern lookups. The OMPC rules look for a fixed size pattern of up to four bytes that uses fixed
offset masking. This is useful for attack recognition, when the attack signature is a TCP/IP header
field or a pattern in the data/payload in a fixed offset.
OMPC Condition The OMPC condition.
Values:
• Equal
• Greater Than
• Not Applicable
• Less Than
• Not Equal
Default: Not Applicable
OMPC Length The length of the OMPC (Offset Mask Pattern Condition) data.
Values:
• Not Applicable
• 1 Byte
• 2 Bytes
• 3 Bytes
• 4 Bytes
Default: 1 Byte
OMPC Offset The location in the packet from where data checking starts looking for
specific bits in the IP/TCP header.
Values: 0–65,535
Default: 0
OMPC Offset Relative to Specifies to which OMPC offset the selected offset is relative.
Values:
• None
• IP Header
• IP Data
• L4 Data
• L4 Header
• Ethernet
Default: None
OMPC Pattern The fixed size pattern within the packet that OMPC rules attempt to find.
Values: A combination of hexadecimal numbers (0–9, a–f). The value is
defined by the OMPC Length parameter.
The OMPC Pattern definition contains eight symbols. When the OMPC
Length is less than four bytes, complete it with zeros.
For example, when the OMPC Length is two bytes, the OMPC Pattern
can be abcd0000.
Default: 00000000
OMPC Mask The mask for the OMPC data.
Values: A combination of hexadecimal numbers (0–9, a–f). The value is
defined by the OMPC Length parameter.
The OMPC Mask definition contains eight symbols. When the OMPC
Length value is less than four bytes, complete it with zeros.
For example, when the OMPC Length is two bytes, the OMPC Mask can
be abcd0000.
Default: 00000000
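The Packet Size Type measurement (L2, L3, L4, L7) from the packet parameters table and the OMPC lookup (offset relative to a layer, 1 to 4 byte length, eight-symbol pattern and mask, comparison condition) described above, as an added Python example. This is not code from the guide or from DefensePro. It assumes an IPv4-over-Ethernet frame, treats OMPC Offset Relative to None as an offset from the start of the frame, treats the header of a protocol other than TCP or UDP as eight bytes, and builds its own constructed sample TCP SYN packet (checksums left at zero).

```python
# Added example (not Radware's code): measuring Packet Size Type at each layer and
# evaluating an Offset Mask Pattern Condition (OMPC) on an Ethernet/IPv4 frame.
# ASSUMPTIONS: IPv4 over Ethernet only; "Relative to None" means an offset from the
# start of the frame; for protocols other than TCP/UDP the L4 header is taken as 8 bytes.
# The sample packet is constructed here, with checksums left at zero.
import struct

ETH_HDR_LEN = 14


def layer_offsets(pkt):
    """Byte offsets of the IP header, IP data (= L4 header) and L4 data in the frame."""
    ip_hdr = ETH_HDR_LEN
    ihl = (pkt[ip_hdr] & 0x0F) * 4          # IPv4 header length from the IHL nibble
    proto = pkt[ip_hdr + 9]                 # protocol field of the IPv4 header
    l4_hdr = ip_hdr + ihl
    if proto == 6:                          # TCP: header length from the data-offset nibble
        l4_len = (pkt[l4_hdr + 12] >> 4) * 4
    else:                                   # UDP is 8 bytes; other protocols assumed 8 bytes
        l4_len = 8
    return {"None": 0, "Ethernet": 0, "IP Header": ip_hdr, "IP Data": l4_hdr,
            "L4 Header": l4_hdr, "L4 Data": l4_hdr + l4_len}


def packet_size(pkt, size_type):
    """Length measured per the Packet Size Type: L2 whole frame, L3/L4/L7 without the outer headers."""
    off = layer_offsets(pkt)
    base = {"L2": 0, "L3": off["IP Header"], "L4": off["IP Data"], "L7": off["L4 Data"]}[size_type]
    return len(pkt) - base


def ompc_match(pkt, condition, length, offset, relative_to, pattern, mask):
    """Evaluate one OMPC rule. pattern and mask are the eight-symbol hex strings from the table;
    only the first `length` bytes of each are significant (the rest are the zero padding)."""
    if condition == "Not Applicable":
        return True
    if not 1 <= length <= 4 or len(pattern) != 8 or len(mask) != 8:
        raise ValueError("OMPC Length is 1-4 bytes; OMPC Pattern and Mask are eight hex symbols")
    start = layer_offsets(pkt)[relative_to] + offset
    field = pkt[start:start + length]
    if len(field) < length:
        return False                        # field runs past the packet (e.g. a fragment tail): no match
    pat = int(pattern[:2 * length], 16)
    msk = int(mask[:2 * length], 16)
    value = int.from_bytes(field, "big") & msk
    return {"Equal": value == pat, "Not Equal": value != pat,
            "Greater Than": value > pat, "Less Than": value < pat}[condition]


def build_sample_packet(payload=b"GET / HTTP/1.1\r\n"):
    """Constructed Ethernet/IPv4/TCP SYN frame used as sample input (not a captured packet)."""
    tcp = struct.pack("!HHIIBBHHH", 12345, 80, 1, 0, 5 << 4, 0x02, 65535, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes([192, 0, 2, 10]), bytes([198, 51, 100, 5]))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp
```

The three checks in the test below correspond to typical OMPC uses: a one-byte rule on the TCP flags byte (offset 13 relative to the L4 Header, pattern 02000000, mask ff000000, Equal), a one-byte Less Than rule on the IP TTL (offset 8 relative to the IP Header), and a four-byte rule on the start of the payload (offset 0 relative to L4 Data).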
Parameter Description
The Content parameters define the rule for a text/content string lookup for attack recognition,
when the attack signature is a text/content string within the packet payload. The Content
parameters are available only for TCP, UDP, and ICMP.
Content Type Enables you to search for a specific content type, which you select from a
long list.
For the list of valid values, see Table 152 - Content Types, page 209.
Default: N/A—The device does not filter the content based on type.
Content Encoding Application Security can search for content in languages other than
English, for case-sensitive or case-insensitive text, and hexadecimal
strings.
Values:
• Not Applicable
• Case Insensitive
• Case Sensitive
• Hex
• International
Default: Not Applicable
Note: The value of this field applies to the Content Type parameter.
Content The value of the content search, except for HTTP headers, cookies, and
FTP commands.
Values: the printable ASCII characters: <space> ! " # $ % & ' ( ) * + , - . / 0 1 2 3 4 5 6 7 8 9 : ; < = > ? @ A B C D E F G H I J K L M N O P Q R S T U V W X Y Z [ \ ] ^ _ ` a b c d e f g h i j k l m n o p q r s t u v w x y z { | } ~
Content Offset The location in the packet from which the content is checked. The offset
location is measured from the beginning of the UDP or TCP header.
Values: 0–65,535
Default: 0
Content Max Length The maximum length to be searched within the selected Content Type.
Values: 0–65,535
Default: 0
Note: The Content Max Length value must be equal to or greater
than the Offset value.
Content Data Encoding Application Security can search for data in languages other than English,
for case-sensitive or case-insensitive data, and hexadecimal strings.
Values:
• Not Applicable
• Case Insensitive
• Case Sensitive
• HEX
• International
Default: Not Applicable
Note: The value of this field applies to the Content Type parameter.
Content Data The content type for the content search.
Values:
• HTTP Header—The value of the HTTP Header. The header is defined by
the Content field.
• Cookie—The cookie value. The cookie is defined by the Content field.
• FTP Command—The FTP command arguments. The FTP command is
defined by the Content field.
Distance Range A range that defines the allowable distance between two content
characters. When the distance exceeds the specified range, it is
recognized as an attack.
Regular Expression Content
Specifies whether the Content field value is formatted as a regular expression (and not as free text to search). You can set a regex search for all content types.
Regular Expression Content Data
Specifies whether the Content Data value is formatted as a regular expression (and not as free text to search).
Table 152 - Content Types, page 209 describes the content types that you can configure the device
to examine as part of the attack signature.
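The Content lookup described above (Content Offset measured from the beginning of the UDP or TCP header, Content Max Length that must be at least the offset, the Case Sensitive, Case Insensitive and Hex encodings, and the Regular Expression Content option), as an added Python example. This is not code from the guide or from DefensePro. It assumes the search input is the Layer 4 header plus payload, that Content Max Length is the position at which the search stops (0 meaning the end of the packet), and uses a constructed sample segment with a zeroed 20-byte placeholder TCP header.

```python
# Added example (not Radware's code): a content lookup over a TCP/UDP segment using the
# Content Offset, Content Max Length, Content Encoding and Regular Expression Content
# parameters. ASSUMPTIONS: l4_segment is the L4 header plus payload; the search window is
# [offset, max_length) with max_length 0 meaning "to the end of the segment".
import re


def content_match(l4_segment, content, encoding="Case Sensitive", offset=0, max_length=0,
                  regex=False):
    """Return True when `content` is found inside the search window of the segment."""
    if max_length and max_length < offset:
        # The guide requires Content Max Length to be equal to or greater than the offset.
        raise ValueError("Content Max Length must be equal to or greater than Content Offset")
    end = max_length if max_length else len(l4_segment)
    window = l4_segment[offset:end]
    if encoding == "Hex":
        return bytes.fromhex(content) in window           # hexadecimal string, compared as raw bytes
    needle = content.encode("latin-1")
    if regex:
        flags = re.IGNORECASE if encoding == "Case Insensitive" else 0
        return re.search(needle, window, flags) is not None
    if encoding == "Case Insensitive":
        return needle.lower() in window.lower()
    return needle in window


# Constructed sample segment: a zeroed 20-byte placeholder TCP header followed by an HTTP request.
SAMPLE_SEGMENT = bytes(20) + b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n"
```

Because the offset is counted from the start of the Layer 4 header, a Content Offset of 20 lands on the first payload byte of a TCP segment with no options; an offset of 25 on the sample skips past "GET /" and the same search then fails.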
To locate all the policies and profiles that use a specific signature
1. In the Configuration perspective, select Network Protection > Signature Protection >
Signatures.
2. Select the signature.
3. Click Find Usages.
Note: You can use the DefensePro CLI or WBM to manage the page for the responses of the HTTP
Action Modes.
Tip: Radware AppWall (version 5.9.1 and later) and DefensePro can engage in signaling for HTTP
attack detection and mitigation. Signaling from AppWall involves generating a custom signature in
DefensePro, with the source IP address of the detected attacker. The signaling starts automatically
when AppWall detects a Web attack. You configure the Action Mode of the AppWall-generated
custom signature in the AppWall configuration. When you use AppWall and DefensePro in a CDN
environment, Radware recommends configuring AppWall to configure the (DefensePro) custom
signature with one of the HTTP Action Modes.
Note: You can view properties of attribute types, and for the attribute types Complexity,
Confidence, and Risk, you can also specify the Match Method (Minimum or Exact). For more
information, see Viewing and Modifying Attribute Type Properties, page 213.
Attributes are derived from the Signatures database and are added dynamically with any update.
— To view all attributes, select All and click the (Search) button.
— To view attributes for a single attribute type, select the attribute type and click
To change the Match Method for Complexity, Confidence, and Risk attribute types
1. In the Configuration perspective, select Network Protection > Signature Protection >
Attributes > Attribute Type Properties.
2. Double-click the attribute type.
3. From the Match Method drop-down list, select Minimum or Exact.
4. Click Submit.
Recommended settings for policies that include Behavioral DoS profiles are as follows:
• Configure rules containing Behavioral DoS profiles using Networks with source = Any, the public
network, and destination = Protected Network. It is recommended to create multiple Behavioral
DoS rules, each one protecting a specific servers segment (for example, DNS servers segment,
Web server segments, Mail servers segments, and so on). This assures optimized learning of
normal traffic baselines.
• It is not recommended to define a network with the Source and Destination set to Any, because
the device collects statistics globally with no respect to inbound and outbound directions. This
may result in lowered sensitivity to detecting attacks.
• When a rule’s Direction is set to One Way, the rule prevents incoming attacks only. When a
rule’s Direction is set to Two Way, the rule prevents both incoming and outgoing attacks. In both
cases, the traffic statistics are collected for incoming and outgoing patterns to achieve optimal
detection.
You can configure footprint bypass to bypass specified footprint types or values. For more
information, see Configuring BDoS Footprint Bypass, page 117.
Parameter Description
Profile Name The name of the BDoS profile.
Enable Transparent Optimization
Specifies whether transparent optimization is enabled. Some network environments are more sensitive to dropping packets (for example, VoIP). Therefore, it is necessary to minimize the probability that legitimate traffic is dropped by the IPS device. This transparent optimization can occur during BDoS closed-feedback iterations until a final footprint is generated.
Note: When transparent optimization is enabled, the profile does
not mitigate the attack until the final footprint is generated, which
takes several seconds.
Parameter Description
Select the network-flood protection types to apply:
SYN Flood
TCP ACK + FIN Flood
TCP RST Flood
TCP SYN + ACK Flood
TCP Fragmentation Flood
UDP Flood
UDP Fragmentation Flood
ICMP Flood
IGMP Flood
Parameter Description
Inbound Traffic The maximum inbound traffic bandwidth, in Kbit/s, expected on your
links. DefensePro derives the initial baselines from the bandwidth
and quota settings.
Values: 1–2,147,483,647
Caution: You must configure this setting to start Behavioral DoS
protection.
Note: For the definition of inbound traffic and outbound traffic,
see Configuring Network Protection Policies, page 188.
Outbound Traffic The maximum outbound traffic bandwidth, in Kbit/s, expected on
your links. DefensePro derives the initial baselines from the
bandwidth and quota settings.
Values: 1–2,147,483,647
Caution: You must configure this setting to start Behavioral DoS
protection.
Note: For the definition of inbound traffic and outbound traffic,
see Configuring Network Protection Policies, page 188.
Parameter Description
Radware recommends that you initially leave these fields empty so that the default values will
automatically be used. To view default values after creating the profile, double-click the entry in the
table. You can then adjust quota values based on your network performance.
Caution: When you change a bandwidth setting (Inbound Traffic or Outbound Traffic),
the quota settings automatically change to the default values appropriate for the bandwidth.
Note: The total quota values may exceed 100%, as each value represents the maximum volume
per protocol.
Default Quota Restores the hard-coded default values to all the quotas.
(button)
TCP The maximum expected percentage of TCP traffic out of the total
traffic.
UDP The maximum expected percentage of UDP traffic out of the total
traffic.
ICMP The maximum expected percentage of ICMP traffic out of the total
traffic.
IGMP The maximum expected percentage of IGMP traffic out of the total
traffic.
Parameter Description
UDP Packet Rate Sensitivity The packet-rate detection sensitivity—that is, to what extent the
BDoS engine considers the UDP PPS-rate values (baseline and
current).
This parameter is relevant only for BDoS UDP protection.
Values:
• Disable
• Low
• Medium
• High
Default: Low
Note: In certain legacy versions, this parameter is labeled Level
Of Regularization.
Table 159: BDoS Profile: Packet Reporting and Trace Setting Parameters
Parameter Description
Packet Report Specifies whether the profile sends sampled attack packets to
APSolute Vision for offline analysis.
Default: Disabled
Note: When this feature is enabled, for the feature to take effect,
the global setting must be enabled (Configuration perspective,
Setup > Reporting Settings > Advanced Reporting Settings
> Packet Reporting and Packet Trace > Enable Packet Reporting).
Packet Trace Specifies whether the profile sends attack packets to the specified
physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to
take effect, the global setting must be enabled (Configuration
perspective, Setup > Reporting Settings > Advanced
Reporting Settings > Packet Reporting and Packet Trace >
Enable Packet Trace on Physical Port). In addition, a change
to this parameter takes effect only after you update policies.
Note: DefensePro does not support this feature when the Device
Operation Mode is IP (see Configuring the Device Operation
Mode for DefensePro, page 156).
Worm-propagation prevention and anti-scanning prevent zero-day self-propagating network worms,
horizontal scans, and vertical scans.
DefensePro’s Anti-Scanning protection detects and prevents the worm propagation activity.
Anti-Scanning profiles defend against the following threats:
• TCP horizontal scans
• TCP vertical scans
• TCP stealth scans
• UDP horizontal scans
• UDP vertical scans
• Ping sweep
Caution: In some cases, you may find that network elements legitimately perform scanning as part of
their normal operation. It is recommended to place such elements in the White List to avoid
interruption of network operation.
— To add a profile, click the (Add) button. Then, enter the profile name and click Submit.
— To edit a profile, double-click the entry in the table.
3. To add Connection Limit protections to the profile, in the Edit Connection Limit Profile dialog box
protections table, do the following:
4. To define additional Connection Limit protections for the profile, click Go To Protection Table.
For more information, see Configuring Connection Limit Protections, page 219.
Note: A Connection Limit profile should include all the Connection Limit attacks that you want
to apply in a network policy.
Parameter Description
Profile Name (Read-only) The name of the Connection Limit profile.
Connection Limit Protection Table
Lists the Connection Limit Protection Name and Protection ID for each protection applied for the selected profile.
To add a protection
Parameter Description
Protection ID (Read-only) The ID number assigned to the Connection Limit
protection.
Protection Name A descriptive name for easy identification when configuring and
reporting.
Parameter Description
Application Port Group Name
The Layer 4 port or class object that defines the application you want to protect.
To specify any port, the field may contain the value any or be empty.
Note: You can click the adjacent button to open the dialog box in
which you can add a class.
Protocol The Layer 4 protocol of the application you want to protect.
Values: TCP, UDP
Default: TCP
Number of Connections The maximum number of new TCP connections, or new UDP sessions,
per second, allowed for each source, destination or source-and-
destination pair. All additional sessions are dropped. When the
threshold is reached, attacks are identified, and DefensePro
generates a security event.
Values: 0–100,000,000
Default: 50
Tracking Type The counting rule for tracking sessions.
Values:
• Source and Target Count—Sessions are counted per source IP
and destination IP address combination.
• Source Count—Sessions are counted per source IP address.
• Target Count—Sessions are counted per destination IP address.
Default: Source Count
Note: When Tracking Type is Target Count, the Suspend
Action can only be None.
Action Mode The action when an attack is detected.
Values:
• Drop—The packet is discarded.
• Report-only—The packet is forwarded to the destination IP
address.
• Reset Source—Sends a TCP-Reset packet to the packet source IP
address.
Default: Drop
Risk The risk assigned to this attack for reporting purposes.
Values: High, Info, Low, Medium
Default: Medium
Suspend Action Specifies which session traffic the device suspends for the attack
duration.
Values:
• None—Suspend action is disabled for this attack.
• Source IP—All traffic from the IP address identified as the source
of this attack is suspended.
• Source IP + Destination IP—Traffic from the IP address identified
as the source of this attack to the destination IP address under
attack is suspended.
• Source IP + Destination Port—Traffic from the IP address
identified as the source of this attack to the application
(Destination port) under attack is suspended.
• Source IP + Destination IP and Port—Traffic from the IP address
identified as the source of this attack to the destination IP
address and port under attack is suspended.
• Source IP and Port + Destination IP and Port—Traffic from the IP
address and port identified as the source of this attack to the
destination IP address and port under attack is suspended.
Default: None
Note: When Tracking Type is Target Count, the Suspend Action
can only be None.
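The Tracking Type and Number of Connections parameters above define a per-identity rate counter. The following is an added example (not DefensePro code) that models that counter in Python: sessions are counted per source, per target, or per source-and-target pair inside a one-second window, the first session beyond the limit raises a security event, and the Action Mode decides whether the excess is dropped, forwarded with a report only, or answered with a reset. The class, the fixed one-second window and the sample flows are assumptions made for illustration.

```python
"""Per-second session counting with the three Connection Limit tracking types.
Added example: the class, the counting window and the sample flows are
assumptions for illustration, not DefensePro code."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class ConnectionLimitProtection:
    number_of_connections: int = 50        # guide default
    tracking_type: str = "Source Count"    # guide default
    action_mode: str = "Drop"              # "Drop", "Report-only" or "Reset Source"
    events: list = field(default_factory=list)   # one security event per key per second
    _counts: dict = field(default_factory=lambda: defaultdict(int))
    _second: int = -1

    def _key(self, src, dst):
        """Counting rule: which identity the per-second counter is kept for."""
        if self.tracking_type == "Source Count":
            return src
        if self.tracking_type == "Target Count":
            return dst
        if self.tracking_type == "Source and Target Count":
            return (src, dst)
        raise ValueError(f"unknown tracking type {self.tracking_type!r}")

    def new_session(self, ts, src, dst):
        """Handle one new TCP connection or UDP session seen at time ts (seconds).
        Returns 'forward', 'drop' or 'reset'."""
        second = int(ts)
        if second != self._second:          # assumption: a fixed one-second window
            self._counts.clear()
            self._second = second
        key = self._key(src, dst)
        self._counts[key] += 1
        if self._counts[key] <= self.number_of_connections:
            return "forward"
        if self._counts[key] == self.number_of_connections + 1:
            self.events.append((second, self.tracking_type, key))   # threshold reached
        if self.action_mode == "Report-only":
            return "forward"                # reported but still delivered
        if self.action_mode == "Reset Source":
            return "reset"                  # TCP-Reset sent to the source IP address
        return "drop"


def run_sample(tracking_type, action_mode="Drop", limit=5):
    """Replay two constructed bursts inside the same second: 198.51.100.7 opens one
    session to each of eight targets, then 198.51.100.8 opens eight sessions to a
    single target. Returns the verdicts and the security events raised."""
    prot = ConnectionLimitProtection(limit, tracking_type, action_mode)
    verdicts = []
    for i in range(8):
        verdicts.append(prot.new_session(10.10 + i / 100, "198.51.100.7", f"203.0.113.{i + 1}"))
    for i in range(8):
        verdicts.append(prot.new_session(10.50 + i / 100, "198.51.100.8", "203.0.113.1"))
    return verdicts, prot.events


if __name__ == "__main__":
    for tt in ("Source Count", "Target Count", "Source and Target Count"):
        v, e = run_sample(tt)
        print(f"{tt:24s} dropped={v.count('drop')} events={len(e)}")
```

Running the sample shows why the tracking type matters: Source Count catches both the horizontal scanner and the single-target client, Target Count only sees the pile-up on 203.0.113.1 (and only after the scanner's earlier hit on that target is counted too), and Source and Target Count ignores the scanner entirely because each pair is seen once.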
Table 162: Connection Limit Protection: Packet Reporting and Packet Trace Parameters
Parameter Description
Packet Report Specifies whether the device sends sampled attack packets to
APSolute Vision for offline analysis.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration
perspective, Setup > Reporting Settings > Advanced
Reporting Settings > Packet Reporting and Packet Trace >
Enable Packet Reporting).
Packet Trace Specifies whether the DefensePro device sends attack packets to the
specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration
perspective, Setup > Reporting Settings > Advanced
Reporting Settings > Packet Reporting and Packet Trace >
Enable Packet Trace on Physical Port). In addition, a change to
this parameter takes effect only after you update policies.
Note: DefensePro does not support this feature when the Device
Operation Mode is IP (see Configuring the Device Operation
Mode for DefensePro, page 156).
— To add a profile, click the (Add) button. Enter the profile name and click Submit.
— To edit a profile, double-click the entry in the table.
3. To add a SYN flood protection to the profile, do the following:
Note: A SYN profile should contain all the SYN flood protections that you want to apply in a
Network Protection policy.
Parameter Description
Profile Name (Read-only) The name of the profile.
SYN Protection Table Contains the protections applied for the selected profile.
To add a protection, in the table, click the (Add) button, select the
protection name, and click Submit.
Note: In each Network Protection policy, you can use only one
SYN profile. Therefore, ensure that all the protections that you
want to apply to a rule are contained in the profile that the policy uses.
Go To Protection Table Opens the Syn Protections dialog box in which you can add and
modify SYN protections.
Parameter Description
Protection Name A name for easy identification of the attack for configuration and
reporting.
Note: Predefined SYN Protections are available for the most
common applications: FTP, HTTP, HTTPS, IMAP, POP3, RPS, RTSP,
SMTP, and Telnet. The thresholds are predefined by Radware. You
can change the thresholds for these attacks.
Protection ID (Read-only) The ID number assigned to the protection.
Application Port Group The group of TCP ports that represent the application that you want
to protect. Select from the list predefined port groups, or leave the
field empty to select any port.
Activation Threshold A number of SYN packets received per second at a certain destination
above which DefensePro starts the mitigation actions. [1]
Values: 1–150,000
Default: 2500
Termination Threshold A number of SYN packets received per second at a certain destination
for the specified Tracking Time [2] below which DefensePro stops the
mitigation actions. [1]
Values: 0–150,000
Default: 1500
Risk The risk level assigned to this attack for reporting purposes.
Values: Info, Low, Medium, High
Default: Low
Source Type (Read-only) Specifies whether the SYN protection is a predefined
(static) or user-defined (user) protection.
1 – The number that DefensePro uses depends on whether you use Transparent Proxy or
Safe-Reset.
2 – You can configure this value at Setup > Security Settings > SYN Flood Protection>
Tracking Time.
Parameter Description
Profile Name (Read-only) The name of the profile.
Authentication Method The Authentication Method that DefensePro uses at the transport layer.
When DefensePro is installed in an ingress-only topology, select the
Safe-Reset method.
Values:
• Safe-Reset—When DefensePro receives a SYN packet, DefensePro
responds with an ACK packet with an invalid Sequence Number field
as a cookie. If the client responds with RST and the cookie,
DefensePro discards the RST packet, and adds the source IP address
to the TCP Authentication Table. The next SYN packet from the same
source (normally, a retransmit of the previous SYN packet) passes
through DefensePro, and the session is approved for the server.
DefensePro saves the source IP address for a specified time.
• Transparent Proxy—When DefensePro receives a SYN packet,
DefensePro replies with a SYN ACK packet with a cookie in the
Sequence Number field. If the response is an ACK that contains the
cookie, DefensePro considers the session to be legitimate. Then,
DefensePro opens a connection with the destination and acts as
transparent proxy between the source and the destination.
Default when Device Operation Mode is Transparent: Transparent
Proxy
Default when Device Operation Mode is IP: Safe-Reset
Notes:
• For more information on Operation Mode, see Configuring the
Device Operation Mode for DefensePro, page 156.
• To configure Minimum Allowed SYN Retransmission Time and
Maximum Allowed SYN Retransmission Time, in the
Configuration perspective, select Setup > Security Settings >
SYN Flood Protection Settings.
Use TCP Reset for Supported Protocols Specifies whether DefensePro uses the TCP-Reset method for HTTP,
HTTPS, SMTP, and custom-protocol traffic instead of the Authentication
Method.
Radware recommends enabling this option in symmetric and ingress-
only environments that include HTTP, HTTPS, and SMTP traffic.
Default: Disabled
Note: For more information on the TCP-Reset method, see TCP
Reset, page 227.
HTTP Authentication
Use HTTP Authentication Specifies whether DefensePro authenticates the transport layer of HTTP
traffic using SYN cookies and then authenticates the HTTP application
layer using the specified HTTP Authentication Method.
Values:
• Enabled—DefensePro authenticates the transport layer of HTTP
traffic using SYN cookies, and then, authenticates the HTTP
application layer using the specified HTTP Authentication Method.
• Disabled—DefensePro handles HTTP traffic using the specified TCP
Authentication Method.
Default: Disabled
HTTP Authentication Method The method that the profile uses to authenticate HTTP traffic at the
application layer.
Values:
• 302-Redirect—DefensePro authenticates HTTP traffic using a 302-
redirect response code.
• JavaScript—DefensePro authenticates HTTP traffic using a
JavaScript object, which DefensePro generates.
• Advanced JavaScript—DefensePro authenticates HTTP traffic using
an obfuscated and polymorphic challenge, which can overcome
advanced attack tools.
Default: 302-Redirect
Notes:
• Some attack tools are capable of handling 302-redirect responses.
The 302-Redirect HTTP Authentication Method is not effective
against attacks that use those tools. The JavaScript HTTP
Authentication Method requires an engine on the client side that
supports JavaScript, and therefore, the JavaScript option is
considered stronger. However, the JavaScript option has some
limitations, which are relevant in certain scenarios.
• Limitations when using the JavaScript HTTP Authentication Method:
— If the browser does not support JavaScript calls, the browser will
not answer the challenge.
— When the protected server is accessed as a sub-page through
another (main) page only using JavaScript, the user session will
fail (that is, the browser will not answer the challenge). [1]
1 – For example, if the protected server supplies content that is requested using a
JavaScript tag, the DefensePro JavaScript is enclosed within the original JavaScript
block. This violates JavaScript rules, which results in a challenge failure. In the following
example, the request accesses a secure server. The returned challenge page contains
the <script> tag again, which is illegal, and therefore, it is dropped by the browser
without making the redirect.
<script>
  setTimeout(function () {
    var js = document.createElement("script");
    js.src = "http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
    document.getElementsByTagName("head")[0].appendChild(js);
  }, 1000);
</script>
TCP Reset
Radware recommends enabling the TCP-Reset option in symmetric and ingress-only environments
that include HTTP, HTTPS, and SMTP traffic.
Caution: When DefensePro implements the TCP-Reset mechanism, according to the relevant RFCs
(for HTTP, HTTPS, and SMTP), a new connection must be initiated automatically when the original
connection is reset (in this case, by the TCP-Reset mechanism). For browsers that fully comply with
this aspect of the RFCs, the connection will be re-initiated automatically, and the user will experience
a delay of approximately three seconds with no additional latency expected during the
authentication period. (The authentication period is determined by the TCP Authentication Table
Aging parameter, which, by default, is 20 minutes.) For browsers that do not fully comply with this
aspect of the RFCs, legitimate users will receive a notification that the connection is reset and will
need to manually retry the connection. After the retry, the users will be able to browse with no
additional latency expected during the authentication period.
When the Use TCP Reset for Supported Protocols checkbox is selected, DefensePro uses the
TCP-Reset authentication method for HTTP, HTTPS, SMTP, and custom-protocol traffic instead of the
specified Authentication Method (Transparent Proxy or Safe-Reset).
Custom-protocol refers to traffic that you define for the TCP-Reset method to handle. To enable you
to do this, DefensePro exposes two system-defined Application Port Groups: TCPReset-ACK and
TCPReset-Data. These Application Port Groups are dummy groups, which are defined with Layer 4
port 0 (zero). (For the procedure to define custom-protocol traffic, see the procedure To define
custom-protocol traffic for the TCP-Reset method, page 228.)
When DefensePro implements the TCP-Reset method, DefensePro tries to match packets to a
relevant Application Port Group according to the following order:
1. HTTP
2. HTTPS
3. SMTP
4. TCPReset-Data
5. TCPReset-ACK
DefensePro handles packets in a session according to the first packet that matched one of the
relevant Application Port Groups.
When the TCP-Reset option is enabled, DefensePro does the following:
1. When it receives a SYN packet, DefensePro replies with a SYN-ACK packet with a cookie in the
Sequence Number field using the original destination IP address and MAC, without any
additional authentication parameters (cookies).
2. If the response is an ACK with the cookie:
— In HTTP or HTTPS traffic or custom-protocol traffic with the TCPReset-Data Application Port
Group, DefensePro waits for the first data packet from the client. (If DefensePro receives an
ACK with no data before the first data packet, DefensePro drops the packet.) When the
DefensePro device receives data, it replies with a RST packet, and saves the source IP
address in the TCP Authentication table.
— For SMTP or custom-protocol traffic with the TCPReset-ACK Application Port Group,
DefensePro replies with a RST packet, and saves the source IP address in the TCP
Authentication table.
Note: HTTP, HTTPS, and SMTP sources respond automatically to a RST packet by re-sending a
SYN—that is, the source automatically retries to open the connection with the protected server.
Legitimate clients are expected to retry and open a new connection towards the protected
server.
3. DefensePro checks each SYN packet against the entries in the TCP Authentication table. If there
is a match, DefensePro forwards the packet to the other DefensePro inspection modules and
later forwards the SYN packet to the destination as-is, so the protected server will open a
connection with the source.
4. Once DefensePro has authenticated a source, DefensePro does not challenge the source again
during the authentication period. (The authentication period is determined by the TCP
Authentication Table Aging parameter, which, by default, is 20 minutes).
Notes
• If DefensePro receives multiple SYNs from the same source, DefensePro implements the TCP-
Reset authentication process per SYN packet, until one of the connections is authenticated.
• DefensePro always uses the TCPReset-Data behavior (step 2 above) for traffic through ports
included in HTTP Application Port Group and HTTPS Application Port Group.
• DefensePro always uses the TCPReset-ACK behavior (step 2 above) for traffic through ports
included in SMTP Application Port Group.
• When you select both the Use HTTP Authentication and the Use TCP Reset For Supported
Protocols checkboxes, DefensePro uses the HTTP Authentication method, not the TCP-Reset
method—except for when SSL Mitigation is enabled.
• When SSL Mitigation is enabled (see Configuring Global SYN Flood Protection, page 103),
DefensePro always uses the TCP-Reset method, regardless of other SYN Protection profile
configuration.
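The Authentication Method descriptions (Safe-Reset and Transparent Proxy) and the TCP-Reset procedure above are both source-authentication state machines keyed on the client IP address. The following added example (not DefensePro code) models all three in one Python class so the differences are visible: Safe-Reset answers a SYN with a bare ACK whose invalid acknowledgment number is the cookie and authenticates on the RST that echoes it; Transparent Proxy answers with a SYN-ACK cookie and proxies once the ACK returns it; with Use TCP Reset enabled, traffic matching HTTP, HTTPS, SMTP, TCPReset-Data or TCPReset-ACK (in that order) is reset after the cookie is validated, on the first data packet for the data groups and on the ACK itself for the ACK groups, and the source is then kept in the TCP Authentication Table for the 20-minute aging period. The cookie derivation, the secret, the port numbers assigned to the groups, the packet model and the addresses are assumptions.

```python
"""SYN-flood source authentication as described above: Safe-Reset, Transparent Proxy,
and the TCP-Reset method with its Application Port Group matching order. Added example;
the cookie scheme, port numbers and packet model are assumptions, not DefensePro code."""
import hashlib
from dataclasses import dataclass, field

SECRET = b"constructed-demo-secret"        # assumed per-device secret for cookies
PORT_GROUPS = (("HTTP", {80}), ("HTTPS", {443}), ("SMTP", {25}))   # assumed group contents
AGING_SECONDS = 20 * 60                    # TCP Authentication Table Aging default


def cookie_for(src, dport):
    """32-bit cookie bound to the source IP and destination port (constructed scheme)."""
    digest = hashlib.sha256(SECRET + src.encode() + dport.to_bytes(2, "big")).digest()
    return int.from_bytes(digest[:4], "big") | 1


@dataclass
class Packet:
    src: str
    dport: int
    flags: str            # "SYN", "SYN-ACK", "ACK" or "RST"
    seq: int = 0
    ack: int = 0
    data: bytes = b""


@dataclass
class SynProtection:
    method: str                                   # "Safe-Reset" or "Transparent Proxy"
    use_tcp_reset: bool = False                   # Use TCP Reset for Supported Protocols
    tcpreset_data_ports: frozenset = frozenset()  # user-defined TCPReset-Data group
    tcpreset_ack_ports: frozenset = frozenset()   # user-defined TCPReset-ACK group
    auth_table: dict = field(default_factory=dict)   # source IP -> entry expiry time
    pending: dict = field(default_factory=dict)      # (src, dport) -> challenge state

    def _group(self, dport):
        """Match order from the text: HTTP, HTTPS, SMTP, TCPReset-Data, TCPReset-ACK."""
        groups = PORT_GROUPS + (("TCPReset-Data", self.tcpreset_data_ports),
                                ("TCPReset-ACK", self.tcpreset_ack_ports))
        return next((name for name, ports in groups if dport in ports), None)

    def _authenticate(self, key, now):
        self.auth_table[key[0]] = now + AGING_SECONDS
        self.pending.pop(key, None)

    def handle(self, pkt, now=0.0):
        """Return (action, reply); action is 'forward', 'drop', 'challenge' or 'proxy'."""
        key, cookie = (pkt.src, pkt.dport), cookie_for(pkt.src, pkt.dport)
        if pkt.flags == "SYN":
            if self.auth_table.get(pkt.src, -1.0) > now:
                return "forward", None            # authenticated source: SYN passes as-is
            if self.use_tcp_reset and self._group(pkt.dport):
                self.pending[key] = "tcpreset"
            elif self.method == "Safe-Reset":     # bare ACK whose invalid ack number is the cookie
                self.pending[key] = "safe-reset"
                return "challenge", Packet(pkt.src, pkt.dport, "ACK", ack=cookie)
            else:
                self.pending[key] = "proxy"
            return "challenge", Packet(pkt.src, pkt.dport, "SYN-ACK", seq=cookie, ack=pkt.seq + 1)
        state = self.pending.get(key)
        if pkt.flags == "RST" and state == "safe-reset":
            if pkt.seq == cookie:                 # a real stack echoes the bogus ack number
                self._authenticate(key, now)
            return "drop", None                   # the RST itself is discarded
        if pkt.flags == "ACK" and state in ("proxy", "tcpreset"):
            if pkt.ack != cookie + 1:
                return "drop", None               # wrong or missing cookie
            if state == "proxy":
                self.pending.pop(key)
                return "proxy", None              # session accepted; DefensePro proxies it
            if self._group(pkt.dport) in ("HTTP", "HTTPS", "TCPReset-Data") and not pkt.data:
                return "drop", None               # data groups: wait for the first data packet
            self._authenticate(key, now)          # ACK groups reset on the ACK itself
            return "drop", Packet(pkt.src, pkt.dport, "RST", seq=cookie + 1)
        return "drop", None                       # anything else out of sequence


def scenario_safe_reset():
    """A spoofed source is challenged every time; a real stack answers with RST + cookie."""
    dp = SynProtection("Safe-Reset")
    a1, _ = dp.handle(Packet("203.0.113.9", 80, "SYN", seq=7))   # spoofed, never answers
    a2, _ = dp.handle(Packet("203.0.113.9", 80, "SYN", seq=7))
    b1, chal = dp.handle(Packet("192.0.2.10", 80, "SYN", seq=1000))
    b2, _ = dp.handle(Packet("192.0.2.10", 80, "RST", seq=chal.ack))
    b3, _ = dp.handle(Packet("192.0.2.10", 80, "SYN", seq=1000))  # retransmitted SYN
    b4, _ = dp.handle(Packet("192.0.2.10", 80, "SYN", seq=1000), now=AGING_SECONDS + 1)
    return a1, a2, b1, b2, b3, b4      # challenge, challenge, challenge, drop, forward, challenge


def scenario_tcp_reset():
    """TCP-Reset on HTTP (data group) and SMTP (ACK group); port 8080 falls back to the method."""
    dp = SynProtection("Transparent Proxy", use_tcp_reset=True)
    _, synack = dp.handle(Packet("192.0.2.20", 80, "SYN", seq=1))
    bare, _ = dp.handle(Packet("192.0.2.20", 80, "ACK", ack=synack.seq + 1))
    _, rst = dp.handle(Packet("192.0.2.20", 80, "ACK", ack=synack.seq + 1, data=b"GET / HTTP/1.1\r\n"))
    retry, _ = dp.handle(Packet("192.0.2.20", 80, "SYN", seq=1))
    _, synack2 = dp.handle(Packet("192.0.2.21", 25, "SYN", seq=1))
    _, rst2 = dp.handle(Packet("192.0.2.21", 25, "ACK", ack=synack2.seq + 1))
    _, synack3 = dp.handle(Packet("192.0.2.22", 8080, "SYN", seq=1))
    other, _ = dp.handle(Packet("192.0.2.22", 8080, "ACK", ack=synack3.seq + 1))
    return bare, rst.flags, retry, rst2.flags, other   # drop, RST, forward, RST, proxy
```

The model keeps an authentication entry only for Safe-Reset and TCP-Reset, which is what the text describes; the Transparent Proxy path is modelled as accepting the session and proxying it. The bare-ACK drop in the HTTP case is the detail that most often surprises operators: a client that sends its ACK and then waits for the server banner (a server-initiated-data protocol on a data-group port) never gets reset and never authenticates.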
Table 167: DefensePro Challenge Behavior for Various Configuration and Traffic Permutations
Transparent Proxy | No | N/A | Server-initiated data [3] | SYN minus ACK | Transparent Proxy
Transparent Proxy | Yes | N/A | HTTP | SYN | Transparent Proxy to client only, then HTTP Authentication
Transparent Proxy | Yes | Yes | HTTPS | SYN | TCP-Reset, then HTTP Authentication [4]
Transparent Proxy | Yes | N/A | Non-HTTP with client-initiated data [2] | SYN minus data | Transparent Proxy
Transparent Proxy | Yes | N/A | Non-HTTP with server-initiated data [3] | SYN minus ACK | Transparent Proxy
TCP Reset enabled [4] (with Safe-Reset or Transparent Proxy) | Yes | No | HTTPS, SMTP, custom-protocol traffic [4] | SYN | TCP-Reset, then HTTP Authentication [4]
1 – That is, SSL Mitigation is enabled globally (Setup > Security Settings > SYN Flood Protection Settings > Enable SSL
Mitigation) and configured for the Network Protection policy.
2 – Client-initiated data refers to protocols in which the client sends the first data (for example, HTTP, HTTPS, and RTSP).
3 – Server-initiated data refers to protocols in which the server sends the first data.
4 – For more information about the TCP-Reset feature and custom-protocol traffic, see Managing SYN Protection Profile Parameters,
page 224.
Note: DefensePro does not support this feature when the Device Operation Mode is IP (see
Configuring the Device Operation Mode for DefensePro, page 156).
DefensePro can mitigate SSL-flood attacks with SSL Mitigation policies. When SYN Protection is
triggered for TCP port 443 protection and the SYN Protection profile is configured with the Use
HTTP Authentication checkbox selected (Configuration perspective, Network Protection > SYN
Protection Profiles > Profiles Parameters), an active SSL Mitigation policy challenges new SSL
connections using a Safe-Reset method. To decrypt and re-encrypt the SSL packets during the
challenge process, DefensePro uses the SSL engine of a specified Alteon platform. DefensePro allows
traffic from validated clients to pass through the DefensePro device to the protected server.
The DefensePro SSL Mitigation mechanism works as follows:
1. The DefensePro device receives a SYN packet from a client on port 443.
2. DefensePro responds with an ACK packet with an invalid Sequence Number field as a cookie.
3. If the client responds with RST and the cookie, DefensePro discards the packet, and adds the
source IP address to the TCP Authentication Table.
4. The DefensePro device passes the next SYN packet from the same source to the SSL engine of
the specified Alteon platform.
5. The Alteon device performs the SSL handshake with the client.
6. The DefensePro device passes the following HTTPS GET or POST request from the same source
to the SSL engine of the Alteon device.
7. The Alteon device communicates with the DefensePro device to generate an encrypted
challenge.
8. The DefensePro device sends the encrypted HTTPS challenge to the client.
9. The DefensePro device receives a valid response from the client and considers the connection to
be legitimate.
10. The DefensePro device adds the source IP address to the HTTP Authentication Table.
11. The DefensePro device passes the encrypted HTTPS response to the SSL engine of the Alteon
device.
12. The Alteon device communicates with the DefensePro device to generate an encrypted
termination message.
13. The next SYN packet from the validated source passes through the DefensePro device to the
server that is under attack, and DefensePro acts as a transparent proxy for the remainder of the
session.
Parameter Description
Name The name of the policy.
SSL VIP The IPv4 virtual IP address on the Alteon device.
SSL Server IP Address The IPv4 address of the SSL server specified on the Alteon device.
VIP MAC The MAC address of the Alteon device.
Network Policy Name The name of the existing Network Protection policy.
State Specifies whether the policy is active.
Values: active, inactive
Default: active
Parameter Description
Name The name of the profile.
Table 170: DNS Protection Profile: Query Protections and Quotas Parameters
Parameter Description
Radware recommends that you initially leave these fields empty so that the default values will
automatically be used. To view default values after creating the profile, double-click the entry in the
table. You can then adjust quota values based on your network performance.
Note: The total quota values may exceed 100%, as each value represents the maximum volume
per protocol.
A Query, MX Query, PTR Query, AAAA Query, Text Query, SOA Query, NAPTR Query, SRV Query, Other Queries
For each DNS query type to protect, specify the quota—the maximum expected percentage of DNS traffic
out of the total DNS traffic—and select the checkbox in the row.
Get Default Quotas Configures all the quotas with the hard-coded default values after you
have specified the Expected DNS Query Rate.
Expected DNS Query Rate The expected rate, in queries per second, of DNS queries.
Parameter Description
Use Manual Triggers Specifies whether the profile uses user-defined DNS QPS thresholds
instead of the learned baselines.
Default: Disabled
Activation Threshold The number of total queries per second, per protected destination
network—after the specified Activation Period—above which DefensePro
considers there to be an ongoing attack.
When DefensePro detects an attack, it starts challenging all sources.
Above the specified Max QPS (see below), DefensePro limits the rate of
total QPS towards the protected network.
Values: 0–4,000,000
Default: 0
Activation Period The number of consecutive seconds that the DNS traffic on a single
connection exceeds the Activation Threshold that determines when
DefensePro considers an attack to be in progress.
Values: 1–30
Default: 3
Termination Threshold The maximum number of queries per second—after the specified
Termination Period—on a single connection that cause DefensePro to
consider the attack to have ended.
Values: 0–4,000,000
Default: 0
Note: The Termination Threshold must be less than or equal to the
Activation Threshold.
Termination Period The time, in seconds, that the DNS traffic on a single connection is
continuously below the Termination Threshold, which causes
DefensePro to consider the attack to have ended.
Values: 1–30
Default: 3
Max QPS The maximum allowed rate of DNS queries per second.
Values: 0–4,000,000
Default: 0
Escalation Period The time, in seconds, that DefensePro waits before escalating to the next
specified mitigation action.
Values: 0–30
Default: 3
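The five Manual Triggers parameters above form a hysteresis loop: an attack is declared only after Activation Period consecutive seconds above the Activation Threshold, it ends only after Termination Period consecutive seconds below the Termination Threshold, and while it is in progress the total rate towards the protected network is capped at Max QPS. The following added example (not DefensePro code) runs that loop in Python over a constructed per-second QPS trace; the threshold values used are assumptions chosen so the behaviour is visible (the guide's own defaults are 0, 3, 0, 3 and 0), and the check that the Termination Threshold does not exceed the Activation Threshold is the constraint stated in the table.

```python
"""Attack start/stop decision from the Manual Triggers parameters above.
Added example; the trace and the constructed threshold values are assumptions,
not DefensePro code (the guide's own defaults are 0, 3, 0, 3 and 0)."""
from dataclasses import dataclass


@dataclass
class DnsManualTriggers:
    activation_threshold: int = 2000    # total QPS above which an attack may start
    activation_period: int = 3          # consecutive seconds above the activation threshold
    termination_threshold: int = 1500   # QPS below which an attack may end
    termination_period: int = 3         # consecutive seconds below the termination threshold
    max_qps: int = 2500                 # rate limit applied towards the protected network

    def __post_init__(self):
        if self.termination_threshold > self.activation_threshold:
            raise ValueError("Termination Threshold must be <= Activation Threshold")
        self.attack = False
        self._above = self._below = 0

    def observe(self, qps):
        """Feed one second of total QPS. Returns (attack_in_progress, allowed_qps):
        while an attack is in progress all sources are challenged and the total
        rate towards the protected network is capped at Max QPS."""
        if not self.attack:
            self._above = self._above + 1 if qps > self.activation_threshold else 0
            if self._above >= self.activation_period:
                self.attack, self._above = True, 0
        else:
            self._below = self._below + 1 if qps < self.termination_threshold else 0
            if self._below >= self.termination_period:
                self.attack, self._below = False, 0
        return self.attack, (min(qps, self.max_qps) if self.attack else qps)


def replay(trace, **params):
    """Run a per-second QPS trace through a fresh profile; returns the decisions."""
    triggers = DnsManualTriggers(**params)
    return [triggers.observe(qps) for qps in trace]


# Constructed trace: a two-second spike that must not trigger, then a sustained flood.
SAMPLE_TRACE = [500, 3000, 3000, 800, 3000, 3100, 3500, 4000, 1000, 1200, 1000, 900]

if __name__ == "__main__":
    for second, (qps, (attack, allowed)) in enumerate(zip(SAMPLE_TRACE, replay(SAMPLE_TRACE))):
        print(f"t={second:2d} qps={qps:5d} attack={attack!s:5} allowed={allowed}")
```

The two-second spike at the start of the trace resets the activation counter when the third second falls back under the threshold, which is exactly the false-positive protection the Activation Period provides; raising it further trades detection delay for tolerance of bursty but legitimate resolvers.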
Parameter Description
Packet Report Specifies whether DefensePro sends sampled attack packets to APSolute
Vision for offline analysis.
Default: Disabled
Note: When this feature is enabled, for the feature to take effect, the
global setting must be enabled (Configuration perspective, Setup >
Reporting Settings > Advanced Reporting Settings > Packet
Reporting and Packet Trace > Enable Packet Reporting).
Packet Trace Specifies whether the DefensePro device sends attack packets to the
specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration perspective,
Setup > Reporting Settings > Advanced Reporting Settings >
Packet Reporting and Packet Trace > Enable Packet Trace on
Physical Port). In addition, a change to this parameter takes effect
only after you update policies.
Note: DefensePro does not support this feature when the Device
Operation Mode is IP (see Configuring the Device Operation Mode for
DefensePro, page 156).
Parameter Description
Note: The device implements the parameters in this tab only when the Manual Triggers option is
not enabled.
Profile Action The action that the profile takes on DNS traffic during an attack.
Values: Block & Report, Report Only
Default: Block & Report
Max Allowed QPS The maximum allowed rate of DNS queries per second, when the Manual
Triggers option is not enabled (that is, when the Use Manual Triggers
checkbox is cleared in the Manual Triggers tab).
Values: 0–4,000,000
Default: 0
Note: When the Manual Triggers option is enabled, the Max QPS
value specified in the Manual Triggers tab takes precedence.
Signature Rate-Limit Target The percentage of the DNS traffic that matches the real-time signature
that the profile will not mitigate above the baseline.
Values: 0–100
Default: 0
Challenge Method The method that the profile uses to authenticate DNS traffic.
Values:
• Passive—DefensePro authenticates DNS traffic based on discard of A
and AAAA queries.
• Active—DefensePro challenges unauthenticated DNS traffic by
shifting UDP traffic to TCP (with a TC flag). This challenge applies to
all DNS query types.
Default: Passive
Caution: Using the Active option, the entire connection path to, and
including, the DNS server(s) that the profile protects must support
TCP.
Notes:
• This parameter is effective only when Enable Signature Challenge
and/or Enable Collective Challenge are enabled globally
(Configuration perspective, Setup > Security Settings > DNS
Flood Protection > Mitigation Actions).
• For more information on the Challenge Methods and related
considerations, see DNS Challenge Methods, page 235.
• DefensePro stores sources from both methods in the SDM table.
When the same client retransmits a query within the specified period, DefensePro considers the
client to be legitimate.
Caution: When using the Active option, the entire connection path to, and including, the DNS
server(s) that the profile protects must support TCP.
The Active challenge method utilizes the DNS TC (truncated) bit. The TC bit is typically used by the
DNS server to indicate to the client that the response is too large for UDP, and it is required to use
TCP. When a DNS Flood Protection profile uses the Active challenge method, DefensePro considers a
client to be legitimate if the client opens a TCP connection to the server.
The Active challenge method works as follows:
1. DefensePro sends a DNS reply to the client with the TC bit set.
2. One of the following:
— The DNS client opens a TCP connection to port 53 with the same query that was sent over
UDP.
a. DefensePro validates the following values and adds the source to the authentication
table for future queries: Source IP address (32 bits) and DNS query name (3 bytes).
b. DefensePro passes the query to the DNS server.
c. DefensePro authenticates the source in the SYN Protection module (optional)—After the
TCP connection is created, using the SYN Protection module, DefensePro can implement
a Transparent Proxy–Authentication Method phase for TCP authentication of the
client. This phase enhances the authentication but introduces an additional, yet
tolerable, delay—especially, in the context of attack conditions. Radware recommends
using the out-of-the-box SYN protection: DNS (ID: 200009).
— The DNS client does not reply with a TCP connection.
a. DefensePro blocks the client from communicating with the protected DNS server.
b. DefensePro continues challenging new queries from the client.
The main advantages of the Active challenge method are as follows:
• The Active challenge method is compatible with all DNS query types.
• With the Active challenge method, a response from the client is forced according to the DNS
standard (RFC 1034 and RFC 1035).
• Active authentication over TCP helps verify that the client has a complete legitimate DNS stack
with both UDP and TCP support.
The Active challenge method can potentially increase the load on the protected DNS servers. The
challenge is only applied in the mitigation phase, during a DNS attack. In addition, DefensePro’s
action escalation mechanism first applies the challenge on the attack footprint, and only later on all
the queries (of a certain query type). All in all, the impact of the resulting load is expected to be
lower than the attack itself.
In terms of latency and user experience, legitimate DNS clients are authenticated based on their
initial query, and all subsequent queries from the same source, over UDP, pass directly to the server
unchallenged.
The Active challenge method, similar to all other DefensePro challenges, is based on the source IP
address of the client. That is, DefensePro authenticates a client using the client’s IP address.
There are some public DNS resolvers that change the source IP address with every new query—as
recommended in RFC 5452. Since these public DNS resolvers are legitimate, they are expected to
reply successfully to every challenge—that is, send the query over TCP. A query over TCP, with a
new IP address, is passed to the target DNS server, but the new source IP address is not
authenticated for subsequent queries.
In such scenarios, the TCP traffic load on the protected DNS servers increases. Radware
recommends using the out-of-the-box SYN protection: DNS (ID: 200009) and Connection Limit
Protection.
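The Active challenge procedure and the RFC 5452 note above can be shown end to end at the DNS message level. The following added example (not DefensePro code) builds a minimal DNS query, answers it with an empty reply that has the QR and TC bits set so a standards-conforming client retries over TCP, and authenticates the source only when the TCP retry matches the challenged source IP address and the first three bytes of the query name. It also reproduces the rotating-source-address case: the TCP query from a new address is passed to the server but that address is not authenticated, so its next UDP query is challenged again. The message builder, the three-byte name comparison and the table structure are assumptions made for illustration.

```python
"""The Active challenge: answer a UDP query with an empty, truncated (TC=1) reply and
authenticate the source only if the same query arrives again over TCP.
Added example; the message builder and the authentication table model are
assumptions, not DefensePro code."""
import struct

QR, TC, RD = 0x8000, 0x0200, 0x0100     # DNS header flag bits (RFC 1035, section 4.1.1)


def encode_name(name):
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(txid, name, qtype=1):
    """Minimal standard query (one question, RD set); qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_message(msg):
    """Return (txid, flags, qname, qtype, raw_question) for a one-question message."""
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    pos, labels = 12, []
    while msg[pos]:
        length = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype = struct.unpack("!H", msg[pos + 1:pos + 3])[0]
    return txid, flags, ".".join(labels), qtype, msg[12:pos + 5]


def tc_reply(query):
    """Echo the question back with QR and TC set and no answers, forcing a TCP retry."""
    txid, flags, _, _, question = parse_message(query)
    return struct.pack("!HHHHHH", txid, QR | TC | (flags & RD), 1, 0, 0, 0) + question


class ActiveChallenge:
    def __init__(self):
        self.challenged = {}      # src IP -> set of query-name prefixes challenged over UDP
        self.authenticated = set()

    def on_udp(self, src, query):
        """Return ('pass', None) for authenticated sources, else ('challenge', reply)."""
        if src in self.authenticated:
            return "pass", None   # subsequent UDP queries go straight to the server
        qname = parse_message(query)[2]
        self.challenged.setdefault(src, set()).add(qname[:3])   # assumption: 3 name bytes
        return "challenge", tc_reply(query)

    def on_tcp(self, src, query):
        """The TCP query is passed to the server either way; the source is authenticated
        only when its IP address and query-name prefix match an outstanding challenge."""
        qname = parse_message(query)[2]
        if qname[:3] in self.challenged.get(src, ()):
            self.authenticated.add(src)
            self.challenged.pop(src)
            return "pass", True
        return "pass", False


def scenario():
    dp = ActiveChallenge()
    q = build_query(0x1234, "www.example.com")
    act1, reply = dp.on_udp("198.51.100.5", q)               # challenged with TC
    flags = parse_message(reply)[1]
    tc_set = bool(flags & TC) and bool(flags & QR)
    act2 = dp.on_tcp("198.51.100.5", q)                      # same query over TCP
    act3, _ = dp.on_udp("198.51.100.5", build_query(2, "mail.example.com"))
    # Resolver that rotates its source address: the TCP retry comes from another IP.
    dp.on_udp("203.0.113.1", q)
    act4 = dp.on_tcp("203.0.113.2", q)
    act5, _ = dp.on_udp("203.0.113.2", q)
    return act1, tc_set, act2, act3, act4, act5
```

A client that never opens the TCP connection simply keeps receiving challenges on every UDP query and no query of its reaches the server, which is the blocking behaviour described in the procedure.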
Parameter Description
Profile Name The name of the profile.
Activation Threshold The rate, in PPS, of out-of-state packets above which the profile
considers the packets to be part of a flood attack. When DefensePro
detects an attack, it issues an appropriate alert and drops the out-of-
state packets that exceed the threshold. Packets that do not exceed
the threshold bypass the DefensePro device.
Values: 1–250,000
Default: 5000
Termination Threshold The rate, in PPS, of out-of-state packets below which the profile
considers the flood attack to have stopped; and DefensePro resumes
normal operation.
Values: 0–249,999
Default: 4000
Profile Risk The risk—for reporting purposes—assigned to the attack that the
profile detects.
Values: Info, Low, Medium, High
Default: Low
Allow SYN-ACK Values:
• Enabled—The DefensePro device opens a session and processes
a SYN-ACK packet even when the DefensePro has identified no
SYN packet for the session. This option supports asymmetric
environments, when the first packet that DefensePro receives is
the SYN-ACK.
• Disabled—When the DefensePro device receives a SYN-ACK
packet and has identified no SYN packet for the session,
DefensePro passes through the SYN-ACK packet (unprocessed) if
the packet is below the specified activation threshold, and
DefensePro drops the packet if it is above the specified activation
threshold.
Default: Enabled
Enable Packet Trace Specifies whether the profile sends out-of-state packets to the
specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration
perspective, Setup > Reporting Settings > Advanced
Reporting Settings > Packet Reporting and Packet Trace >
Enable Packet Trace on Physical Port). In addition, a change to
this parameter takes effect only after you update policies.
Note: DefensePro does not support this feature when the Device
Operation Mode is IP (see Configuring the Device Operation
Mode for DefensePro, page 156).
Enable Packet Reporting Specifies whether the profile reports out-of-state packets.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration
perspective, Setup > Reporting Settings > Advanced
Reporting Settings > Packet Reporting and Packet Trace >
Enable Packet Reporting). In addition, a change to this
parameter takes effect only after you update policies.
Profile Action The action that the profile takes when it encounters out-of-state
packets.
Values: Block and Report, Report Only
Default: Block and Report
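The out-of-state profile above combines stateful inspection with a rate threshold. The following added example (not DefensePro code) models it in Python: a SYN opens a session, packets that belong to a known session are forwarded, a SYN-ACK for an unknown session is either adopted as a session (Allow SYN-ACK enabled, the asymmetric case) or treated as out-of-state (Allow SYN-ACK disabled), and out-of-state packets pass the device unprocessed up to the Activation Threshold per second and are dropped beyond it, with the flood considered over once a second ends below the Termination Threshold. The session model, the one-second window, the small threshold values and the packet trace are assumptions.

```python
"""Out-of-state handling with the Activation/Termination thresholds and the Allow
SYN-ACK option above. Added example; the session model, the per-second window and
the constructed packet trace are assumptions, not DefensePro code."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str          # "SYN", "SYN-ACK", "ACK", "FIN" or "RST"


@dataclass
class OutOfStateProfile:
    activation_threshold: int = 5000   # PPS of out-of-state packets (guide default)
    termination_threshold: int = 4000  # guide default
    allow_syn_ack: bool = True         # guide default
    sessions: set = field(default_factory=set)    # 4-tuples seen with a SYN (or allowed SYN-ACK)
    events: list = field(default_factory=list)
    attack: bool = False
    _second: int = -1
    _count: int = 0                    # out-of-state packets in the current second

    def _roll(self, ts):
        """Start a new one-second window; decide whether a flood has stopped."""
        second = int(ts)
        if second != self._second:
            if self.attack and self._count < self.termination_threshold:
                self.attack = False
                self.events.append(("end", second))
            self._second, self._count = second, 0

    def handle(self, ts, p):
        """Return 'forward' (in-state), 'bypass' (out-of-state, under threshold) or 'drop'."""
        self._roll(ts)
        key = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.flags == "SYN":
            self.sessions.add(key)
            return "forward"
        if key in self.sessions or reverse in self.sessions:
            if p.flags in ("FIN", "RST"):
                self.sessions.discard(key)
                self.sessions.discard(reverse)
            return "forward"
        if p.flags == "SYN-ACK" and self.allow_syn_ack:
            self.sessions.add(reverse)     # asymmetric path: the client SYN was never seen
            return "forward"
        self._count += 1                   # out-of-state packet
        if self._count <= self.activation_threshold:
            return "bypass"                # passes the device unprocessed
        if not self.attack:
            self.attack = True
            self.events.append(("start", self._second))
        return "drop"


def replay(allow_syn_ack=True):
    """Constructed trace with thresholds of 5 and 3 PPS so the behaviour is visible."""
    prof = OutOfStateProfile(5, 3, allow_syn_ack)
    v = [prof.handle(1.0, Pkt("10.0.0.1", 40000, "10.0.1.1", 80, "SYN")),
         prof.handle(1.1, Pkt("10.0.1.1", 80, "10.0.0.1", 40000, "SYN-ACK")),    # in-state
         prof.handle(1.2, Pkt("10.0.0.1", 40000, "10.0.1.1", 80, "ACK")),        # in-state
         prof.handle(1.3, Pkt("10.0.1.2", 443, "10.0.0.2", 40001, "SYN-ACK"))]   # SYN never seen
    for i in range(8):    # eight bare ACKs in second 1: out-of-state flood
        v.append(prof.handle(1.4 + i / 100, Pkt("203.0.113.5", 1000 + i, "10.0.1.1", 80, "ACK")))
    v.append(prof.handle(2.0, Pkt("203.0.113.5", 2000, "10.0.1.1", 80, "ACK")))   # flood subsides
    v.append(prof.handle(3.0, Pkt("10.0.0.1", 40000, "10.0.1.1", 80, "ACK")))     # new second: flood ends
    return v, prof.events, prof.attack
```

With Allow SYN-ACK disabled the unknown SYN-ACK counts against the same per-second budget as the ACK flood, so one more packet of the burst is dropped; in a symmetric deployment that is the safer setting, since a SYN-ACK with no preceding SYN is itself a sign of spoofed traffic.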
Caution: When you configure the policy, APSolute Vision stores your configuration changes, but it
does not download your configuration changes to the device. To apply changes onto the device, you
must activate the configuration changes.
Parameter Description
Server Name The name of the server.
Maximum characters: 64
Note: The name of a server that the Service Discovery
mechanism discovered is in the following format:
<Inst>_<Number>_<NetworkProtectionPolicyName>
where:
• <Inst> is the identifier of the hardware instance, 0 or 1, on
which the Network Protection policy runs.
• <Number> is a number that DefensePro generates serially.
• <NetworkProtectionPolicyName> is the Network
Protection policy that discovered the server.
Example: 0_234_MyNetPolicyN
IP Range The IP address class object that defines the range of the
protected server(s). The drop-down list contains all the
configured Network classes (Configuration perspective, Classes
> Networks).
Note: You can assign an HTTP profile to a server definition that
contains one discrete IP address. You can assign a Server
Cracking profile to ranges, networks, and discrete IP
addresses. If HTTP Flood Profile contains a value, the User-
Defined Value option is selected read-only.
Enabled Specifies whether the protection is enabled.
HTTP Flood Profile The HTTP Flood profile to be activated against an attack.
Notes:
• You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
• You can assign an HTTP profile to a server definition that
contains one discrete IP address. If HTTP Flood Profile
contains a value, the User-Defined Value option is selected
read-only.
Server Cracking Profile The Server Cracking profile to be activated against an attack.
Each DefensePro device supports up to 20 Server Cracking
profiles.
Notes:
• You can click the adjacent button to open the dialog box in
which you can add and modify profiles.
• This parameter is not available when the Device Operation
Mode is IP (see Configuring the Device Operation Mode for
DefensePro, page 156).
VLAN Tag Group The VLAN Tag Group of the traffic.
Note: You can click the adjacent button to open the dialog box
in which you can add and modify VLAN Tag groups.
Server Status The status of the server, especially in the context of the Service
Discovery mechanism.
Values:
• static—The server is a static member of the Server Protection
table, and it is protected if the State is active. If the server is
a discovered server, the Service Discovery mechanism does
not revalidate the server.
• ignored—The server is ignored, with no protection from the
device. The DefensePro device maintains no baselines or
associated HTTP profile configuration for the server.
• discovered—The Service Discovery mechanism discovered
the server, and it is protected if the State is active. The
Service Discovery mechanism revalidates the server
according to the specified Revalidation Time.
• in evaluation—For internal use only. The Service Discovery
mechanism is currently checking whether the server meets
the Tracking-Time-Responses-per-Minute criteria.
• revalidating—For internal use only. The Service Discovery
mechanism is currently checking again whether the server
meets the Tracking-Time-Responses-per-Minute criteria.
Notes:
• For server entries that you create, you can only specify the
Server Status static or ignored.
• You can change the Server Status from discovered only to
static or ignored.
• You cannot change the Server Status once you specify
ignored. You can delete the server entry if required.
• For more information on the Service Discovery mechanism,
see Configuring Global Service Discovery and Configuring
Service Discovery Profiles.
Next Re-evaluation (Read-only) The time left, in dd:hh:mm format, before
the Service Discovery mechanism revalidates the server.
Policy The name of the Network Protection policy to which this Server
Protection policy belongs.
Table 176: Server Protection Policy: Packet Reporting and Trace Setting Parameters
Parameter Description
Packet Reporting Specifies whether the device sends sampled attack packets to
APSolute Vision for offline analysis.
Default: Disabled
When this feature is enabled here, for the feature to take effect,
the global setting must be enabled (Configuration perspective,
Setup > Reporting Settings > Advanced Reporting Settings
> Packet Reporting and Packet Trace > Enable Packet
Reporting).
Packet Reporting Configuration on Policy Takes Precedence
Specifies whether the configuration of the Packet Reporting feature here, on
this policy, takes precedence over the configuration of the Packet Reporting
feature in the associated profiles.
Packet Trace Specifies whether the DefensePro device sends attack packets to
the specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to
take effect, the global setting must be enabled (Configuration
perspective, Setup > Reporting Settings > Advanced
Reporting Settings > Packet Reporting and Packet Trace
> Enable Packet Trace on Physical Port). In addition, a
change to this parameter takes effect only after you update
policies.
Note: DefensePro does not support this feature when the
Device Operation Mode is IP (see Configuring the Device
Operation Mode for DefensePro, page 156).
Packet Trace Configuration on Policy Takes Precedence
Specifies whether the configuration of the Packet Trace feature here, on this
policy, takes precedence over the configuration of the Packet Trace feature in
the associated profiles.
Caution: A change to this parameter takes effect only after you update
policies.
Note: DefensePro does not support this feature when the Device Operation Mode is IP (see
Configuring the Device Operation Mode for DefensePro, page 156).
Each Server Protection policy can include one Server Cracking Protection profile. You can use Server
Cracking profiles for multiple Server Protection policies. A Server Cracking Protection profile
specifies the protections that DefensePro applies to protect application servers in your network
against cracking attempts and other vulnerability scans. For information on the default configuration
of each protection, see Viewing Radware-defined Server Cracking Protections, page 252.
Note: When a Server Cracking attack occurs, you can view it in the APSolute Vision Security
Dashboard and the Current Attacks table view. From both locations, you can drill down and view
attack details. For more information, see Using Real-Time Security Monitoring, page 335.
This section contains the following main topics:
• Server Cracking Protection Network Topography, page 243
• Server Cracking Attack Types, page 244
• Server Cracking Threats and Server Cracking Protection Strategies, page 245
• Server Cracking Mitigation with Server Cracking Protection, page 245
• Server Cracking Protection Technology, page 245
• Errors that Server Cracking Protection Monitors, page 248
• Server Cracking Protection Limitations, page 250
• Configuring Server Cracking Profiles for Server Protection, page 250
• Viewing Radware-defined Server Cracking Protections, page 252
Application-Vulnerability Scanning
Scanning attacks try to find services that are known to be vulnerable, or actual vulnerabilities, at
the application level; the attacker later exploits the vulnerable server or application. The scanners,
which can be automated or manual, send a legitimate request to the server that is designed to
reveal whether the vulnerability exists. Because the request itself is legitimate, the scan does not
trigger an IPS signature. In most cases the server is not vulnerable and responds with an error
message. Application scanning attempts are usually precursors to more serious exploitation
attempts. Scanning attempts generate a higher than normal error-response rate from the
application; blocking such attempts helps prevent the vulnerabilities from being disclosed.
SIP Scanning
In Session Initiation Protocol (SIP) scanning, the attacker's aim is slightly different. While it is
possible to find vulnerable SIP implementations, the actual advantage of SIP scanning is to obtain a
list of SIP subscribers, which can be used to send SPIT (SPAM over Internet Telephony). An attacker
can use scripts to send SPIT messages to a guessed list of subscribers and harvest the existing
subscribers according to the received replies. SPIT can annoy subscribers and even disrupt service if
carried out in high volumes.
During the Attack state, the attacking source is added to the Suspend table (a block list). When the
source is released from the block, the monitoring interval starts again.
Sensitivity Parameter
The Sensitivity parameter of each Server Cracking protection defines thresholds for the quantity and
frequency of server-side error messages. DefensePro tracks server-side error messages to trigger
attack detection. High sensitivity means that only a few cracking attempts trigger the protection,
while Minor means that a very high number of attempts is required before the protection triggers.
The default is Medium.
During the Attack state, the attacker is added to the Suspend table, which is the list of blocked
sources. When the user is released from the Suspend table, the monitoring interval is set again.
There may be cases where you need to tune the value of the Sensitivity parameter. For example, if
you are protecting a Web server that is not maintained or not updated, it may generate HTTP-error
replies at an abnormal rate, which the device will falsely identify as an attack. In such a case, set
the sensitivity to Low.
Note: Application-scanning and brute-force attempts are usually generated through multiple L4
connections. If the attack attempts are using the same L4 connection (that is, a TCP or UDP
connection), the detection sensitivity will be automatically set to a higher value than those that are
specified in the above table. Thus, the quantity and frequency of attempts needed to trigger the
protection action will be lower.
Table 179: Sensitivity Levels for Cracking Indications (Single Layer 4 Connections)
Error Code  Error  Web Scan  SIP/Web Brute Force  SIP Scan  Additional Server Cracking Protection
0xc000006a STATUS_WRONG_PASSWORD Brute Force SMB
0xc000006d STATUS_LOGON_FAILURE Brute Force SMB
0xc0000022 STATUS_ACCESS_DENIED Brute Force SMB
48 Inappropriate Authentication Brute Force LDAP
49 Invalid Credentials Brute Force LDAP
50 Insufficient Access Rights Brute Force LDAP
400 Bad Request
401 Unauthorized
402 Payment Required
403 Forbidden
404 Not Found
405 Method Not Allowed
406 Not Acceptable
407 Proxy Authentication Required
408 Request Timeout
409 Conflict
410 Gone
411 Length Required
412 Precondition Failed
413 Request Entity Too Large
414 Request-URI Too Large
415 Unsupported Media Type
416 Unsupported URI Scheme
417 Unknown Resource-Priority
420 Bad Extension
421 Extension Required
423 Interval Too Brief
481 Call/Transaction Does Not Exist
483 Too Many Hops
485 Ambiguous
486 Busy Here
488 Not Acceptable Here
530 User not logged in Brute Force FTP
535 Authentication unsuccessful/Bad username or password Brute Force SMTP
550 Mailbox Unavailable SMTP Scan
1045 Access denied for user Brute Force MySQL
8003 Response, No such name Brute Force DNS
18456 Login Failed Brute Force MSSQL
"-ERR" General POP3 error Brute Force POP3
No - generic error code Brute Force IMAP
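The Sensitivity Parameter section and the error-code table above describe the detection idea but not how the counting works in practice. The following is an added example, not Radware code: a per-source tracker that classifies server responses using the error indications listed in the table, counts them inside a monitoring interval, lowers the effective threshold when every attempt rides one Layer 4 connection (as the note above says the device does), and moves the source into a Suspend table. The threshold values, the monitoring interval, the suspend duration, the halving ratio for single-connection attempts, and the assignment of HTTP versus SIP response codes (the table's column marks did not survive extraction) are all assumptions; the replayed response log is constructed.

```python
"""Per-source error-rate tracker modelled on Server Cracking Protection.
Added example, not Radware code; every threshold and interval here is an assumption."""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

# Server-side error indications from the table above, keyed by protocol.
# Assumption: HTTP 400-415 count as Web Scan indications; the SIP set is
# the table's 4xx rows including the SIP-only codes (416, 417, 420, ...).
CRACKING_ERRORS = {
    "smb":   {"0xc000006a", "0xc000006d", "0xc0000022"},
    "ldap":  {"48", "49", "50"},
    "http":  {str(c) for c in range(400, 416)},
    "sip":   {str(c) for c in range(400, 418)} | {"420", "421", "423", "481", "483", "485", "486", "488"},
    "ftp":   {"530"},
    "smtp":  {"535", "550"},
    "mysql": {"1045"},
    "dns":   {"8003"},
    "mssql": {"18456"},
    "pop3":  {"-err"},
    "imap":  {"no"},
}

# Errors inside one monitoring interval that declare an attack (assumed values).
THRESHOLDS = {"High": 5, "Medium": 20, "Low": 50, "Minor": 200}


def is_cracking_error(proto: str, code) -> bool:
    """True if a server response is one of the tracked error indications."""
    text = str(code).strip()
    token = text.split()[0].lower() if text else ""
    return token in CRACKING_ERRORS.get(proto, set())


@dataclass
class CrackingTracker:
    sensitivity: str = "Medium"
    interval: float = 60.0         # assumed monitoring interval, seconds
    suspend_time: float = 120.0    # assumed Suspend table hold time, seconds
    window: dict = field(default_factory=lambda: defaultdict(list))  # src -> [(t, conn)]
    suspended: dict = field(default_factory=dict)                    # src -> release time
    events: list = field(default_factory=list)                       # (src, proto, count)

    def observe(self, t, src_ip, src_port, dst_ip, dst_port, proto, code) -> str:
        # A suspended source stays blocked until its release time; on release
        # the monitoring interval starts again from zero, as the text describes.
        if src_ip in self.suspended:
            if t < self.suspended[src_ip]:
                return "suspended"
            del self.suspended[src_ip]
            self.window[src_ip] = []
        if not is_cracking_error(proto, code):
            return "ok"
        conn = (src_ip, src_port, dst_ip, dst_port)
        recent = [(ts, c) for ts, c in self.window[src_ip] if t - ts <= self.interval]
        recent.append((t, conn))
        self.window[src_ip] = recent
        threshold = THRESHOLDS[self.sensitivity]
        # Attempts that all use one L4 connection get a higher effective
        # sensitivity; half the threshold is an assumed ratio.
        if len({c for _, c in recent}) == 1:
            threshold = max(1, threshold // 2)
        if len(recent) >= threshold:
            self.suspended[src_ip] = t + self.suspend_time
            self.events.append((src_ip, proto, len(recent)))
            self.window[src_ip] = []
            return "attack"
        return "error"


def run_demo(sensitivity: str = "Medium"):
    """Replay a constructed response log; return (attack events, verdict counts)."""
    log = []
    # Distributed SMTP brute force: 25 AUTH failures, each on a new connection.
    log += [(i * 0.4, "198.51.100.7", 40000 + i, "10.0.0.25", 25, "smtp", "535") for i in range(25)]
    # A legitimate client that hits a few missing pages, then a page that exists.
    log += [(float(t), "203.0.113.5", 52000 + t, "10.0.0.80", 80, "http", "404") for t in (1, 2, 3)]
    log.append((50.0, "203.0.113.5", 52010, "10.0.0.80", 80, "http", "200"))
    # LDAP password guessing over a single bound connection (same source port).
    log += [(30.0 + i, "198.51.100.8", 51000, "10.0.0.89", 389, "ldap", "49") for i in range(12)]
    tracker = CrackingTracker(sensitivity=sensitivity)
    verdicts = Counter(tracker.observe(*rec) for rec in sorted(log, key=lambda r: r[0]))
    return tracker.events, dict(verdicts)


if __name__ == "__main__":
    print(run_demo())
```

With the assumed Medium threshold of 20, the distributed SMTP brute force is suspended at its 20th failure, while the single-connection LDAP guessing trips at 10 because the single-connection rule halves the threshold; the client that produced three 404s is never suspended, and at Minor sensitivity nothing triggers at all, which is the tuning the text recommends for a neglected Web server that returns errors at an abnormal rate.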
Note: DefensePro does not support this feature when the Device Operation Mode is IP (see
Configuring the Device Operation Mode for DefensePro, page 156).
You configure Server Cracking profiles with Radware-defined protections.
Each DefensePro device supports up to 20 Server Cracking profiles.
Before you configure a Server Cracking profile, ensure the following:
• The Session table Lookup Mode is Full Layer 4. For more information, see Configuring
DefensePro Session Table Settings, page 149.
• Signature Protection is enabled and the global parameters are configured. For more information,
see Configuring Global Signature Protection, page 111.
Parameter Description
Profile Name The name of the Server Cracking profile.
Action The action that the device takes when an attack that matches the
configured protection occurs.
Values: Block and Report, Report Only
Default: Report Only
Packet Trace Specifies whether the DefensePro device sends attack packets to the
specified physical port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration
perspective, Setup > Reporting Settings > Advanced
Reporting Settings > Packet Reporting and Packet Trace >
Enable Packet Trace on Physical Port). In addition, a change to
this parameter takes effect only after you update policies.
Note: DefensePro does not support this feature when the Device
Operation Mode is IP (see Configuring the Device Operation
Mode for DefensePro, page 156).
Server Cracking Protection table
Contains the protections to be applied if there is an attack on the server. To
configure a protection, see Configuring Server Cracking Protections for a
Server Cracking Profile, page 251.
Note: In each Server Cracking policy, you can use only one Server
Cracking profile. Therefore, ensure that all the protections that you
want to apply to a rule are contained in the profile specified for
that rule.
Parameter Description
Profile Name (Read-only) The name of the Server Cracking profile.
Server Cracking Protection Name
(Read-only when modifying the configuration) The name of the Server
Cracking protection.
You can view the default configuration of each protection in Server
Cracking Protections pane (see Viewing Radware-defined Server
Cracking Protections, page 252).
For more information on the Server Cracking protections, see Server
Cracking Protection Technology, page 245.
Sensitivity The detection sensitivity of the module. The sensitivity level defines
thresholds for the number and frequency of server-side error
messages.
Values: High, Medium, Low, Minor
Default: Medium
Note: For more information, see Sensitivity Parameter, page 246.
Risk The risk assigned to this attack for reporting purposes.
Values: Info, Low, Medium, High
Parameter Description
Protection ID The unique identifying number.
Protection Name The name for the Protection. The Protection Name is used when DoS Shield
sends information about attack status changes.
Risk The risk assigned to this attack for reporting purposes.
Values: Info, Low, Medium, High
Sensitivity The detection sensitivity of the module. The sensitivity level defines thresholds
for the number and frequency of server-side error messages, which the device
tracks for attack detection. High sensitivity means that a few cracking attempts
are enough to trigger the protection; Minor sensitivity means that a very high
number of attempts is required.
Values: High, Medium, Low, Minor
Default: Medium
Note: If you are protecting a Web server that is not maintained or not
updated, it may generate HTTP-error replies at an abnormal rate, which the
device will falsely identify as an attack. In such a case, set the sensitivity to
Low.
Action Mode The action that the device takes when an attack is detected.
Direction The direction of the traffic to inspect. A protection may include attacks that
should be searched for only in traffic from client to server, or only in traffic
from server to client.
Values:
• Inbound—The Protection inspects traffic from policy Source to policy
Destination.
• Outbound—The Protection inspects traffic from policy Destination to policy
Source.
• Inbound & Outbound—The Protection inspects all traffic between policy
Source and policy Destination.
Suspend Action Specifies what traffic to suspend for a period of time.
Values:
• None—Suspend action is disabled for this attack.
• SrcIP—All traffic from the IP address identified as the source of the attack
is suspended.
• SrcIP, DestIP—Traffic from the IP address identified as the source of the
attack to the destination IP address under attack is suspended.
• SrcIP, DestPort—Traffic from the IP address identified as source of the
attack to the application (destination port) under attack is suspended.
• SrcIP, DestIP, DestPort—Traffic from the IP address identified as the
source of the attack to the destination IP address and port under attack is
suspended.
• SrcIP, DestIP, SrcPort, DestPort—Traffic from the IP address and port
identified as the source of the attack to the destination IP address and
port under attack is suspended.
Parameter Description
Profile Name The name of the profile.
Sensitivity Level When User-Defined Attack Triggers are not used, this parameter specifies
how sensitive the profile is to deviations from the baseline. High specifies
that the profile identifies an attack when the device detects only a small
deviation from the baselines.
Values:
• Minor
• Low
• Medium
• High
Default: Medium
Action The action that the profile takes when the profile detects suspicious traffic.
Values:
• Block and Report—Blocks and reports on the suspicious traffic.
• Report Only—Reports the suspicious traffic.
Default: Block and Report
Table 186: HTTP Flood Protection Profile: Automatic Attack Triggers Parameters
Parameter Description
GET and POST Request Rate Specifies whether the profile identifies an HTTP flood attack when
the rate of GET and POST requests exceeds the learned baseline.
Default: Enabled
Other Request-Type Request Rate Specifies whether the profile identifies an HTTP flood attack
when the rate of requests that are not GET or POST requests exceeds the learned baseline.
Default: Enabled
If Outbound HTTP Bandwidth is enabled and Other Request-Type Request Rate is
disabled, an attack consisting of other (that is, not GET or POST) requests may
cause high outbound HTTP bandwidth consumption. The same can happen when
Other Request-Type Request Rate is enabled but the rate of such requests does not
exceed its threshold. In either case, the high outbound HTTP bandwidth consumption
may cause the Outbound HTTP Bandwidth mechanism to treat the attack as an
anomaly rather than an attack, and the profile will not mitigate it.
Outbound HTTP Bandwidth Specifies whether the profile identifies an HTTP flood attack when
the outbound HTTP bandwidth exceeds the learned baseline.
Default: Enabled
Requests-per-Source Rate Specifies whether the profile identifies an HTTP flood attack when
the rate of requests per source exceeds the learned baseline.
Default: Disabled
Requests-per-Connection Rate Specifies whether the profile identifies an HTTP flood attack
when the rate of requests per connection exceeds the learned baseline.
Default: Enabled
Table 187: HTTP Flood Protection Profile: User-Defined Attack Trigger Parameters
Parameter Description
Use the following thresholds to identify HTTP flood attacks
Specifies whether the profile uses static, user-defined thresholds to identify
when an attack is in progress, or instead monitors the server traffic and
compares its behavior to the learned baseline.
Default: Disabled
GET and POST Request-Rate The maximum number of GET and POST requests allowed, per
server per second.
Values:
• 0—The profile ignores the threshold.
• 1–4,294,967,296
Default: 0
Other Request-type Request-Rate The maximum number of requests that are not GET or POST
(for example, HEAD, PUT, and so on) allowed, per server per second.
Values:
• 0—The profile ignores the threshold.
• 1–4,294,967,296
Default: 0
If Outbound HTTP BW Trigger is enabled and Other Request-type Request-Rate
Trigger is disabled, an attack consisting of other (that is, not GET or POST)
requests may cause high outbound HTTP bandwidth consumption. The same can
happen when Other Request-type Request-Rate Trigger is enabled but the rate of
such requests does not exceed its threshold. In either case, the high outbound
HTTP bandwidth consumption may cause the Outbound HTTP BW Trigger
mechanism to treat the attack as an anomaly rather than an attack, and the
profile will not mitigate it.
Outbound HTTP BW The maximum allowed bandwidth of HTTP responses in kilobits per
second.
Values:
• 0—The profile ignores the threshold.
• 1–4,294,967,296
Default: 0
Requests-per-Source The maximum number of requests allowed per source IP per second.
Values:
• 0—The profile ignores the threshold.
• 1–10,000
Default: 0
Requests-per-Connection The maximum number of requests allowed from the same connection.
Values:
• 0—The profile ignores the threshold.
• 1–10,000
Default: 0
Table 188: HTTP Flood Protection Profile: Suspicious Source Characterization Thresholds
Parameters
Parameter Description
Request-Rate Threshold The number of HTTP requests per second from a source that causes
the profile to consider the source to be suspicious.
Values: 1–65,535
Default: 5
Requests-per-Connection Threshold The number of HTTP requests for a connection that
causes the profile to consider the source to be suspicious.
Values: 1–65,535
Default: 5
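Tables 187 and 188 give the user-defined trigger thresholds and the suspicious-source thresholds but do not show how they combine on real traffic. The following is an added example, not Radware code, that evaluates one second of constructed requests toward one protected server: every user-defined threshold left at 0 is ignored, the remaining ones fire when exceeded, and a source becomes suspicious when it crosses either Table 188 figure. The second scenario reproduces the note under Table 187: with the Other Request-type trigger left at 0, a flood of non-GET/POST requests is visible only through the outbound bandwidth figure. Request and response sizes, the per-second window for the per-connection count, and all source addresses are constructed.

```python
"""HTTP flood user-defined triggers and suspicious-source characterization,
modelled on Tables 187 and 188 above. Added example, not Radware code."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class UserDefinedTriggers:
    """Static thresholds per protected server; 0 means 'ignore this threshold'
    (the Table 187 default for every field)."""
    get_post_rate: int = 0           # GET+POST requests per second
    other_rate: int = 0              # non-GET/POST requests per second
    outbound_kbps: int = 0           # HTTP response bandwidth, kilobits per second
    requests_per_source: int = 0     # requests per source IP per second
    requests_per_connection: int = 0 # requests from one connection (counted per second here)


@dataclass
class SuspiciousThresholds:
    """Table 188 defaults: a source is suspicious above either figure."""
    request_rate: int = 5
    requests_per_connection: int = 5


def exceeds(value, limit) -> bool:
    """A threshold of 0 is ignored; otherwise trigger when the value exceeds it."""
    return limit > 0 and value > limit


def analyze_second(requests, triggers, susp):
    """Evaluate one second of requests toward one protected server.

    requests: list of (src_ip, src_port, method, response_bytes), a constructed
    per-second sample of what the device would observe.
    Returns (names of fired triggers, set of suspicious source IPs).
    """
    get_post = sum(1 for _, _, method, _ in requests if method in ("GET", "POST"))
    other = len(requests) - get_post
    kbps = sum(size for *_, size in requests) * 8 / 1000
    per_source = Counter(ip for ip, *_ in requests)
    per_conn = Counter((ip, port) for ip, port, *_ in requests)

    fired = []
    if exceeds(get_post, triggers.get_post_rate):
        fired.append("GET and POST Request-Rate")
    if exceeds(other, triggers.other_rate):
        fired.append("Other Request-type Request-Rate")
    if exceeds(kbps, triggers.outbound_kbps):
        fired.append("Outbound HTTP BW")
    if any(exceeds(n, triggers.requests_per_source) for n in per_source.values()):
        fired.append("Requests-per-Source")
    if any(exceeds(n, triggers.requests_per_connection) for n in per_conn.values()):
        fired.append("Requests-per-Connection")

    suspicious = {ip for ip, n in per_source.items() if n > susp.request_rate}
    suspicious |= {ip for (ip, _), n in per_conn.items() if n > susp.requests_per_connection}
    return fired, suspicious


def demo():
    # Three ordinary clients, two GETs each, 1500-byte responses (constructed).
    legit = [(f"203.0.113.{i}", 50000 + i, "GET", 1500) for i in range(1, 4)] * 2
    # Scenario 1: GET flood from one source spread over eight connections with
    # five requests each, so only the per-source figure marks it suspicious.
    flood = [("198.51.100.20", 40000 + c, "GET", 1500) for c in range(8) for _ in range(5)]
    t1 = UserDefinedTriggers(get_post_rate=30, outbound_kbps=500)
    r1 = analyze_second(legit + flood, t1, SuspiciousThresholds())
    # Scenario 2: OPTIONS flood with Other Request-type left at 0 (ignored):
    # only the bandwidth trigger can notice it.
    opts = [("198.51.100.21", 41000, "OPTIONS", 4000) for _ in range(20)]
    t2 = UserDefinedTriggers(get_post_rate=30, other_rate=0, outbound_kbps=500)
    r2 = analyze_second(legit + opts, t2, SuspiciousThresholds())
    return r1, r2


if __name__ == "__main__":
    print(demo())
```

In the first scenario the attacker keeps each connection at exactly five requests, so the Requests-per-Connection Threshold never marks it, and it is the Request-Rate Threshold (40 requests per second from one source) that does; the second scenario shows why leaving Other Request-type at 0 while relying on the bandwidth figure is fragile, since a lower response size would silence the only trigger that fired.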
Table 189: HTTP Flood Protection Profile: Packet Reporting and Trace Settings Parameters
Parameter Description
Packet Report Specifies whether the profile sends sampled attack packets to APSolute
Vision for offline analysis.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration perspective,
Setup > Reporting Settings > Advanced Reporting Settings >
Packet Reporting and Packet Trace > Enable Packet Reporting).
Packet Trace Specifies whether the profile sends attack packets to the specified physical
port.
Default: Disabled
Caution: When this feature is enabled here, for the feature to take
effect, the global setting must be enabled (Configuration perspective,
Setup > Reporting Settings > Advanced Reporting Settings >
Packet Reporting and Packet Trace > Enable Packet Trace on
Physical Port). In addition, a change to this parameter takes effect
only after you update policies.
Note: DefensePro does not support this feature when the Device
Operation Mode is IP (see Configuring the Device Operation Mode for
DefensePro, page 156).
When the protection is enabled and the profile detects that a HTTP-flood attack has started, the
device implements the mitigation actions in escalating order—in the order that they appear in the
tab. If the first enabled mitigation action does not mitigate the attack satisfactorily, after a certain
escalation period, the device implements the next more-severe enabled mitigation action—and so
on.
Escalation periods are not configurable.
Challenge Suspected Attackers Specifies whether the profile challenges HTTP sources that match
the real-time signature.
Default: Enabled
Table 190: HTTP Flood Protection Profile: Mitigation Settings Parameters (cont.)
Parameter Description
Challenge All Sources Specifies whether the profile challenges all HTTP traffic toward the
protected server.
Default: Enabled
Block Suspected Attackers Specifies whether the profile blocks all traffic from the suspect
sources.
Default: Enabled
Challenge Mode Specifies how the profile challenges suspect HTTP sources.
Values:
• 302 Redirect—The device authenticates HTTP traffic using a 302-
Redirect response code.
• JavaScript—The device authenticates HTTP traffic using a JavaScript
object generated by the device.
• Advanced JavaScript—DefensePro authenticates HTTP traffic using an
obfuscated and polymorphic challenge, which can overcome advanced
attack tools.
• Cloud Authentication—DefensePro authenticates HTTP traffic using the
Radware cloud authentication service to handle headless-browser
DDoS attacks. This option requires a special license.
Default: 302 Redirect
Some attack tools are capable of handling 302-redirect responses. The
302-Redirect Challenge Mode is not effective against attacks that use
those tools. The JavaScript Challenge Mode requires an engine on the
client side that supports JavaScript, and therefore, the JavaScript option is
considered stronger. However, the JavaScript option has some limitations,
which are relevant in certain scenarios.
Limitations when using the JavaScript Challenge Mode:
• If the browser does not support JavaScript calls, the browser will not
answer the challenge.
• When the protected server is accessed as a sub-page through another
(main) page only using JavaScript, the user session will fail (that is,
the browser will not answer the challenge.) For example, if the
protected server supplies content that is requested using a JavaScript
tag, the DefensePro JavaScript is enclosed within the original
JavaScript block. This violates JavaScript rules, which results in a
challenge failure.
Example: The js.src request below accesses a protected server:
<script>
setTimeout(function(){
  var js=document.createElement("script");
  js.src="http://mysite.site.com.domain/service/appMy.jsp?dlid=12345";
  document.getElementsByTagName("head")[0].appendChild(js);
},1000);
</script>
The returned challenge page contains the <script> tag again, which is
illegal inside a script resource, and therefore the browser drops it
without following the redirect.
Note: DefensePro does not support this feature when the Device Operation Mode is IP (see
Configuring the Device Operation Mode for DefensePro, page 156).
To implement the Service Discovery feature, when you configure a Network Protection policy, you
specify the Service Discovery profile to use in the policy.
Note: The Service Discovery profile can be specified in multiple Network Protection policies, which
may have overlapping network ranges. The Service Discovery mechanism protects the discovered
server only with the first policy that matches.
Parameter Description
Profile Name The name of the profile.
Maximum characters: 30
HTTP Profile The HTTP-flood mitigator profile for the server.
Notes:
• The server is protected with the profile configuration that exists when
the server is added to the Server Protection Policies table. If the
configuration of the profile changes, the new configuration protects
only the subsequently added/discovered servers.
• The profile configuration includes the parameters Action and Packet
Trace, but the DefensePro device ignores the values. Instead, the
device uses the Action and Packet Trace values that are configured
in the Network Protection policy.
Responses per Minute The average number of HTTP responses per minute, measured over the
Tracking Time (specified globally), that causes the Service Discovery
mechanism to protect the server. If the server reaches the total for the
whole Tracking Time (Responses per Minute × Tracking Time) before the
Tracking Time elapses, the Service Discovery mechanism adds the server to
the Server Protection Policies table immediately.
Values: 1–5000
Default: 100
Automatic Removal Specifies whether the Service Discovery mechanism removes the server
from the Server Protection Policies table if, after the Revalidation Time
the server does not meet the Tracking-Time-Responses-per-Minute
criteria.
Values: Yes, No
Default: No
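The Service Discovery rules are spread over several places above: the server name format under Server Name, the Server Status transitions, the first-matching-policy rule for overlapping ranges, the Responses per Minute × Tracking Time criterion, and Automatic Removal at revalidation. The following is an added example, not Radware code, that puts them into one small model and runs constructed response timelines through it. The Tracking Time (a global setting, assumed here to be 5 minutes), the hardware instance number, and the timelines are assumptions.

```python
"""Service Discovery decision logic modelled on the parameters above.
Added example, not Radware code; Tracking Time and timelines are assumed."""
import ipaddress
from dataclasses import dataclass


@dataclass
class DiscoveryPolicy:
    """A Network Protection policy that carries a Service Discovery profile."""
    name: str
    network: str                        # protected range, e.g. "10.0.0.0/24"
    responses_per_minute: int = 100     # profile default (1-5000)
    automatic_removal: bool = False     # profile default


@dataclass
class DiscoveredServer:
    name: str
    ip: str
    policy: str
    status: str = "discovered"


class ServiceDiscovery:
    def __init__(self, policies, tracking_time_min=5, instance=0):
        self.policies = list(policies)              # first matching policy wins
        self.tracking_time_min = tracking_time_min  # assumed global Tracking Time
        self.instance = instance                    # hardware instance, 0 or 1
        self.serial = 0                             # <Number> in the server name
        self.table = {}                             # Server Protection Policies table

    def match_policy(self, ip):
        """Overlapping ranges: only the first policy that matches protects the server."""
        addr = ipaddress.ip_address(ip)
        for policy in self.policies:
            if addr in ipaddress.ip_network(policy.network, strict=False):
                return policy
        return None

    def meets_criteria(self, policy, response_times):
        """Responses-per-Minute x Tracking-Time rule.

        response_times are seconds since tracking started. Returns (met, early):
        early is the moment the full total was reached before the Tracking Time
        elapsed, else None (the average over the Tracking Time decides)."""
        window = self.tracking_time_min * 60
        total_needed = policy.responses_per_minute * self.tracking_time_min
        count = 0
        for t in sorted(response_times):
            if t >= window:
                break
            count += 1
            if count >= total_needed:
                return True, t
        return count / self.tracking_time_min >= policy.responses_per_minute, None

    def evaluate(self, ip, response_times):
        """Add a qualifying server to the table, named <Inst>_<Number>_<PolicyName>."""
        policy = self.match_policy(ip)
        if policy is None:
            return None
        met, _ = self.meets_criteria(policy, response_times)
        if not met:
            return None
        self.serial += 1
        name = f"{self.instance}_{self.serial}_{policy.name}"
        self.table[name] = DiscoveredServer(name, ip, policy.name)
        return name

    def revalidate(self, name, response_times):
        """Only 'discovered' entries are revalidated; static entries are never re-checked."""
        server = self.table[name]
        if server.status != "discovered":
            return server.status
        policy = next(p for p in self.policies if p.name == server.policy)
        met, _ = self.meets_criteria(policy, response_times)
        if not met and policy.automatic_removal:
            del self.table[name]
            return "removed"
        return server.status

    def set_status(self, name, new_status):
        """Allowed transitions from the Server Status notes: discovered -> static | ignored."""
        server = self.table[name]
        if server.status == "ignored":
            raise ValueError("an ignored entry cannot be changed; delete it instead")
        if server.status == "discovered" and new_status in ("static", "ignored"):
            server.status = new_status
            return new_status
        raise ValueError(f"cannot change status {server.status!r} to {new_status!r}")


def demo():
    sd = ServiceDiscovery([
        DiscoveryPolicy("PolA", "10.0.0.0/24", automatic_removal=True),
        DiscoveryPolicy("PolB", "10.0.0.0/16"),
    ])
    burst = [i * 0.1 for i in range(500)]   # constructed: 500 responses in the first 50 s
    slow = [i * 1.5 for i in range(200)]    # constructed: 200 responses over 5 min (40/min)
    out = {}
    out["a"] = sd.evaluate("10.0.0.5", burst)         # "0_1_PolA": total reached early
    out["slow"] = sd.evaluate("10.0.0.6", slow)       # None: average below 100/min
    out["b"] = sd.evaluate("10.0.1.9", burst)         # "0_2_PolB": outside PolA, inside PolB
    out["reval_a"] = sd.revalidate("0_1_PolA", slow)  # "removed": Automatic Removal = Yes
    out["reval_b"] = sd.revalidate("0_2_PolB", slow)  # "discovered": Automatic Removal = No
    out["static"] = sd.set_status("0_2_PolB", "static")
    return out


if __name__ == "__main__":
    print(demo())
```

The burst timeline reaches 500 responses (100 × 5 minutes) within the first 50 seconds, so the server is added without waiting for the Tracking Time to elapse; the slow timeline averages 40 responses per minute and never qualifies. Because PolA precedes PolB in the evaluation order, 10.0.0.5 is protected by PolA even though PolB's range also contains it, which is the behaviour the note on overlapping ranges describes.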
Note: To utilize the full capacity with the highest performance, Radware recommends that you
configure Black List and White List rules using network masks rather than network ranges.
You can configure a White List rule that lets traffic from a specified source Network class or source
IP address bypass (that is, be exempt from) specific protection modules, for example, Server
Cracking. When a White List rule names specific protection modules, the device matches the rule
on the source Network class or explicit source IP address only.
Notes
• Since networks on the White List are not inspected, certain protections are not applied to
sessions in the opposite direction. For example, with SYN protection, this can cause servers to
not be added to known destinations due to ACK packets not being inspected.
• You can recreate a White List rule with the same name only after you update policies.
Parameter Description
Name The name of the rule.
Maximum characters: 64
Description The user-defined description of the rule.
Enable When selected, the rule is active.
Source Network The source of the packets that the rule uses.
Values:
• A Network class displayed in the Classes tab
• An IP address
Source Port The source Application Port class or application-port number that the
rule uses.
Values:
• An Application Port class displayed in the Classes tab
• An application-port number
• None
Destination Network The destination of the packets that the rule uses.
Values:
• A Network class displayed in the Classes tab
• An IP address
• any
Destination Port The destination Application Port class or application-port number that
the rule uses.
Values:
• An Application Port class displayed in the Classes tab
• An application-port number
• None
Physical Ports The Physical Port class or physical port that the rule uses.
Values:
• A Physical Port class displayed in the Classes tab
• The physical ports on the device
• None
VLAN Tag The VLAN Tag class that the rule uses.
Values:
• A VLAN Tag class displayed in the Classes tab
• None
Protocol The protocol of the traffic that the rule uses.
Values:
• Any
• GRE
• ICMP
• ICMPv6
• IGMP
• SCTP
• TCP
• UDP
• L2TP
• GTP
• IP in IP
Default: Any
Direction The direction of the traffic to which the rule relates.
Values:
• One-directional—The protection applies to sessions originating
from sources to destinations that match the network definitions
of the policy.
• Bi-directional—The protection applies to sessions that match the
network definitions of the policy regardless of their direction.
Default: One-directional
Action (Read-only) The action for a White List rule is always Bypass.
Parameter Description
Black or White List Precedence
Values:
• White List Takes Precedence—If a packet matches both a White
List rule and a Black List rule, DefensePro processes the packet as
belonging to the White List rule.
• Black List Takes Precedence—If a packet matches both a White
List rule and a Black List rule, DefensePro processes the packet as
belonging to the Black List rule.
Default: White List Takes Precedence
Note: To utilize the full capacity with the highest performance, Radware recommends that you
configure Black List and White List rules using network masks rather than network ranges.
Enabling and Disabling the Packet Trace Feature for Black List Rules
You enable or disable the Packet Trace feature for all the Black List rules on the device.
When the Packet Trace feature is enabled for Black Lists, the DefensePro device sends blacklisted
packets to the specified physical port.
Notes
• DefensePro does not support this feature when the Device Operation Mode is IP (see
Configuring the Device Operation Mode for DefensePro, page 156).
• When this feature is enabled, for the feature to take effect, the global setting must be enabled
(Configuration perspective, Setup > Reporting Settings > Advanced Reporting Settings >
Packet Reporting and Packet Trace > Enable Packet Trace on Physical Port).
• A change to the parameter takes effect only after you update policies.
To enable or disable the Packet Trace feature for all the Black List rules on the device
1. In the Configuration perspective, select Access Control > Black Lists and White Lists >
Black List.
2. Select or clear the Packet Trace checkbox, and then, click Submit.
Note: You can recreate a Black List rule with the same name only after you update policies.
Parameter Description
Name The name of the rule.
Maximum characters: 64
Description The user-defined description of the rule.
Enable When selected, the rule is active.
Default: Enabled
Source Network The source of the packets that the rule uses.
Values:
• A Network class displayed in the Classes tab
• An IP address
• None
• any
Default: any
Source Port The source Application Port class or application-port number that the rule
uses.
Values:
• An Application Port class displayed in the Classes tab
• An application-port number
• None
Destination Network The destination of the packets that the rule uses.
Values:
• A Network class displayed in the Classes tab
• An IP address
• None
• any
Default: any
Destination Port The destination Application Port class or application-port number that the
rule uses.
Values:
• An Application Port class displayed in the Classes tab
• An application-port number
• None
Physical Ports The Physical Port class or physical port that the rule uses.
Values:
• A Physical Port class displayed in the Classes tab
• The physical ports on the device
• None
VLAN Tag The VLAN Tag class that the rule uses.
Values:
• A VLAN Tag class displayed in the Classes tab
• None
Protocol The protocol of the traffic that the policy inspects.
Values:
• Any
• GRE
• ICMP
• ICMPv6
• IGMP
• SCTP
• TCP
• UDP
• IP in IP
Default: Any
Direction The direction to which the rule relates.
Values:
• One-directional—The protection applies to sessions originating from
sources to destinations that match the network definitions of the
policy.
• Bi-directional—The protection applies to all traffic that matches the
network definitions of the policy, regardless of which is defined as
source and which is defined as destination.
Default: One-directional
Dynamic Specifies whether the rule implements the Expiration Timer.
Default: Disabled
Note: Changing the configuration of this option takes effect only after
you update policies (click Update Policies).
Entry Expiration Timer Specifies the hours and minutes remaining for the rule.
The maximum Expiration Timer is two hours.
The Expiration Timer can be used only with dynamic Black List rules. The
Expiration Timer for a static Black List rule must be set to 0 (zero hours
and zero minutes).
When the rule expires (that is, when the Entry Expiration Timer elapses),
the rule disappears from the Black List Policy table when the table
refreshes.
Detector Security Module The DefensePro security module that identified the root cause of the Black List rule. This parameter has no effect on the device operation.
Values:
• Admin—The default value in the context of a user-defined, dynamic
Black List rule.
• Vision Reporter
• Connection Limit
• Application Security
• Syn Protection
• HTTP Flood
• Behavioral DoS
• DNS Flood
Default: Admin
Detector The IP address of the detector that identified the root cause of the Black List rule. This parameter has no effect on the device operation.
Action (Read-only) The action for a Black List rule is always Drop.
Report Specifies whether the device issues traps for the rule.
Packet Report Specifies whether the device sends sampled attack packets to APSolute
Vision for offline analysis.
Default: Disabled
When this feature is enabled here, for the feature to take effect, the
global setting must be enabled (Configuration perspective, Setup >
Reporting Settings > Advanced Reporting Settings > Packet
Reporting and Packet Trace > Enable Packet Reporting).
• Non-TCP, Non-UDP and Non-ICMP session direction—According to the first L3 (IP) packet
in the flow.
• Non-IP direction—According to the first packet in the flow.
When ACL is enabled and activated, the device learns the existing sessions for a specified amount of
time (by default, 10 minutes). During this learning period, the device accepts all sessions regardless of
any unknown direction. However, in certain cases, ACL treats the session according to the configured
policies even during the learning period.
ACL treats the session according to the configured policies in the following cases:
• A new TCP session starts with a SYN packet.
• A new ICMP session starts with a request packet.
Caution: In a high-availability (HA) setup, when you enable ACL on the primary device, you must
reboot the device immediately. If you do not reboot, the secondary device may synchronize its
configuration and reboot automatically, causing traffic sent to the secondary device to be blocked in
the event of a switchover.
Notes
• Enabling ACL requires a device reboot.
• When the ACL feature is disabled, you cannot view or configure ACL policies.
Parameter Description
Enable ACL Specifies whether the ACL feature is enabled.
When you change this setting, the device requires an immediate
reboot.
Default: Disabled
The default configuration of the Default ACL policy drops (that is,
blocks) all traffic. Use the Default Policy Action parameter to specify
the action of the Default ACL policy when the device reboots.
Default Policy Action The action of the Default ACL policy when the device reboots after
you select the Enable ACL checkbox. (This parameter is available only
when the ACL feature is disabled.)
Values:
• Accept—When the device reboots after you select the Enable ACL
checkbox, the Default ACL policy accepts all traffic.
• Drop—When the device reboots after you select the Enable ACL
checkbox, the Default ACL policy drops all traffic.
• Current—When the device reboots after you select the Enable ACL
checkbox, the Default ACL policy uses the Action option that is
currently specified.
Default: Current
Note: After clearing the Enable ACL checkbox and rebooting, the
Default Policy Action option reverts to Current.
Learning Period The time, in seconds, the device takes to learn existing sessions
before starting the protection.
During the learning period, the device accepts all sessions regardless
of any “unknown” direction.
However, for the following cases, ACL will treat the session according
to the configured policies:
• A new TCP session that starts with a SYN packet
• A new ICMP session that starts with a request packet
Values:
• 0—The protection starts immediately
• 1–4,294,967,295
Default: 600
TCP Handshake Timeout The time, in seconds, the device waits for the three-way handshake
to complete before the device drops the session.
TCP Timeout in Established State The time, in seconds, an idle session remains in the Session table. If
the device receives packets for a timed-out, discarded session, the
device considers the packets to be out-of-state and drops them.
Values: 60–7200
Default: 3600
TCP FIN Timeout The time, in seconds, the session remains in the Session table after
the device receives a FIN packet from both sides (from the client and
from the server).
Values: 1–600
Default: 10
TCP RST Timeout The time, in seconds, the session remains in the Session table after
the device receives a TCP RST packet for the session.
Values: 1–600
Default: 30
TCP Mid Flow Mode Specifies what the device does with out-of-state packets (TCP packets that
do not open a new session with a SYN and do not belong to a session in
the Session table).
Values: Drop, Allow
Default: Drop
TCP Reset Validation Mode Specifies the action that the device takes when RST packet validation
fails (that is, the packet sequence number is not within the permitted
range).
Values: Drop, Allow, Report Only
Default: Drop
UDP Timeout The time, in seconds, that the device keeps an idle UDP session open.
After the timeout, the session is removed from the Session table.
Values: 1–3600
Default: 180
Unsolicited ICMP Specifies whether the ACL module permits unsolicited ICMP reply
messages.
ICMP Timeout The time, in seconds, that the device keeps an idle ICMP session
open. After the timeout, the session is removed from the Session
table.
Values: 1–300
Default: 60
GRE Timeout The time, in seconds, that the device keeps an idle GRE session open.
After the timeout, the session is removed from the Session table.
Values: 1–7200
Default: 3600
SCTP Timeout The time, in seconds, that the device keeps an idle SCTP session
open. After the timeout, the session is removed from the Session
table.
Values: 1–7200
Default: 3600
Other IP Protocols Timeout The time, in seconds, that the device keeps an idle session of any other IP
protocol (one without a dedicated timeout above) open. After the timeout,
the session is removed from the Session table.
Values: 1–7200
Default: 600
Interval for Sending Summary Reports The frequency, in seconds, at which the device produces ACL
reports.
Values: 1–600
Default: 60
Send Reports Using SRP When enabled, the device sends ACL policy reports to the APSolute
Vision server.
Note: The Statistics Reporting Protocol (SRP) management host IP
address must be configured to send ACL policy reports. For more
information, see Configuring Advanced Settings in the Advanced-
Parameters Setup, page 136.
Max Number of Report Traps The maximum number of detailed reports that the device generates
per second.
Values: 1–100
Default: 10
Packet Trace Specifies whether the DefensePro device sends attack packets to the
specified physical port.
Default: Disabled
When this feature is enabled here, for the feature to take effect, the
global setting must be enabled (Configuration perspective, Setup >
Reporting Settings > Advanced Reporting Settings > Packet
Reporting and Packet Trace > Enable Packet Trace on Physical
Port). In addition, a change to this parameter takes effect only after
you update policies.
Note: DefensePro does not support this feature when the Device
Operation Mode is IP (see Configuring the Device Operation
Mode for DefensePro, page 156).
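The session-tracking behaviour that the learning period, the TCP timeouts, TCP Mid Flow Mode and TCP Reset Validation Mode describe is easier to see in code. The following Python model is an added example written for this page, not Radware code. It keeps a session table keyed by both directions of a flow, ages entries out with the timeouts from the table above, drops TCP packets that arrive without a session unless the learning period is still running or TCP Mid Flow Mode is Allow, and applies the three Reset Validation modes. The handshake timeout default (30 s) and the RST acceptance window (65535) are assumptions, because the page does not state them; policy lookup is stubbed as Accept, and the packet trace is constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class AclSettings:
    learning_period: int = 600               # seconds; 0 = protection starts immediately
    tcp_handshake_timeout: int = 30          # assumed: the page gives no default
    tcp_established_timeout: int = 3600
    tcp_fin_timeout: int = 10
    tcp_rst_timeout: int = 30
    tcp_mid_flow_mode: str = "Drop"          # Drop | Allow
    tcp_reset_validation_mode: str = "Drop"  # Drop | Allow | Report Only
    udp_timeout: int = 180
    icmp_timeout: int = 60

RST_WINDOW = 65535  # assumed acceptance window for RST sequence validation

@dataclass
class Session:
    state: str                                   # HANDSHAKE, ESTABLISHED, FIN_WAIT, RESET, UDP, ICMP
    last_seen: float
    fins: set = field(default_factory=set)       # directions that have sent a FIN
    seq: dict = field(default_factory=dict)      # direction -> last sequence number seen

class AclSessionTable:
    def __init__(self, settings: Optional[AclSettings] = None, start_time: float = 0.0):
        self.cfg = settings or AclSettings()
        self.start = start_time                  # when ACL was activated; learning begins here
        self.sessions, self.reports = {}, []     # reports: RST failures seen in Report Only mode

    def _timeout(self, s: Session) -> int:
        c = self.cfg
        return {"HANDSHAKE": c.tcp_handshake_timeout, "ESTABLISHED": c.tcp_established_timeout,
                "FIN_WAIT": c.tcp_fin_timeout, "RESET": c.tcp_rst_timeout,
                "UDP": c.udp_timeout, "ICMP": c.icmp_timeout}[s.state]

    def _expire(self, now: float) -> None:
        for k in [k for k, s in self.sessions.items() if now - s.last_seen > self._timeout(s)]:
            del self.sessions[k]                 # a timed-out entry is discarded, not refreshed

    def handle(self, now, proto, src, dst, flags=(), seq=0) -> str:
        """Return ACCEPT or DROP for one packet; src/dst are (ip, port) tuples."""
        self._expire(now)
        key = (proto,) + tuple(sorted((src, dst)))   # same key for both directions of a flow
        direction = (src, dst)
        flags = set(flags)
        s = self.sessions.get(key)
        if proto != "TCP":                           # UDP/ICMP entries only carry an idle timer here
            if s is None:
                s = self.sessions[key] = Session(proto, now)
            s.last_seen = now
            return "ACCEPT"
        if s is None:
            if "SYN" in flags and "ACK" not in flags:  # new session: policy-inspected even while learning
                self.sessions[key] = Session("HANDSHAKE", now, seq={direction: seq})
                return "ACCEPT"                        # policy lookup stubbed as Accept
            learning = now - self.start < self.cfg.learning_period
            if learning or self.cfg.tcp_mid_flow_mode == "Allow":
                self.sessions[key] = Session("ESTABLISHED", now, seq={direction: seq})
                return "ACCEPT"
            return "DROP"                              # out-of-state packet with no session
        if "RST" in flags:
            expected = s.seq.get(direction)
            if expected is not None and not expected <= seq <= expected + RST_WINDOW:
                mode = self.cfg.tcp_reset_validation_mode
                if mode == "Report Only":
                    self.reports.append((now, key, seq))
                return "DROP" if mode == "Drop" else "ACCEPT"
            s.state, s.last_seen = "RESET", now        # valid RST: entry lingers for TCP RST Timeout
            return "ACCEPT"
        s.last_seen = now
        if s.state == "HANDSHAKE" and "ACK" in flags and "SYN" not in flags:
            s.state = "ESTABLISHED"                    # three-way handshake completed
        if "FIN" in flags:
            s.fins.add(direction)
            if len(s.fins) == 2:
                s.state = "FIN_WAIT"                   # FIN seen from both client and server
        s.seq[direction] = seq
        return "ACCEPT"

def demo():
    """Constructed trace against a table whose Learning Period is 0 (protect immediately)."""
    t = AclSessionTable(AclSettings(learning_period=0))
    c, c2, srv = ("10.0.0.5", 40000), ("10.0.0.6", 40001), ("192.0.2.10", 443)
    trace = [
        (0.0, "TCP", c, srv, ("SYN",), 100),          # ACCEPT  handshake starts
        (0.1, "TCP", srv, c, ("SYN", "ACK"), 5000),   # ACCEPT
        (0.2, "TCP", c, srv, ("ACK",), 101),          # ACCEPT  established
        (2.0, "TCP", ("198.51.100.7", 1234), srv, ("ACK",), 999),  # DROP  mid-flow, no SYN seen
        (3.0, "TCP", srv, c, ("RST",), 1),            # DROP    RST sequence far outside the window
        (4.0, "TCP", srv, c, ("RST",), 5001),         # ACCEPT  valid RST, entry moves to RESET
        (35.0, "TCP", c, srv, ("ACK",), 102),         # DROP    RESET entry aged out after 30 s
        (100.0, "TCP", c2, srv, ("SYN",), 7),         # ACCEPT
        (100.1, "TCP", srv, c2, ("SYN", "ACK"), 9),   # ACCEPT
        (100.2, "TCP", c2, srv, ("ACK",), 8),         # ACCEPT  established
        (3800.0, "TCP", c2, srv, ("ACK",), 8),        # DROP    idle longer than 3600 s, out-of-state
    ]
    return [t.handle(*pkt) for pkt in trace]
```

demo() returns the verdict list for the trace; the last packet is the case the TCP Timeout in Established State row describes: an entry idle longer than 3600 s is discarded, and the next ACK for it is dropped rather than re-learned. With the default Learning Period of 600 s, the same mid-flow ACK at t=5 is accepted instead, because the device is still learning existing sessions.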
Parameter Description
Policy Name The name of the policy.
Maximum characters:
Policy Index The index number for the policy. DefensePro examines policies
according to the ascending order of index numbers.
Values: 1–4,294,967,295
Enabled When selected, the policy is active.
Description The user-defined description of the policy.
Activate Schedule The predefined event schedule that activates the policy.
Default: None
De-activate Schedule The predefined event schedule that deactivates the policy.
Default: None
Report Specifies whether the device issues traps for the policy.
Protocol The protocol of the traffic that the policy inspects.
Values:
• Any
• TCP
• UDP
• GRE
• L2TP
• GTP
• IPinIP
• SCTP
• ICMP
• Other
Default: Any
Source The existing source Network class of the packets that the policy
inspects.
Values:
• The Network classes displayed in the Classes tab
• any
• any_ipv4
• any_ipv6
• None
Default: any
Destination The existing destination Network class of the packets that the policy
inspects.
Values:
• The Network classes displayed in the Classes tab
• any
• any_ipv4
• any_ipv6
• None
Default: any
Physical Port Group The Physical Port class or physical port that the policy uses.
Values:
• A Physical Port class displayed in the Classes tab
• The physical ports on the device
• None
VLAN Tag Group The existing VLAN Tag class for the policy.
Values:
• The VLAN Tag classes displayed in the Classes tab
• None
Default: None
Service The Service for the policy. Services characterize traffic based on
Layer-3–7 criteria. A Service is a configuration of a basic filter,
which may be combined with logical operators to achieve more
sophisticated filters (AND Group filters and OR Group filters). You
can choose from a long list of predefined basic filters. (This
parameter is available only when TCP or UDP is selected for the
Protocol parameter.)
Caution: The ACL module cannot use a Service that includes a
value for an Offset Mask Pattern Condition (OMPC) or Content
parameter.
Action The action that the policy takes on packets that match the
classification.
Values:
• Accept
• Drop
• Drop + RST Source
Default: Accept
ICMP Flags The ICMP message types in the packets that the policy inspects. DefensePro
inspects only the packets with the selected types. You can specify ICMP flags
only when ICMP is the specified protocol.
Values:
• Source Quench
• Time Stamp
• Information
• Address Mask
• Alternate Host Address
• Domain
• Router Advertisement
• Router Solicitation
• Destination Unreachable
• Redirect
• Time Exceeded
• Parameter Problem
• Echo
• Packet Too Big
• Home Agent
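The Black List rule parameters earlier in this section and the ACL policy parameters above describe the same classification fields (source and destination network, ports, protocol, direction) with two differences: a Black List rule is always Drop and may expire, while ACL policies are examined in ascending Policy Index with the Default ACL policy action as the fall-through. The following Python model is an added example for this page, not Radware code. It enforces the Entry Expiration Timer constraints the Black List table states (static rule: 0; dynamic rule: at most two hours), evaluates Bi-directional rules with source and destination swapped, and walks ACL policies by index. That the Black List is consulted before the ACL is an assumption, as is treating direction per packet rather than per session; the addresses, rules and packets are constructed.

```python
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Tuple

MAX_EXPIRY_SEC = 2 * 3600        # "The maximum Expiration Timer is two hours"
Packet = namedtuple("Packet", "src dst proto sport dport")

def _net_match(spec: str, ip: str) -> bool:
    """spec is a CIDR/IP, or one of the keywords any, any_ipv4, any_ipv6 from the tables."""
    addr = ipaddress.ip_address(ip)
    if spec == "any":
        return True
    if spec in ("any_ipv4", "any_ipv6"):
        return addr.version == (4 if spec == "any_ipv4" else 6)
    return addr in ipaddress.ip_network(spec, strict=False)

def _port_match(spec: Optional[int], port: int) -> bool:
    return spec is None or spec == port           # None = no port condition

@dataclass
class Rule:
    name: str
    src_net: str = "any"
    dst_net: str = "any"
    src_port: Optional[int] = None
    dst_port: Optional[int] = None
    proto: str = "Any"
    direction: str = "One-directional"            # or "Bi-directional"
    action: str = "Drop"
    index: int = 0                                # ACL Policy Index; lower is examined first

    def matches(self, p: Packet) -> bool:
        if self.proto != "Any" and self.proto != p.proto:
            return False
        forward = (_net_match(self.src_net, p.src) and _net_match(self.dst_net, p.dst)
                   and _port_match(self.src_port, p.sport) and _port_match(self.dst_port, p.dport))
        if forward or self.direction == "One-directional":
            return forward
        # Bi-directional: the same definitions also match with source and destination swapped
        return (_net_match(self.src_net, p.dst) and _net_match(self.dst_net, p.src)
                and _port_match(self.src_port, p.dport) and _port_match(self.dst_port, p.sport))

def validate_timer(dynamic: bool, expiry_sec: int) -> Optional[str]:
    """Return an error message, or None when the Entry Expiration Timer is acceptable."""
    if not dynamic and expiry_sec != 0:
        return "a static Black List rule must have an Expiration Timer of 0"
    if not 0 <= expiry_sec <= MAX_EXPIRY_SEC:
        return "the Expiration Timer may not exceed two hours"
    return None

@dataclass
class BlackListEntry:
    rule: Rule
    expires_at: Optional[float]                   # None for static rules

def make_blacklist_entry(rule: Rule, now: float, dynamic=False, expiry_sec=0) -> BlackListEntry:
    err = validate_timer(dynamic, expiry_sec)
    if err:
        raise ValueError(err)
    rule.action = "Drop"                          # the action of a Black List rule is always Drop
    return BlackListEntry(rule, now + expiry_sec if dynamic and expiry_sec else None)

class Classifier:
    def __init__(self, blacklist, acl_policies, default_action="Drop"):
        self.blacklist = list(blacklist)
        self.acl = sorted(acl_policies, key=lambda r: r.index)   # ascending Policy Index
        self.default_action = default_action      # Default ACL policy: Drop unless changed

    def purge_expired(self, now: float) -> None:
        """An expired dynamic rule disappears from the table, as on a table refresh."""
        self.blacklist = [e for e in self.blacklist if e.expires_at is None or e.expires_at > now]

    def classify(self, p: Packet, now: float) -> Tuple[str, str]:
        self.purge_expired(now)
        for e in self.blacklist:                  # assumption: Black List is consulted before the ACL
            if e.rule.matches(p):
                return "Drop", "blacklist:" + e.rule.name
        for r in self.acl:                        # first match in index order decides
            if r.matches(p):
                return r.action, "acl:" + r.name
        return self.default_action, "acl:default"

def demo():
    """Constructed rule set and packets; returns (action, matched rule) per packet."""
    now = 1000.0
    blacklist = [
        make_blacklist_entry(Rule("attacker", src_net="203.0.113.0/24"), now, dynamic=True, expiry_sec=900),
        make_blacklist_entry(Rule("block-telnet", dst_port=23, proto="TCP", direction="Bi-directional"), now),
    ]
    acl = [
        Rule("allow-web", dst_net="192.0.2.10/32", dst_port=443, proto="TCP", action="Accept", index=20),
        Rule("deny-dns-out", src_net="192.0.2.0/24", dst_port=53, proto="UDP", action="Drop", index=10),
    ]
    c = Classifier(blacklist, acl, default_action="Drop")
    return [
        c.classify(Packet("203.0.113.9", "192.0.2.10", "TCP", 5555, 443), now),        # dynamic Black List hit
        c.classify(Packet("192.0.2.10", "198.51.100.3", "TCP", 23, 6000), now),        # reverse side of a Bi-directional rule
        c.classify(Packet("192.0.2.5", "198.51.100.53", "UDP", 5353, 53), now),        # index 10 examined before index 20
        c.classify(Packet("198.51.100.3", "192.0.2.10", "TCP", 6000, 80), now),        # no match: Default ACL policy
        c.classify(Packet("203.0.113.9", "192.0.2.10", "TCP", 5555, 443), now + 901),  # entry expired: falls through to the ACL
    ]
```

The last packet in demo() is the point of the Expiration Timer: once the dynamic entry has elapsed it is gone for good, and the same source is then judged by the ACL, which accepts it. validate_timer() rejects the two configurations the table rules out, a non-zero timer on a static rule and a timer above two hours.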
Note: When you have permissions to perform device configuration on a specific device, you must
lock the device before you can configure it. For more information, see Locking and Unlocking
Devices, page 55.
Tip: APSolute Vision provides many predefined Toolbox scripts for DefensePro, which automate and
streamline common configuration and management actions. For more information, see the APSolute
Vision User Guide or online help.
> In the device pane, select the device, and then, click Update Policies ( ).
To reboot a device
1. Lock the device.
2. In the Properties pane, click the (On-Off) button, which is part of the device picture.
3. Select Reset.
To shut down a device
1. Lock the device.
2. In the Properties pane, click the (On-Off) button, which is part of the device picture.
3. Select Shut Down.
— Click the (Disable Selected Ports) button (for a port, or ports, with the Admin Status Up)
— Click the (Enable Selected Ports) button (for a port, or ports, with the Admin Status
Down).
To generate a technical-support file and send it to a TFTP server using the CLI
To set the failure state of a physical port using the CLI
> Enter the following command:
device enter-failure-state set <port> -fs <failure-state>
where port is the identifier of the physical port, and the value for the failure-state flag can be:
— 1 —enable
— 2 —disable
Example
device enter-failure-state set 2 -fs 1
Sets the status of port 2 on the device to fail. The port fails to the state that is defined in the
Static Forwarding table.
Caution: If the imported BDoS baseline or DNS baseline is below the minimum value in the
configuration of the corresponding profile, after an Update Policies action, DefensePro recalculates
the baseline(s) according to the configuration of the profile. (For information on the configuration of
profiles, see Configuring BDoS Profiles for Network Protection, page 213 and Configuring DNS Flood
Protection Profiles for Network Protection, page 231.)
Notes
• The terms Network Protection policy and network policy may be used interchangeably in
APSolute Vision and in the documentation.
• You can import Network Protection policies from DefensePro platforms running supported 6.x
versions into platforms running supported 6.x or 7.x versions.
• You can import Network Protection policies from DefensePro platforms running supported 7.x
versions into platforms running supported 7.x versions.
• You can import Network Protection policies from DefensePro platforms running supported 8.x
versions into platforms running supported 8.x versions.
• You can import Server Protection policies from DefensePro platforms running supported 6.x
versions into platforms running supported 6.x versions.
• You can import Server Protection policies from DefensePro platforms running supported 7.x
versions into platforms running supported 7.x versions.
• APSolute Vision provides a predefined Toolbox script for exporting and importing DefensePro
configurations, DefensePro Export/Import Policies. For more information, see the APSolute
Vision User Guide or online help.
2. Select the Network Protection policy that you want to export, and click (Export).
3. Configure the parameters, and then click Submit.
Parameter Description
Download To Values:
• Client—DefensePro exports the template to the location specified in
the filepath or by browsing to the location with the Browse button.
• Server—DefensePro exports the template to the APSolute Vision
database.
Default: Server
Configuration Specifies whether DefensePro exports the template with the configuration
of the policy.
Default: Enabled
DNS Baseline Specifies whether DefensePro exports the template with the current DNS
baseline of the policy.
Default: Enabled
BDoS Baseline Specifies whether DefensePro exports the template with the current BDoS
baseline of the policy.
Default: Enabled
User-Defined Signature Specifies whether DefensePro exports the template with the current user-
Protection Profile defined Signature Protection profile of the policy.
Default: Enabled
Save As The filepath when Download To is Client or the filename when
Download To is Server.
The default filename uses the following format (with no extension):
<DeviceName>_<PolicyName>_<date>_<time>
Example:
MyDefensePro_MyPolicy_2016.03.19_13.45.59
The date-time format is determined in the APSolute Vision Settings view
Preferences perspective, under General Settings > Display.
The file is saved on the server as a ZIP file; and on the local host, the file
is saved as a TXT file.
2. Select the policy that you want to export, and click (Export).
3. Configure the parameters, and then click Submit.
Parameter Description
Download To Values:
• Client—DefensePro exports the template to the location specified in
the filepath or by browsing to the location with the Browse button.
• Server—DefensePro exports the template to the APSolute Vision
database.
Default: Server
Download Via (Read-only) The transport method.
Value: HTTPS
Configuration Specifies whether DefensePro exports the template with the configuration
of the policy.
Default: Enabled
HTTP Baseline Specifies whether DefensePro exports the template with the current HTTP
baseline of the policy.
Default: Enabled
Save As The filepath when Download To is Client or the filename when
Download To is Server.
The default filename uses the following format (with no extension):
<DeviceName>__<PolicyName>_<date>_<time>
Example:
MyDefensePro__MyPolicy_2015.03.19_13.45.59
The date-time format is determined in the APSolute Vision Settings view
Preferences perspective, under General Settings > Date and Time
Format.
The file is saved in the server as a ZIP file, and in the local host, the file is
saved as a TXT file.
2. Click the Advanced ( ) button to open the DefensePro Configuration Templates pane.
Parameter Description
Source Device Name Values:
• Device name—Shows only the templates downloaded from the
selected device.
• Local—Shows only the templates uploaded from the local PC.
• System—Shows only the predefined templates.
Default: All
File Type Values:
• Server Protection—Shows the templates from Server Protection
policies.
• Network Protection—Shows the templates from Network Protection
policies.
File Name The filename that the filter uses. The value supports one or two
wildcards (*).
Examples:
• *pol* —Shows any filename containing the string pol.
• *pol —Shows any filename ending with the string pol.
• pol* —Shows any filename starting with the string pol.
To clear the template-list filter and show all of the stored templates
2. Click the Advanced ( ) button to open the DefensePro Configuration Templates pane.
3. Click Clear.
2. Click the Advanced ( ) button to open the DefensePro Configuration Templates pane.
3. Configure the filter as necessary (see the procedure To filter the display of the template list,
page 283).
4. Select the rows with the required templates (using standard Windows key combinations).
5. Select Send to Devices.
6. Configure the parameters, and then click Submit.
Parameter Description
Available Devices The DefensePro devices that you can select to update. Select devices
and use the arrows to move them to the other list as required.
Note: The list can contain only the devices that support the
templates features.
Selected Devices The DefensePro devices selected to update. Select devices and use
the arrows to move them to the other list as required.
Update Method Values:
• Append to Existing Configuration—The template adds the policy
and profile configurations, and any baselines, to the devices in the
Selected Devices list. If a policy or profile name exists in a
target device, the update fails.
• Overwrite Existing Configuration—The template adds the policy
and profile configurations, and any baselines, to the devices in the
Selected Devices list. If a policy or profile with the same name
exists in a target device, the template overwrites it.
Default: Overwrite Existing Configuration
Install on Instance The identifier of the DefensePro hardware instance onto which to add
the template. (This parameter is relevant only for DefensePro x420
platforms.)
Values: 0, 1
Default: 0
Update Policies After Sending Configuration Values:
• Enabled—After successfully uploading a template to a device, an
Update Policies (activate latest changes) action is automatically
initiated.
• Disabled—After successfully uploading a template to a device, an
Update Policies (activate latest changes) action is required for the
configuration to take effect.
Default: Disabled
2. Click the Advanced ( ) button to open the DefensePro Configuration Templates pane.
3. Configure the filter as necessary (see the procedure To filter the display of the template list,
page 283).
4. Select the rows with the required templates (using standard Windows key combinations).
5. Select Delete from Devices.
6. Configure the parameters, and then click Submit.
Parameter Description
Available Devices The DefensePro devices that you can select to update. Select devices
and use the arrows to move them to the other list as required.
Note: The list can contain only the devices that support the
templates features.
Table 209: Delete from Devices: Select Devices to Update Parameters (cont.)
Parameter Description
Selected Devices The DefensePro devices selected to update. Select devices and use
the arrows to move them to the other list as required.
Note: The list can contain only DefensePro devices running 6.x
versions 6.14 and later, 7.x versions 7.41.02 and later, or 8.x
versions 8.10 and later.
Update Policies After Sending Configuration Values:
• Enabled—After successfully deleting the template(s) and
associated configuration objects from a device, an Update Policies
(activate latest changes) action is automatically initiated.
• Disabled—After successfully deleting the template(s) and
associated configuration objects from the device(s), an Update
Policies (activate latest changes) action is required for the
configuration to take effect.
Default: Disabled
2. Click the Advanced ( ) button to open the DefensePro Configuration Templates pane.
Parameter Description
File Type Values:
• Server Protection—The template defines a Server Protection policy.
• Network Protection—The template defines a Network Protection policy.
Upload From The filepath of the template. Click Browse to browse to the directory and
select the file.
2. Click the Advanced ( ) button to open the DefensePro Configuration Templates pane.
3. Configure the filter as necessary (see the procedure To filter the display of the template list,
page 283).
4. Select the rows with the required templates (using standard Windows key combinations).
6. In the Save As text box, type the path to the target directory or click Browse to browse to the
directory.
7. Click Save.
2. Click the Advanced ( ) button to open the DefensePro Configuration Templates pane.
3. Configure the filter as necessary (see the procedure To filter the display of the template list,
page 283).
4. Select the rows with the required templates (using standard Windows key combinations).
Note: The top table, which you can filter, contains all the selected devices and comprises the
following columns: Device Type, Device Name, IP Address, and Version.
4. From the top table, select the lead device—that is, the device whose configuration changes will
be applied to the selected additional devices. The bottom table, which you can filter, displays the
selected devices of the same type and major version.
5. From the bottom table, select the checkbox next to each device that the lead device will try to
change.
6. Click Go. The GUI of the lead device opens. The device pane shows the lead device and the
selected additional devices as selected.
7. Lock the devices if necessary.
Notes
— APSolute Vision submits only modified values. APSolute Vision does not submit values that
were not modified.
— APSolute Vision issues a detailed message for each unsuccessful attempt to change the value
of a parameter on a selected additional device.
10. Repeat step 8 and step 9 as necessary.
• Back up the existing configuration file. For more information, see Downloading a Device-
Configuration File, page 16.
• Ensure that you have configured on the device the authentication details for the protocol used to
upload the file.
Parameter Description
Browse for File The name of the file to upload.
Software Version The software version number as specified in the new software
documentation.
Generate Password Automatically Specifies whether APSolute Vision generates the password
automatically—after verifying that the device has a valid
support agreement.
Default: Enabled
Caution: The functionality of the Generate Password
Automatically button requires connectivity to radware.com
or the proxy server that is configured in the APSolute Vision
settings (APSolute Vision Settings view System perspective,
General Settings > Connectivity > Proxy Server
Parameters).
Password The password received with the new software version. The
password is case sensitive. (This parameter is available only when
the Generate Password Automatically checkbox is cleared.)
Confirm Password The password received with the new software version, entered
again for confirmation. The password is case sensitive. (This
parameter is available only when the Generate Password
Automatically checkbox is cleared.)
Browse for File The name of the file to upload.
Caution: You must use the original filename.
Caution: Updating the signature file consumes large amounts of resources, which may cause the
device to go temporarily into an overload state. Radware recommends updating the signature file
during hours of low activity.
Note: You can schedule signature-file updates in the APSolute Vision scheduler. For more
information, see Configuring Tasks in the Scheduler, page 297.
Parameter Description
Signature Type The type of the signature file to upload to the device.
Values:
• Radware Signatures
• RSA Signatures
Note: You can select RSA Signatures only on DefensePro version-
6.x devices.
Update From The location of the signature file to upload.
Values:
• Radware.com—APSolute Vision uploads the signature file directly
from Radware.com or from the proxy server that is configured in
the Vision Server Connection configuration.
• Client—APSolute Vision uploads the signature file from the
APSolute Vision client system. This option is only available for
Radware signatures.
File Name The name of the signature file on the client system. (This parameter is
displayed only when Update From is Client.)
Parameter Description
Download Via (Read-only) The protocol used to download the technical support file.
Value: HTTPS
Save As Save the downloaded technical support file as a text file on the client
system. Enter or browse to the location of the saved file, and select or
enter a file name.
The commands are printed within each section—in the order of implementation.
At the end of the file, the device prints the signature of the configuration file. The signature is used
to verify the authenticity of the file and that it has not been corrupted, and it is validated each time
the configuration file is uploaded to the device. If the validity check fails, the device still accepts the
configuration, but it notifies the user that the configuration file has been tampered with and that
there is no guarantee that it works. Because the upload is not blocked, verify the integrity of a backup
before you upload it rather than relying on that notification. The signature looks like File Signature:
063390ed2ce0e9dfc98c78266a90a7e4.
Note: You can also download a DefensePro configuration support file using the DefensePro CLI.
Note: You can schedule configuration file backups in the APSolute Vision scheduler. For more
information, see Configuring Tasks in the Scheduler, page 297.
Parameter Description
Destination The destination of the device configuration file.
Values: Client, Server
Include Private Keys Specifies whether the certificate private key information is included in the
downloaded file. You must include the private key information to restore
the private keys; otherwise, the device reverts to default keys. A backup
that includes private keys is as sensitive as the keys themselves; protect it
in storage and in transit accordingly.
Default: Disabled
Save As On the server, the default name is a combination of the device name and
the backup date and time. You can change the default name. (This
parameter is displayed only when Destination is Server.)
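Because a failed signature check does not block an upload, a practitioner will want an integrity record that is independent of the device. The following Python helper is an added example for this page, not Radware code: at backup time it records a SHA-256 of the downloaded file together with the device's File Signature line, and before a restore it checks that both are unchanged and reports whether the file carries private keys. The guide does not state how the device computes its signature, so the helper only compares the trailer to the recorded value; the PEM marker used to detect exported private keys is an assumption, and the sample backup text is constructed.

```python
import hashlib
import re
from typing import Dict, List, Optional

# One trailing line of this form closes the file; the digest algorithm is not stated in the guide.
SIGNATURE_RE = re.compile(r"^File Signature:\s*([0-9a-fA-F]{32})\s*$", re.MULTILINE)

def device_signature(backup_text: str) -> Optional[str]:
    """Return the hex value from the last 'File Signature:' line, or None if absent."""
    found = SIGNATURE_RE.findall(backup_text)
    return found[-1].lower() if found else None

def make_manifest(backup_text: str, device_name: str) -> Dict[str, object]:
    """Record, at backup time, what the file looked like when the device produced it."""
    return {
        "device": device_name,
        "sha256": hashlib.sha256(backup_text.encode("utf-8")).hexdigest(),
        "file_signature": device_signature(backup_text),
        # Assumption: when Include Private Keys is enabled, keys appear as PEM blocks.
        "has_private_key": "PRIVATE KEY-----" in backup_text,
    }

def verify_before_upload(backup_text: str, manifest: Dict[str, object]) -> List[str]:
    """Problems that should stop a restore; an empty list means the file is as recorded."""
    problems = []
    if hashlib.sha256(backup_text.encode("utf-8")).hexdigest() != manifest["sha256"]:
        problems.append("content differs from the recorded backup (edited or corrupted)")
    sig = device_signature(backup_text)
    if sig is None:
        problems.append("File Signature trailer is missing")
    elif sig != manifest["file_signature"]:
        problems.append("File Signature trailer differs from the recorded one")
    return problems

# Constructed sample; the signature value is made up and the command lines are placeholders.
SAMPLE_BACKUP = (
    "! constructed sample, not a real DefensePro export\n"
    "! section: classes\n"
    "! <commands omitted>\n"
    "File Signature: 0123456789abcdef0123456789abcdef\n"
)

def demo():
    """Verify the untouched file, a hand-edited copy, and a copy with the trailer cut off."""
    manifest = make_manifest(SAMPLE_BACKUP, "dp-edge-1")
    untouched = verify_before_upload(SAMPLE_BACKUP, manifest)
    edited = verify_before_upload(SAMPLE_BACKUP.replace("omitted", "hand-edited"), manifest)
    truncated = verify_before_upload(SAMPLE_BACKUP.rsplit("\n", 2)[0] + "\n", manifest)
    return untouched, edited, truncated
```

The edited copy fails only the SHA-256 comparison, because its trailer is intact: that is exactly the case the caution about edited files covers, and the device's own check may or may not catch it, so the local record is what refuses the restore. Keep the manifest somewhere other than next to the backup it describes.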
Caution: Importing a configuration file that has been edited is not supported.
Parameter Description
Upload From The location of the backup device-configuration file to send.
Values: Client, Server
File Name When uploading from the client system, enter or browse to the name of
the configuration file to upload. (This parameter is available only when
Upload From is Client.)
File for Upload When uploading from the server, select the configuration to upload. (This
parameter is available only when Upload From is Server.)
Note: APSolute Vision provides a predefined Toolbox script for exporting and importing DefensePro
configurations, DefensePro Export/Import Policies. For more information, see the APSolute Vision
User Guide or online help.
Note: For information on how to schedule operations in the APSolute Vision server, see the
APSolute Vision User Guide or APSolute Vision online help.
Overview of Scheduling
You can schedule various operations for the APSolute Vision server and managed devices. Scheduled
operations are called tasks.
The APSolute Vision scheduler tracks when tasks were last performed and when they are due to be
performed next. When you configure a task for multiple devices, the task runs on each device
sequentially. After the task completes on one device, it begins on the next. If the task fails to
complete on a device, the Scheduler will activate the task on the next listed device.
When you create a task and specify the time to run it, the time is according to your local OS.
APSolute Vision then stores the time, translated to the timezone of the APSolute Vision server,
and then runs it accordingly. That is, once you configure a task, it runs according to the APSolute
Vision time settings, disregarding any changes made to the local OS time settings.
Caution: If the APSolute Vision client timezone differs from the timezone of the APSolute Vision
server or the managed device, take the time offset into consideration.
When you define a task, you can choose whether to enable or disable the task. All configured tasks
are stored in the APSolute Vision database.
You can define the following types of DefensePro-related scheduled tasks:
• Back up a device configuration
• Back up the APSolute Vision Reporter data
• Reboot a device
• Update the Radware security signature file onto a DefensePro device from Radware.com or the
proxy server
• Update the APSolute Vision Attack Description file from Radware.com or the proxy server
• Run an Operator Toolbox script
Notes
• Some tasks that APSolute Vision exposes are non-operational/irrelevant for certain DefensePro
versions.
• You can perform some of the operations manually, for example, from the APSolute Vision
Settings view System perspective, or from the Operations options.
Note: For more information on filtering table rows, see Filtering Table Rows, page 14.
Parameter Description
Task Type The type of task to be performed.
Name The name of the configured task.
Description The user-defined description of the task.
Current Status The current status of the task.
Values: Waiting, In progress
Enabled When selected, the task runs according to the defined schedule. Disabled
tasks are not activated, but the task is saved in the database.
Last Execution Status Whether the last task run was successful. When the task is disabled or
has not yet started, the status is Never Executed.
Values:
• Failure
• Never Executed
• Success
• Warning
Last Execution Time The date and time of the last task run. When the task is disabled or has
not yet started, this field is empty.
Next Execution Time The date and time of the next task run. When the task is disabled, this
field is empty.
Run The frequency at which the task runs; for example, daily or weekly. The
schedule start date is displayed, if it has been defined.
Values:
• Daily
• Minutes
• Once
• Weekly
1. In the APSolute Vision toolbar, click the (Scheduler) button. The Tasks table displays
information for each scheduled task.
2. Do one of the following:
— To add an entry to the table, click the (Add) button. Then, select the type of task, and
click Submit. The dialog box for the selected task type is displayed.
— To edit an entry in the table, select the entry and click the (Edit) button.
3. Configure task parameters, and click Submit. All task configurations include basic parameters
and scheduling parameters. Other parameters depend on the task type that you select. Some
tasks that APSolute Vision exposes are non-operational/irrelevant for certain products and/or
versions. For more information, see the description of the relevant task parameters in Task
Parameters, page 5
1. In the APSolute Vision toolbar, click the (Scheduler) button. The Tasks table displays
information for each scheduled task.
2. Select the required task, and click the (Run Now) button.
Task Parameters
The following sections describe the parameters for DefensePro-related Scheduler tasks:
• APSolute Vision Reporter Backup—Parameters, page 299
• Update Security Signature Files—Parameters, page 301
• Update Attack Description File—Parameters, page 302
• Device Configuration Backup—Parameters, page 303
• Device Reboot Task—Parameters, page 305
• Operator Toolbox Task—Parameters, page 307
Note: Some tasks that APSolute Vision exposes are non-operational/irrelevant for certain
DefensePro versions.
Notes
• For information on managing the backups using the CLI, see the APSolute Vision User Guide.
• APSolute Vision stores up to three iterations of the APSolute Vision Reporter data in the storage
location. After the third reporter-backup, the system deletes the oldest one.
• The storage location is, by default, a hard-coded location in the APSolute Vision server.
• The backup filenames in the storage location are the first five characters of the specified
filename plus a 10-character timestamp. When the task exports the backup file, the filename is
as specified in the task configuration.
• The backup file in the storage location includes the hard-coded description Scheduler-generated.
Parameter Description
Name A name for the task.
Description A user-defined description of the task.
Enabled When selected, the task runs according to the defined schedule. Disabled
tasks are not activated, but the task configuration is saved in the
database.
Parameter Description
Run The frequency at which the task runs.
Select a frequency, then configure the related time and day/date
parameters.
Values:
• Once—The task runs one time only at the specified date and time.
• Minutes—The task runs at intervals of the specified number of
minutes between task starts. TBD: minimum
• Daily—The task runs daily at the specified time.
• Weekly—The task runs every week on the specified day or days, at
the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.
Minutes³ The interval, in minutes, at which the task runs.
Run Always⁴ Specifies whether the task always runs or only during the defined period.
Values:
• Enabled—The task is activated immediately and runs indefinitely, with
no start or end time. It runs at the first Time configured with the
Frequency in the Schedule tab.
• Disabled—The task runs (at the Time and Frequency specified in the
Schedule tab) from the specified Start Date at the Start Time until the
End Date at the End Time.
Default: Enabled
Start Date⁵ and Start Time⁵ The date and time at which the task is activated.
End Date⁵ and End Time⁵ The date and time after which the task no longer runs.
1 – This parameter is available only when the specified Run value is Once, Daily, or
Weekly.
2 – This parameter is available only when the specified Run value is Once.
3 – This parameter is available only when the specified Run value is Minutes.
4 – This parameter is available only when the specified Run value is Minutes, Daily, or
Weekly.
5 – This parameter is available only when the Run Always checkbox is cleared.
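The Run, Run Always, Start Date/Time and End Date/Time parameters above together decide when a task fires. The following added example (not APSolute Vision code) models those rules as described in this table: Once fires at its date, Minutes fires at fixed intervals, Daily and Weekly fire at the configured Time, and with Run Always cleared a task fires only between Start and End. Field names and the "activated_at" anchor for a Run Always Minutes task are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, time
from typing import List, Optional

# All datetimes are naive and assumed to be in the APSolute Vision client's
# time zone, because the guide says tasks run by the client's configured time.


@dataclass
class Schedule:
    run: str                                   # "Once", "Minutes", "Daily" or "Weekly"
    enabled: bool = True                       # Enabled checkbox
    at: Optional[time] = None                  # Time (Daily/Weekly)
    date: Optional[datetime] = None            # Date and Time (Once)
    minutes: Optional[int] = None              # interval (Minutes)
    days: List[int] = field(default_factory=list)  # weekdays, Monday=0 (Weekly)
    run_always: bool = True                    # Run Always checkbox
    start: Optional[datetime] = None           # Start Date + Start Time
    end: Optional[datetime] = None             # End Date + End Time


def next_execution(s: Schedule, now: datetime,
                   activated_at: Optional[datetime] = None) -> Optional[datetime]:
    """Next run at or after `now`, or None when the task will not run again.

    `activated_at` is the moment a Run Always Minutes task was saved; the guide
    says such a task is activated immediately, so intervals are counted from it.
    """
    if not s.enabled:
        return None                            # disabled tasks are saved but never run
    if s.run == "Once":
        return s.date if s.date >= now else None   # Run Always does not apply to Once

    # Earliest moment the task may fire: now, or the later of now and Start Date/Time.
    if s.run_always:
        lower = now
    else:
        lower = max(now, s.start)
        if lower > s.end:
            return None                        # the defined period is already over

    if s.run == "Minutes":
        origin = (activated_at or now) if s.run_always else s.start
        step = timedelta(minutes=s.minutes)
        if lower <= origin:
            cand = origin
        else:
            ticks = -(-(lower - origin) // step)     # ceil division on timedeltas
            cand = origin + ticks * step
    elif s.run in ("Daily", "Weekly"):
        allowed = set(range(7)) if s.run == "Daily" else set(s.days)
        if not allowed:
            return None                        # Weekly with no day selected never fires
        cand = datetime.combine(lower.date(), s.at)
        while cand < lower or cand.weekday() not in allowed:
            cand = datetime.combine(cand.date() + timedelta(days=1), s.at)
    else:
        raise ValueError(f"unknown Run value: {s.run}")

    if not s.run_always and cand > s.end:
        return None                            # next tick falls after End Date/Time
    return cand


if __name__ == "__main__":
    # Constructed sample: a Daily backup at 02:00 viewed on Sunday 2024-03-10 03:00
    daily = Schedule(run="Daily", at=time(2, 0))
    print(next_execution(daily, datetime(2024, 3, 10, 3, 0)))   # 2024-03-11 02:00:00
```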
Parameter Description
Protocol The protocol that APSolute Vision uses for this task.
Values:
• FTP
• SCP
• SFTP
• SSH
Default: FTP
IP Address The IP address of the server.
Directory The path to the export directory with no spaces. Only alphanumeric
characters and underscores (_) are allowed.
Backup File Name The name of the backup, up to 15 characters, with no spaces. Only
alphanumeric characters and underscores (_) are allowed.
User The username.
Password The user password.
Confirm Password The user password.
Parameter Description
Name A name for the task.
Description A user-defined description of the task.
Enabled When selected, the task runs according to the defined schedule. Disabled
tasks are not activated, but the task configuration is saved in the
database.
Parameter Description
Run The frequency at which the task runs.
Select a frequency, then configure the related time and day/date
parameters.
Values:
• Once—The task runs one time only at the specified date and time.
• Minutes—The task runs at intervals of the specified number of
minutes between task starts.
• Daily—The task runs daily at the specified time.
• Weekly—The task runs every week on the specified day or days, at
the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.
Run Always⁴ Specifies whether the task always runs or only during the defined period.
Values:
• Enabled—The task is activated immediately and runs indefinitely, with
no start or end time. It runs at the first Time configured with the
Frequency in the Schedule tab.
• Disabled—The task runs (at the Time and Frequency specified in the
Schedule tab) from the specified Start Date at the Start Time until the
End Date at the End Time.
Default: Enabled
Start Date⁵ and Start Time⁵ The date and time at which the task is activated.
End Date⁵ and End Time⁵ The date and time after which the task no longer runs.
1 – This parameter is available only when the specified Run value is Once, Daily, or
Weekly.
2 – This parameter is available only when the specified Run value is Once.
3 – This parameter is available only when the specified Run value is Minutes.
4 – This parameter is available only when the specified Run value is Minutes, Daily, or
Weekly.
5 – This parameter is available only when the Run Always checkbox is cleared.
Parameter Description
The Available list and the Selected list. The Available list displays the available devices. The
Selected list displays the devices whose Radware signature files this task updates.
Parameter Description
Name A name for the task.
Description A user-defined description of the task.
Enabled When selected, the task runs according to the defined schedule. Disabled
tasks are not activated, but the task configuration is saved in the
database.
Parameter Description
Run The frequency at which the task runs.
Select a frequency, then configure the related time and day/date
parameters.
Values:
• Once—The task runs one time only at the specified date and time.
• Minutes—The task runs at intervals of the specified number of
minutes between task starts.
• Daily—The task runs daily at the specified time.
• Weekly—The task runs every week on the specified day or days, at
the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.
Table 224: Update Vision's Attack Description File: Schedule Parameters (cont.)
Parameter Description
Run Always⁴ Specifies whether the task always runs or only during the defined period.
Values:
• Enabled—The task is activated immediately and runs indefinitely, with
no start or end time. It runs at the first Time configured with the
Frequency in the Schedule tab.
• Disabled—The task runs (at the Time and Frequency specified in the
Schedule tab) from the specified Start Date at the Start Time until the
End Date at the End Time.
Default: Enabled
Start Date⁵ and Start Time⁵ The date and time at which the task is activated.
End Date⁵ and End Time⁵ The date and time after which the task no longer runs.
1 – This parameter is available only when the specified Run value is Once, Daily, or
Weekly.
2 – This parameter is available only when the specified Run value is Once.
3 – This parameter is available only when the specified Run value is Minutes.
4 – This parameter is available only when the specified Run value is Minutes, Daily, or
Weekly.
5 – This parameter is available only when the Run Always checkbox is cleared.
Note: By default, you can save up to five (5) configuration files per device on the APSolute Vision
server. You can change this parameter in the APSolute Vision Setup tab.
Parameter Description
Name A name for the task.
Description A user-defined description of the task.
Enabled When selected, the task runs according to the defined schedule. Disabled
tasks are not activated, but the task configuration is saved in the
database.
Parameter Description
Run The frequency at which the task runs.
Select a frequency, then configure the related time and day/date
parameters.
Values:
• Once—The task runs one time only at the specified date and time.
• Minutes—The task runs at intervals of the specified number of
minutes between task starts.
• Daily—The task runs daily at the specified time.
• Weekly—The task runs every week on the specified day or days, at
the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.
Run Always⁴ Specifies whether the task always runs or only during the defined period.
Values:
• Enabled—The task is activated immediately and runs indefinitely, with
no start or end time. It runs at the first Time configured with the
Frequency in the Schedule tab.
• Disabled—The task runs (at the Time and Frequency specified in the
Schedule tab) from the specified Start Date at the Start Time until the
End Date at the End Time.
Default: Enabled
Start Date⁵ and Start Time⁵ The date and time at which the task is activated.
End Date⁵ and End Time⁵ The date and time after which the task no longer runs.
1 – This parameter is available only when the specified Run value is Once, Daily, or
Weekly.
2 – This parameter is available only when the specified Run value is Once.
3 – This parameter is available only when the specified Run value is Minutes.
4 – This parameter is available only when the specified Run value is Minutes, Daily, or
Weekly.
5 – This parameter is available only when the Run Always checkbox is cleared.
Parameter Description
Include Private Keys Specifies whether to include the certificate private key information in the
configuration file in devices that support private keys.
Default: Disabled
Parameter Description
Backup Configuration To The destination of the backup configuration files.
Values:
• APSolute Vision Server
• External Location
Default: APSolute Vision Server
Protocol¹ The protocol that APSolute Vision uses for this task.
Values:
• FTP
• SCP
• SFTP
• SSH
IP Address¹ The IP address of the external location.
Directory¹ The path to the export directory with no spaces. Only alphanumeric
characters and underscores (_) are allowed.
Backup File Name¹ The name of the backup, up to 15 characters, with no spaces. Only
alphanumeric characters and underscores (_) are allowed.
User¹ The username.
Parameter Description
The Available list and the Selected list. The Available list displays the available devices. The
Selected list displays the devices whose configurations this task backs up.
Parameter Description
Name A name for the task.
Description A user-defined description of the task.
Enabled When selected, the task runs according to the defined schedule. Disabled
tasks are not activated, but the task configuration is saved in the
database.
Parameter Description
Run The frequency at which the task runs.
Select a frequency, then configure the related time and day/date
parameters.
Values:
• Once—The task runs one time only at the specified date and time.
• Minutes—The task runs at intervals of the specified number of
minutes between task starts.
• Daily—The task runs daily at the specified time.
• Weekly—The task runs every week on the specified day or days, at
the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.
Run Always⁴ Specifies whether the task always runs or only during the defined period.
Values:
• Enabled—The task is activated immediately and runs indefinitely, with
no start or end time. It runs at the first Time configured with the
Frequency in the Schedule tab.
• Disabled—The task runs (at the Time and Frequency specified in the
Schedule tab) from the specified Start Date at the Start Time until the
End Date at the End Time.
Default: Enabled
Start Date⁵ and Start Time⁵ The date and time at which the task is activated.
End Date⁵ and End Time⁵ The date and time after which the task no longer runs.
1 – This parameter is available only when the specified Run value is Once, Daily, or
Weekly.
2 – This parameter is available only when the specified Run value is Once.
3 – This parameter is available only when the specified Run value is Minutes.
4 – This parameter is available only when the specified Run value is Minutes, Daily, or
Weekly.
5 – This parameter is available only when the Run Always checkbox is cleared.
Parameter Description
The Available list and the Selected list. The Available list displays the available devices. The
Selected list displays the devices that this task reboots.
Notes
• For more information on Toolbox scripts, see the APSolute Vision User Guide or online help.
• The scope configured for an APSolute Vision user determines the managed devices that the
Operator Toolbox task displays. (For more information, see the APSolute Vision User Guide.)
• APSolute Vision issues a failure message if any task action is not successful. The failure message
includes the result of each action—that is, whether the action succeeded or failed for each
target device.
• The configuration of the Toolbox script determines whether the target device must be locked for
the script to run. If the script requires device locking, when an Operator Toolbox task runs the
script, APSolute Vision tries to lock the device. If the locking action is successful, the script runs,
and then, APSolute Vision unlocks the device. If the locking action fails, the Operator Toolbox
task fails.
• If a device in the Target Device List is deleted from APSolute Vision, APSolute Vision deletes
the device from the Target Device List and continues running the task.
• If all the devices in the Target Device List are deleted from APSolute Vision, APSolute Vision
disables the task.
Parameter Description
Name The name of the task.
Description A user-defined description of the task.
Enabled When selected, the task runs according to the defined schedule. Disabled
tasks are not activated, but the task configuration is saved in the
database.
Parameter Description
Run The frequency at which the task runs.
Select a frequency, then configure the related time and day/date
parameters.
Values:
• Once—The task runs one time only at the specified date and time.
• Minutes—The task runs at intervals of the specified number of
minutes between task starts.
• Daily—The task runs daily at the specified time.
• Weekly—The task runs every week on the specified day or days, at
the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.
Run Always⁴ Specifies whether the task always runs or only during the defined period.
Values:
• Enabled—The task is activated immediately and runs indefinitely, with
no start or end time. It runs at the first Time configured with the
Frequency in the Schedule tab.
• Disabled—The task runs (at the Time and Frequency specified in the
Schedule tab) from the specified Start Date at the Start Time until the
End Date at the End Time.
Default: Enabled
Start Date⁵ and Start Time⁵ The date and time at which the task is activated.
End Date⁵ and End Time⁵ The date and time after which the task no longer runs.
1 – This parameter is available only when the specified Run value is Once, Daily, or
Weekly.
2 – This parameter is available only when the specified Run value is Once.
3 – This parameter is available only when the specified Run value is Minutes.
4 – This parameter is available only when the specified Run value is Minutes, Daily, or
Weekly.
5 – This parameter is available only when the Run Always checkbox is cleared.
Parameter Description
Selected Script (Read-only) The script that is selected in the table—with the file name.
To select the script, click the script from the Action Title column.
The table contains all the Toolbox scripts that you have permission to run. The table comprises the
following columns: Action Title, File Name, and Category.
Note: When you change a selection, the parameters in the Parameters tab change accordingly.
Parameter Description
The parameters for the selected script.
Parameter Description
The Available list and the Selected list. The Available list displays the available devices. The
Selected list displays the devices that the Toolbox script runs on.
Note: Radware also recommends updating the Attack Description file each time you update the
Signature files on DefensePro devices.
When you update the Attack Description file, APSolute Vision downloads the file directly from
Radware.com or from the enabled proxy file server.
Tip: You can schedule updates of the Attack Descriptions file using the APSolute Vision scheduler.
For more information, see the APSolute Vision User Guide.
To view the date and time of the last update of the Attack Description file
1. In the APSolute Vision Settings view System perspective, select General Settings > Basic
Parameters.
2. Select the Attack Descriptions File tab. The Attack Descriptions Last Update text box displays
the time of the latest update of the Attack Description file on the APSolute Vision server.
Parameter Description
Hardware Platform The type of hardware platform for this device.
Uptime The system up time in days, hours, minutes, and seconds.
Base MAC Address The MAC address of the first port on the device.
Device Serial Number
Parameter Description
Radware Signature File Version The version of the Radware Signature File installed on the device.
Parameter Description
Software Version The version of the product software installed on the device.
APSolute OS Version The version of the APSolute OS installed on the device—for example,
10.31-03.01:2.06.08.
Parameter Description
Build The build number of the current software version.
Version Status The state of this software version.
Values:
• Open—Not yet released
• Final—Released version
Parameter Description
Hardware Version The hardware version; for example, B.5.
RAM Size The amount of RAM, in megabytes.
Flash Size The size of flash (permanent) memory, in megabytes.
2. Select the row(s) with the relevant port(s), and click the (Disable Selected Ports) button (for
a port currently Up) or the (Enable Selected Ports) button (for a port that is currently Down).
Parameter Description
Port Name The interface name or index number.
Port Family A hard-coded description of the interface.
Port Description A user-defined description of the interface.
Port Speed The current bandwidth of the interface, in megabits per second.
MAC Address The MAC address of the interface.
Admin Status The administrative status of the interface, Up or Down.
Operational Status The operational status of the interface, Up or Down.
Last Change Time The value of System Up time at the time the interface entered its
current operational state. If the current state was entered prior to the
last re-initialization of the local network management subsystem,
then this value is zero (0).
Parameter Description
Incoming Bytes The number of incoming octets (bytes) through the interface
including framing characters.
Incoming Unicast Packets The number of packets delivered by this sub-layer to a higher
sub-layer, which were not addressed to a multicast or broadcast address at this sub-layer.
Incoming Non-Unicast Packets The number of packets delivered by this sub-layer to a higher
sub-layer, which were addressed to a multicast or broadcast address at this sub-layer.
Incoming Discards The number of inbound packets chosen to be discarded even though
no errors had been detected to prevent their being deliverable to a
higher-layer protocol. One possible reason for discarding such a
packet could be to free up buffer space.
Incoming Errors For packet-oriented interfaces, the number of inbound packets that
contained errors preventing them from being deliverable to a higher-layer protocol. For
character-oriented or fixed-length interfaces, the number of inbound transmission units that
contained errors preventing them from being deliverable to a higher-layer protocol.
Outgoing Bytes The total number of octets (bytes) transmitted out of the interface,
including framing characters.
Outgoing Unicast Packets The total number of packets that higher-level protocols requested be
transmitted, and which were not addressed to a multicast or
broadcast address at this sub-layer, including those that were
discarded or not sent.
Outgoing Non-Unicast Packets The total number of packets that higher-level protocols
requested be transmitted, and which were addressed to a multicast or broadcast address at
this sub-layer, including those discarded or not sent.
Outgoing Discards The number of outbound packets that were chosen to be discarded
even though no errors had been detected to prevent their being
transmitted. One possible reason for discarding such a packet could
be to free up buffer space.
Outgoing Errors For packet-oriented interfaces, the number of outbound packets that
could not be transmitted because of errors. For character-oriented or
fixed-length interfaces, the number of outbound transmission units
that could not be transmitted because of errors.
Note: When you issue the Switch Over command on the cluster node, the active device switches
over. To switch modes, select the cluster node, and then select Switch Over.
To view the parameters related to the high availability of a selected DefensePro device
> In the Monitoring perspective, select Operational Status > High Availability.
Parameter Description
Device Role Values:
• Stand Alone—The device is not configured as a member of a high-
availability cluster.
• Primary—The device is configured as the primary member of a high-
availability cluster.
• Secondary—This device is configured as the secondary member of a
high-availability cluster.
Device State Values:
• Active—The device is in the active state. The device may be a
standalone device (not part of a high-availability cluster) or the active
member of a high-availability cluster.
• Passive—The device is the passive member of a high-availability
cluster.
Last Baseline Sync. Values:
• Base-Line still not synched on this device—Either high availability is
not enabled on the device or high availability is enabled on the device
but the baselines for security protections are still not synchronized.
• The timestamp, in DDD MMM DD hh:mm:ss yyyy format, of the last
synchronization of the baseline between the active and passive device.
Cluster State Values:
• Pair not defined—The device is not configured as a member of a high-
availability cluster.
• Disconnected—The device is disconnected from the other member of
the high-availability cluster.
• Negotiate—The device is negotiating with the other member of the
high-availability cluster.
• Synchronizing—The device is synchronizing with the other member of
the high-availability cluster.
• In Sync—The members of the high-availability cluster are
synchronized.
• Hold on—The device is waiting for information from the other member
of the high-availability cluster.
Cluster Node in Use The IP address of the selected device.
Peer Clustered Node in Use The IP address of the other cluster member.
Parameter Description
Note: DefensePro versions running on the x420 platform contain the internal logic of two
DefensePro software instances, which use the DoS Mitigation Engine (DME) and the physical ports as
shared resources. For more information, see the DefensePro User Guide.
Resource Utilization Instance 0 The percentage of the device’s instance-0 CPU currently utilized.
Resource Utilization Instance 1 The percentage of the device’s instance-1 CPU currently utilized.
RS Resource Utilization Instance 0 The percentage of the device’s instance-0 routing services (RS) resource currently utilized.
RS Resource Utilization Instance 1 The percentage of the device’s instance-1 routing services (RS) resource currently utilized.
RE Resource Utilization Instance 0 The percentage of the device’s instance-0 routing engine (RE) resource currently utilized.
RE Resource Utilization Instance 1 The percentage of the device’s instance-1 routing engine (RE) resource currently utilized.
Last 5 sec. Average Utilization Instance 0 The average utilization of instance-0 resources in the last 5 seconds.
Last 5 sec. Average Utilization Instance 1 The average utilization of instance-1 resources in the last 5 seconds.
Last 60 sec. Average Utilization Instance 0 The average utilization of instance-0 resources in the last 60 seconds.
Last 60 sec. Average Utilization Instance 1 The average utilization of instance-1 resources in the last 60 seconds.
Parameter Description
Instance The internal hardware instance of the device.
Accelerator Type The name of the accelerator. The accelerator named
Flow_Accelerator_0 is one logical accelerator that uses several
CPU cores. The accelerator named HW Classifier is the string-matching engine (SME).
CPU ID The CPU number for the accelerator.
Forwarding Task The percentage of CPU cycles used for traffic processing.
Other Tasks The percentage of CPU resources used for other tasks such as
aging and so on.
Idle Task The percentage of free CPU resources.
Parameter Description
Table Size The number of source addresses that the table can hold.
Table Utilization Percent of the table that is currently utilized.
Aging Time The aging time, in seconds, for the table.
Parameter Description
Table Size The number of source-destination couples for protected HTTP servers.
For example, if there are two attacks towards two HTTP servers and the
source addresses are the same, for those two servers, there will be two
entries for the source in the table.
Table Utilization Percent of the table that is currently utilized.
Aging Time The aging time, in seconds, for the table.
Values: 60–3600
Default: 1200
Parameter Description
Table Size The number of source addresses that the table can hold.
Table Utilization Percent of the table that is currently utilized.
Aging Time The aging time, in minutes, for the table.
Note: For the TCP Authentication Table and the HTTP Authentication Table, the Clean Table
action can take up to 10 seconds.
Note: If the device is not equipped with the DME, 0 (zero) values are displayed.
Parameter Description
Note: If a value in this tab is close to the maximum, the resources for the device are exhausted.
Total Policies The total number of policies in the context of the DME, which is
double the number of network policies configured in the device.
HW Entries Utilization The percentage of resource utilization from the HW entries in the
context of the DME.
Sub-Policies Utilization The percentage of DME resource utilization from the entries of sub-policies.
In the context of the DME, a sub-policy is a combination of the
following:
• Source-IP-address range
• Destination-IP-address range
• VLAN-tag range
Concurrent Active BDoS Attacks The number of concurrent active BDoS attacks.
Parameter Description
Policy Name The name of the policy.
Direction The direction of the policy.
Values:
• Inbound
• Outbound
HW Entries The number of DME hardware entries that the policy uses.
Sub-Policies The number of DME sub-policy entries that the policy uses.
Parameter Description
Syslog Server The name of the syslog server.
Status The status of the syslog server.
Values:
• Reachable—The server is reachable.
• Unreachable—The server is unreachable.
• N/R—Specifies not relevant, because traffic towards the
Syslog server is over UDP—as specified (Configuration
perspective, Setup > Syslog Server > Protocol > UDP).
Messages in Backlog The number of messages in the backlog to the syslog server.
Parameter Description
Number of SNMP Received Packets The total number of messages delivered to the SNMP entity
from the transport service.
Number of SNMP Sent Packets The total number of SNMP messages passed from the SNMP
protocol entity to the transport service.
Number of SNMP Successful 'GET' Requests The total number of MIB objects retrieved successfully by
the SNMP protocol entity as the result of receiving valid SNMP GET-Request and GET-Next PDUs.
Number of SNMP Successful 'SET' Requests The total number of MIB objects modified successfully by the
SNMP protocol entity as the result of receiving valid SNMP SET-Request PDUs.
Number of SNMP 'GET' Requests The total number of SNMP GET-Request PDUs accepted and
processed by the SNMP protocol entity.
Number of SNMP 'GET-Next' Requests The total number of SNMP GET-Next Request PDUs accepted
and processed by the SNMP protocol entity.
Number of SNMP 'SET' Requests The total number of SNMP SET-Request PDUs accepted and
processed by the SNMP protocol entity.
Number of SNMP Error “Too Big” Received The total number of SNMP PDUs generated by the SNMP
protocol entity for which the value of the error-status field is ‘tooBig’.
Number of SNMP Error “No Such Name” Received The total number of SNMP PDUs generated by the SNMP
protocol entity for which the value of the error-status field is ‘noSuchName’.
Number of SNMP Error “Bad Value” Received The total number of SNMP PDUs generated by the SNMP
protocol entity for which the value of the error-status field is ‘badValue’.
Number of SNMP Error “Generic Error” Received The total number of SNMP PDUs generated by the SNMP
protocol entity for which the value of the error-status field is ‘genErr’.
Number of SNMP 'GET' Responses Sent The total number of SNMP Get-Response PDUs generated by
the SNMP protocol entity.
Number of SNMP Traps Sent The total number of SNMP Trap PDUs generated by the SNMP
protocol entity.
Parameter Description
Number of IP Packets Received The total number of input datagrams received from interfaces,
including those received in error.
Number of IP Header Errors The number of input datagrams discarded due to errors in their IP
headers, including bad checksums, version number mismatch, other
format errors, time-to-live exceeded, errors discovered in
processing their IP options, and so on.
Number of Discarded IP Packets The total number of input datagrams for management that were
discarded.
This counter does not include any datagrams discarded while
awaiting re-assembly.
Number of Valid IP Packets Received The total number of input datagrams successfully delivered to IP
user-protocols (including ICMP).
Number of Transmitted Packets (Inc. Discards) The total number of IP datagrams which local IP
user-protocols, including ICMP, supplied to IP in requests for transmission.
This counter does not include any datagrams counted in the Number
of IP Packets Forwarded.
Number of Discarded Packets on TX The number of output IP datagrams for which no problem was
encountered to prevent their transmission to their destination, but which were discarded
anyway, for example, for lack of buffer space.
This counter includes any datagrams counted in the Number of IP
Packets Forwarded if those packets meet this (discretionary) discard
criterion.
Number of IP Packets Forwarded The number of input datagrams for which this entity was not their
final IP destination, as a result of which an attempt was made to find a route to forward them
to that final destination. In entities that do not act as IP gateways, this counter includes
only those packets which were source-routed via this entity, and the source-route option
processing was successful.
Number of IP Packets Discarded Due to ‘Unknown Protocol’ The number of locally addressed
datagrams received successfully but discarded because of an unknown or unsupported protocol.
Number of IP Packets Discarded Due to ‘No Route’ The number of IP datagrams discarded because
no route could be found to transmit them to their destination.
Note: This counter includes any packets counted in the Number
of IP Packets Forwarded that meet the no-route criterion. This
includes any datagrams which a host cannot route because all of
its default gateways are down.
Number of IP Fragments Received The number of IP fragments received which needed to be
reassembled at this entity.
Number of IP Fragments Successfully Reassembled The number of IP datagrams successfully re-assembled.
Number of IP Fragments Failed Reassembly The number of failures detected by the IP re-assembly
algorithm, such as timed out, errors, and so on. Note: This is not necessarily a count of
discarded IP fragments since some algorithms (notably the algorithm in RFC 815) can lose track
of the number of fragments by combining them as they are received.
Number of IP Datagrams Successfully Reassembled The number of IP datagrams that have been
successfully re-assembled at this entity.
Number of IP Datagrams Discarded Due to Fragmentation Failure The number of IP datagrams that
have been discarded because they needed to be fragmented at this entity but could not be, for
example, because their Don’t Fragment flag was set.
Number of IP Datagrams Fragments Generated The number of IP datagram fragments that have been
generated as a result of fragmentation at this entity.
Valid Routing Entries Discarded The number of valid routing entries discarded.
Notes
• The filtered Session table does not automatically refresh. The information loads when you
display the Session Table pane and when you manually refresh the display.
• DefensePro issues alerts for high utilization alerts of the Session table. DefensePro sends alerts
to APSolute Vision when table utilization reaches 90% and 100%.
Parameter Description
Source IP: The source IP address within the defined subnet.
Destination IP: The destination IP address within the defined subnet.
Source L4 Port: The session source port.
Destination L4 Port: The session destination port.
Protocol: The session protocol.
Physical Interface: The physical port on the device at which the request arrives from the client.
Lifetime (Sec.): The time, in seconds, following the arrival of the last packet, that the entry remains in the table before it is deleted.
Aging Type: The reason for the Lifetime value.
Values:
• Default—A lifetime per protocol. The default value is 100 seconds.
• End—Session end. A FIN/RST arrived, and the session ended. The value depends on the protocol defaults. The default value is 5 seconds.
• SYN—SYN Protection. The Lifetime was set after DefensePro received a SYN that may be an attack. The default value is 10 seconds.
• App—An application changed the lifetime for an application-specific reason. Note that the host table can change this lifetime only to the Lifetime type End (for example, ACL rules).
• Initial—The initial lifetime of the session, which later (probably after the arrival of the second packet) will be modified to the Lifetime type Default. The default value is 5 seconds.
• Unknown—If none of the above options are used.
SYN Flood Status: Indicates whether the entry is currently protected against SYN attacks.
Values:
• Not Protected—The SYN Flood Protection module is disabled.
• Protected (No Attack)—No trigger is found for the protected server, thus there is no attack.
• Protected (Under Attack)—There is an ongoing attack on the protected server, and DefensePro is mitigating the attack.
Policy Name: The name of the Network Protection policy.
Parameter Description
Filter Name: The unique name of the filter.
Physical Interface: The physical port on the device at which the request arrives from the client.
Default: Any
Source IP Address: The source IP address within the defined subnet. Select IPv4 or IPv6, and then, enter the address.
Source IP Mask: The source IP address used to define the subnet that you want to present in the Session table. Select IPv4 or IPv6, and then, enter the mask.
Destination IP Address: The destination IP address within the defined subnet. Select IPv4 or IPv6, and then, enter the address.
Destination IP Mask: The destination IP address used to define the subnet that you want to present in the Session table. Select IPv4 or IPv6, and then, enter the mask.
Source L4 Port: The session source Layer 4 port.
Destination L4 Port: The session destination Layer 4 port.
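The aging types and the filter parameters above describe the Session table as a data structure. The following Python model is an added illustration, not Radware's code and not taken from the device: it keeps session entries that age out according to the lifetimes the guide quotes (Default 100 seconds, End 5, SYN 10, Initial 5), and applies a filter with the Source/Destination IP and mask, Layer 4 port and Physical Interface criteria to both IPv4 and IPv6 entries. The order in which aging types override one another (End over SYN over the Initial to Default promotion), the record layout and the sample sessions are assumptions made for this example.

```python
"""Model of a Session table entry, its aging types and the Session table filter.
Added illustrative code, not Radware's implementation. The lifetimes (Default 100 s,
End 5 s, SYN 10 s, Initial 5 s) are the guide's quoted defaults; the override order
between aging types and the record layout are assumptions for this example."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Tuple
import ipaddress


class AgingType(Enum):
    DEFAULT = "Default"    # per-protocol lifetime
    END = "End"            # FIN/RST seen, session is closing
    SYN = "SYN"            # SYN protection shortened the lifetime
    APP = "App"            # an application changed the lifetime
    INITIAL = "Initial"    # first packet only, until the second packet arrives
    UNKNOWN = "Unknown"


# Default lifetimes in seconds, as quoted in the guide
DEFAULT_LIFETIME = {AgingType.DEFAULT: 100, AgingType.END: 5,
                    AgingType.SYN: 10, AgingType.INITIAL: 5}


def mask_to_prefix(mask: str) -> int:
    """Turn a dotted IPv4 or colon-form IPv6 mask into a prefix length, rejecting
    non-contiguous masks (ipaddress accepts IPv6 masks only as prefix lengths)."""
    addr = ipaddress.ip_address(mask)
    value, width = int(addr), addr.max_prefixlen
    prefix = bin(value).count("1")
    if value != ((1 << prefix) - 1) << (width - prefix):
        raise ValueError(f"non-contiguous mask {mask}")
    return prefix


def in_subnet(ip: str, subnet_ip: str, mask: str) -> bool:
    """True if ip lies in subnet_ip/mask; an IPv4/IPv6 version mismatch never matches."""
    network = ipaddress.ip_network((subnet_ip, mask_to_prefix(mask)), strict=False)
    return ipaddress.ip_address(ip) in network


@dataclass
class Session:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: str
    interface: str          # physical port the client's packets arrive on
    last_packet: float      # arrival time of the last packet, in seconds
    aging: AgingType = AgingType.INITIAL
    lifetime: int = DEFAULT_LIFETIME[AgingType.INITIAL]

    def expires_at(self) -> float:
        return self.last_packet + self.lifetime


class SessionTable:
    def __init__(self) -> None:
        self._sessions: Dict[Tuple, Session] = {}

    def __len__(self) -> int:
        return len(self._sessions)

    def on_packet(self, src_ip, dst_ip, src_port, dst_port, protocol, interface,
                  now, fin_or_rst=False, syn_suspect=False) -> Session:
        key = (src_ip, dst_ip, src_port, dst_port, protocol)
        s = self._sessions.get(key)
        if s is None:                      # first packet: Initial lifetime
            s = Session(src_ip, dst_ip, src_port, dst_port, protocol, interface, now)
            self._sessions[key] = s
            return s
        s.last_packet = now
        # Assumed precedence: session end beats SYN protection, which beats the
        # Initial -> Default promotion that the second packet normally triggers.
        if fin_or_rst:
            s.aging = AgingType.END
        elif syn_suspect:
            s.aging = AgingType.SYN
        elif s.aging is AgingType.INITIAL:
            s.aging = AgingType.DEFAULT
        s.lifetime = DEFAULT_LIFETIME.get(s.aging, s.lifetime)
        return s

    def expire(self, now: float) -> int:
        """Delete entries whose lifetime has elapsed; return how many were removed."""
        dead = [k for k, s in self._sessions.items() if s.expires_at() <= now]
        for k in dead:
            del self._sessions[k]
        return len(dead)

    def filter(self, src_ip=None, src_mask=None, dst_ip=None, dst_mask=None,
               src_port=None, dst_port=None, interface=None) -> List[Session]:
        """Apply the Session table filter: subnets, Layer 4 ports, physical interface."""
        out = []
        for s in self._sessions.values():
            if src_ip and not in_subnet(s.src_ip, src_ip, src_mask):
                continue
            if dst_ip and not in_subnet(s.dst_ip, dst_ip, dst_mask):
                continue
            if src_port is not None and s.src_port != src_port:
                continue
            if dst_port is not None and s.dst_port != dst_port:
                continue
            if interface is not None and s.interface != interface:
                continue
            out.append(s)
        return out


def build_sample_table() -> SessionTable:
    """Constructed sample sessions (not taken from a real device)."""
    t = SessionTable()
    t.on_packet("10.0.0.5", "192.0.2.10", 40000, 80, "TCP", "1", 0.0)
    t.on_packet("10.0.1.7", "192.0.2.10", 40001, 443, "TCP", "2", 0.0)
    t.on_packet("2001:db8::5", "2001:db8:1::10", 5000, 53, "UDP", "1", 0.0)
    return t
```

The mask is converted to a prefix length by hand because the standard library accepts an IPv6 mask only in prefix form, and a non-contiguous mask is rejected rather than silently matched; the filter never matches an IPv4 entry against an IPv6 subnet or the reverse.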
Note: The Routing table is not automatically refreshed periodically. The information is loaded when
you select to display the Routing Table pane, and when you manually refresh the display.
Parameter Description
Destination Network: The destination network to which the route is defined.
Netmask: The network mask of the destination subnet.
Next Hop: The IP address of the next hop toward the Destination subnet. (The next hop always resides on the subnet local to the device.)
Via Interface: The local interface or VLAN through which the next hop of this route is reached. This can be the port name, trunk name, or VLAN ID.
In DefensePro 6.x–8.x versions, this is the local interface or VLAN through which the next hop of this route is reached. This can be the port name, trunk name, or VLAN ID.
Type: This field is displayed only in the Static Routes table. The type of routing.
Values:
• Local—The subnet is directly reachable from the device.
• Remote—The subnet is not directly reachable from the device.
Metric: The metric value defined or calculated for this route.
Note: The ARP table is not automatically refreshed periodically. The information is loaded when you
select to display the ARP Table pane, and when you manually refresh the display.
Parameter Description
Port: The interface number where the station resides.
IP Address: The station’s IP address.
MAC Address: The station’s MAC address.
Type: The entry type.
Values:
• Other—Not Dynamic or Static.
• Dynamic—Entry is learned from the ARP protocol. If the entry is not active for a predetermined time, the node is deleted from the table.
• Static—Entry has been configured by the network management station and is permanent.
Parameter Description
Source IP: The IP address from which traffic was suspended.
Destination IP: The IP address to which traffic was suspended (0.0.0.0 means traffic to all destinations was suspended).
Destination Port: The application port to which traffic was suspended (0 means all ports).
Protocol: The network protocol of the suspended traffic.
Module: The security module that activated the traffic suspension.
Values: Signature Protection, Anti Scanning, Syn Protection
Classification Type:
Values:
• Policy—A Network Protection policy suspended the traffic.
• Server—A Server Protection policy suspended the traffic.
Policy / Server Name: The name of the policy that suspended the traffic.
Expiration Type: The method of determining the expiration.
Values: On Request, Fixed Timeout, Dynamic Timeout
Expiration Time: The number of seconds until the entry is removed from the Suspend table.
Notes
• For more information on the Device Operation Mode, see Configuring the Device Operation Mode
for DefensePro, page 156.
• For more information on the tunnels when the Device Operation Mode is IP, see Managing
Tunnel Interfaces, page 86.
Parameter Description
Tunnel IP Address: The IP address of the tunnel.
Primary Tunnel Status: The status of the primary tunnel.
Secondary Tunnel Status: The status of the secondary tunnel.
Parameter Description
Total Tunnels Status: The number of reachable tunnels of the total configured tunnels, using a slash (/) as the separator. For example, the value 10/11 signifies that there are 10 reachable tunnels of the 11 total configured tunnels.
Note: The routing tables managed by a Border Gateway Protocol (BGP) implementation are
adjusted continually to reflect changes in the network, such as links breaking and being restored, or
routers going down and coming back up. In the network as a whole, these changes happen almost
continuously, but for any particular router or link, changes should be relatively infrequent.
Parameter Description
Peer IP Address: The IP address of the remote peer.
Admin Status: Indicates whether the peer is enabled.
Connection State: The state of the connection.
Values:
• Idle—The peer is stopped.
• Connect—DefensePro initiated a TCP connection to the remote peer.
• Active—The peer is waiting during a connect retry interval, after failing to establish a TCP connection to the remote peer. In this state, DefensePro also listens on port 179 for potential incoming connections from the remote peer.
• OpenSent—A TCP connection is established with the remote peer. DefensePro sent a BGP OPEN message to the remote peer and expects to receive an OPEN message from it.
• OpenConfirm—DefensePro received an OPEN message from the remote peer. DefensePro responds with a KEEPALIVE message and expects a KEEPALIVE message from the remote peer.
• Established—A BGP connection is established with the remote peer. DefensePro can now exchange UPDATE messages with it.
Remote AS: The remote autonomous system number.
Peer Identifier: The IP address that identifies the remote peer for the current BGP connection.
Local Address: The DefensePro IP interface address used as the source IP address for a BGP connection.
Local Port (Source): The TCP source port number used by DefensePro for a BGP connection to the remote peer.
Remote Port (Destination): The TCP destination port number used by DefensePro for a BGP connection to the remote peer.
In Updates: The number of BGP UPDATE messages received on the connection.
Out Updates: The number of BGP UPDATE messages transmitted on the connection.
In Total Messages: The total number of messages received from the remote peer on the connection.
Out Total Messages: The total number of messages transmitted to the remote peer on the connection.
Last Error: The last error code and subcode seen by the peer on the connection. If no error has occurred, the value for this field is zero (0). Otherwise, the first byte of this two-byte OCTET STRING contains the error code, and the second byte contains the subcode.
FSM Established Time: How long, in seconds, the peer has been in the established state, or how long since the peer was last in the established state. It is set to zero when a new peer is configured or the router is booted.
FSM Established Transitions: The total number of times the BGP FSM transitioned into the established state.
Connect Retry Interval: The Connect Retry Interval value specified in the configuration of the peer.
Hold Time: The time, in seconds, of the Hold Timer established with the peer. The BGP speaker calculates this value as the smaller of the configured Hold Time and the Hold Time received in the OPEN message. The value zero (0) indicates that the Hold Timer has not been established with the peer, or that the configured Hold Time is zero (0).
Keep Alive Time: The interval, in seconds, for the keepalive timer established with the peer. The value of this object is calculated by the BGP speaker. The value zero (0) indicates that the keepalive timer has not been established with the peer, or that the configured Keep-Alive Time is zero (0).
Hold Time Configured: The Hold Time value specified in the configuration of the peer.
Keep Alive Configured: The Keep-Alive Time value specified in the configuration of the peer.
In Update Elapsed Time: The elapsed time, in seconds, since the last BGP UPDATE message was received from the peer.
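The Connection State values, the Hold Time negotiation and the two-byte Last Error field in the table above are easier to follow as a small state machine. The following Python code is an added example, not DefensePro's implementation. The state names, the rule that the Hold Timer is the smaller of the configured value and the value received in the peer's OPEN message, and the code/subcode layout of Last Error follow the table; the keepalive derivation (one third of the negotiated hold time, capped by the configured Keep-Alive Time), the NOTIFICATION handling and the error-code names, which come from RFC 4271, are assumptions about how the device behaves.

```python
"""Model of a BGP peer's connection states, timer negotiation and Last Error field.
Added illustrative code, not DefensePro's implementation. State names and the Hold Time
rule follow the guide; keepalive = min(configured, hold/3) and the NOTIFICATION handling
are assumptions, and the error-code names are the RFC 4271 NOTIFICATION error codes."""
from enum import Enum
from typing import Optional, Tuple


class PeerState(Enum):
    IDLE = "Idle"
    CONNECT = "Connect"
    ACTIVE = "Active"            # TCP connect failed; waiting ConnectRetry, listening on 179
    OPEN_SENT = "OpenSent"
    OPEN_CONFIRM = "OpenConfirm"
    ESTABLISHED = "Established"


# NOTIFICATION error codes, RFC 4271 section 4.5 (code 0 is the guide's "no error" value)
ERROR_CODES = {0: "No error", 1: "Message Header Error", 2: "OPEN Message Error",
               3: "UPDATE Message Error", 4: "Hold Timer Expired",
               5: "Finite State Machine Error", 6: "Cease"}


def decode_last_error(octets: bytes) -> Tuple[int, int, str]:
    """Split the two-byte Last Error OCTET STRING into (code, subcode, name)."""
    if len(octets) != 2:
        raise ValueError("Last Error is a two-byte OCTET STRING")
    code, subcode = octets[0], octets[1]
    return code, subcode, ERROR_CODES.get(code, "Unknown")


class BgpPeer:
    def __init__(self, peer_ip: str, remote_as: int, hold_time_configured: int = 90,
                 keepalive_configured: int = 30, connect_retry_interval: int = 120):
        self.peer_ip, self.remote_as = peer_ip, remote_as
        self.hold_time_configured = hold_time_configured
        self.keepalive_configured = keepalive_configured
        self.connect_retry_interval = connect_retry_interval
        self.state = PeerState.IDLE
        self.hold_time = 0              # 0 until the Hold Timer is established
        self.keepalive_time = 0
        self.in_updates = self.out_updates = 0
        self.in_total = self.out_total = 0
        self.established_transitions = 0
        self._established_change: Optional[float] = None   # last entry to / exit from Established
        self._last_update_in: Optional[float] = None
        self.last_error = b"\x00\x00"

    # Transitions, named after the Connection State values in the guide
    def start(self) -> None:
        """Admin Status enabled: leave Idle and initiate a TCP connection."""
        self.state = PeerState.CONNECT

    def tcp_failed(self) -> None:
        self.state = PeerState.ACTIVE

    def tcp_connected(self) -> None:
        self.out_total += 1             # OPEN sent
        self.state = PeerState.OPEN_SENT

    def open_received(self, peer_hold_time: int) -> None:
        """Negotiate timers from the peer's OPEN: smaller of configured and received."""
        self.in_total += 1
        self.hold_time = min(self.hold_time_configured, peer_hold_time)
        self.keepalive_time = (min(self.keepalive_configured, self.hold_time // 3)
                               if self.hold_time else 0)
        self.out_total += 1             # KEEPALIVE answered
        self.state = PeerState.OPEN_CONFIRM

    def keepalive_received(self, now: float) -> None:
        self.in_total += 1
        if self.state is PeerState.OPEN_CONFIRM:
            self.state = PeerState.ESTABLISHED
            self.established_transitions += 1
            self._established_change = now

    def update_received(self, now: float) -> None:
        self.in_total += 1
        self.in_updates += 1
        self._last_update_in = now

    def notification_received(self, code: int, subcode: int, now: float) -> None:
        """A NOTIFICATION closes the session; its code/subcode becomes Last Error."""
        self.in_total += 1
        self.last_error = bytes([code, subcode])
        if self.state is PeerState.ESTABLISHED:
            self._established_change = now
        self.hold_time = self.keepalive_time = 0
        self.state = PeerState.IDLE

    # Counters shown in the table
    def fsm_established_time(self, now: float) -> float:
        """Seconds in Established, or since it was last left; 0 for a fresh peer."""
        return 0.0 if self._established_change is None else now - self._established_change

    def in_update_elapsed(self, now: float) -> Optional[float]:
        return None if self._last_update_in is None else now - self._last_update_in
```

A peer that offers a Hold Time of 180 against a configured 90 ends up with 90, while a peer that offers 30 pulls the timer down to 30 and the keepalive to 10; a Hold Time of 0 from either side disables both timers, which is the zero value the table describes.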
Notes
• To see the actual timestamp of the packets in the files that the diagnostic packet-capture tool
produces, in the packet analyzer (for example, Wireshark), you may need to modify the format
of the time display. The timestamp in the packets in the files that the diagnostic packet-capture
tool produces is always UTC.
• The diagnostic packet-capture tool does not capture packets that pass through the device as the
result of Traffic Exclusion. Traffic Exclusion is when DefensePro passes through all traffic that
matches no network policy configured on the device.
• The diagnostic packet-capture tool does not capture GRE-encapsulated packets.
• The diagnostic packet-capture tool does not handle jumbo frames. DefensePro either passes
through jumbo-frame traffic or drops jumbo-frame traffic.
• For information on the files that the diagnostic packet-capture tool generates, see Managing Capture Files.
To configure the parameters of the diagnostic packet-capture tool using APSolute Vision
1. In the Monitoring perspective, select Diagnostics > Diagnostic Tool Parameters.
2. Configure the parameters, and then, click Submit.
Parameter Description
Status: Specifies whether the diagnostic packet-capture tool is enabled.
Values: Enabled, Disabled
Default: Disabled
Note: When the device reboots, the status of the diagnostic packet-capture tool reverts to Disabled.
Output to File: The location of the stored captured data.
Values:
• RAM Drive and Flash—The device stores the data in RAM and appends the data to the file on the CompactFlash drive. Due to limits on CompactFlash size, DefensePro uses two files. When the first file becomes full, the device switches to the second, until it is full, and then it overwrites the first file, and so on.
• RAM Drive—The device stores the data in RAM.
• None—The device does not store the data in RAM or flash, but you can view the data using a terminal.
Output to Terminal: Specifies whether the device sends captured data to a terminal.
Values: Enabled, Disabled
Default: Disabled
Capture Point: The location where the device captures the data.
Values:
• On Packet Arrive—The device captures packets when they enter the device.
• On Packet Send—The device captures packets when they leave the device.
• Both—The device captures packets when they enter the device and when they leave the device.
Default: On Packet Arrive
Capture Rate:
Values: 1–10,000
Default: 1
Note: When the device reboots, the value reverts to 1.
Parameter Description
Name: The user-defined name of the policy.
Maximum characters: 64
Index: The number of the policy in the order in which the diagnostic packet-capture tool classifies (that is, captures) the packets.
Default: 1
Description: The user-defined description of the policy.
Maximum characters: 20
VLAN Tag Group: The VLAN tag value or predefined class object whose packets the policy classifies (that is, captures).
Destination: The destination IP address or predefined class object whose packets the policy classifies (that is, captures).
Source: The source IP address or predefined class object whose packets the policy classifies (that is, captures).
Service Type: The service type whose packets the policy classifies (that is, captures).
Values:
• None
• Basic Filter
• AND Group
• OR Group
Default: None
Service: The service whose packets the policy classifies (that is, captures).
Outbound Port Group: The Physical Port class whose outbound packets the policy classifies (that is, captures).
You cannot set this parameter when the Trace-Log Status parameter is enabled in the DefensePro CLI or Web Based Management.
Inbound Port Group: The Physical Port class whose inbound packets the policy classifies (that is, captures).
Destination MAC Group: The destination MAC group whose packets the policy classifies (that is, captures).
Source MAC Group: The source MAC group whose packets the policy classifies (that is, captures).
Maximal Number of Packets: The maximal number of packets the policy captures. Once the policy captures the specified number of packets, it stops capturing traffic. In some cases, the policy captures fewer packets than the configured value. This happens when the device is configured to drop packets.
Maximal Packet Length: The maximal length for a packet the policy captures.
Trace-Log Status: Specifies whether the Trace-Log feature is enabled in the policy.
Values: Enabled, Disabled
Default: Disabled
Note: You cannot set the Outbound Port Group when the value of the Trace-Log Status parameter is Enabled.
Capture Status: Specifies whether the packet-capture feature is enabled in the policy.
Values: Enabled, Disabled
Default: Disabled
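Taken together, the tool parameters and the policy parameters above define a classifier: policies are tried in Index order, each captures at most Maximal Number of Packets, and each keeps at most Maximal Packet Length bytes of a packet. The following Python model is an added example and not Radware's code. The packet representation (a dict with src, dst, vlan, proto, dport, in_port and data keys), the rule that the lowest-Index matching policy takes the packet while a full policy lets later policies try, the reading of Capture Rate N as "keep one of every N packets a policy matches" (the guide only gives the range 1–10,000), and the sample packets are assumptions for this example.

```python
"""Model of how the diagnostic packet-capture tool's policies classify packets.
Added illustrative code, not Radware's implementation. Policy fields, Index ordering,
the Maximal Number of Packets stop condition and Maximal Packet Length truncation follow
the guide; the packet layout, first-match rule and Capture Rate semantics are assumed."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple
import ipaddress


@dataclass
class CapturePolicy:
    name: str
    index: int                                # classification order (lower first)
    source: Optional[str] = None              # CIDR, or None for any source
    destination: Optional[str] = None         # CIDR, or None for any destination
    vlan_tag: Optional[int] = None
    protocol: Optional[str] = None            # "Service", simplified to protocol + port
    dst_port: Optional[int] = None
    inbound_ports: Optional[Set[str]] = None  # Physical Port class for inbound packets
    max_packets: int = 100                    # Maximal Number of Packets
    max_packet_length: int = 1518             # Maximal Packet Length (bytes kept)
    enabled: bool = True                      # Capture Status
    seen: int = 0                             # matching packets offered to the policy
    captured: int = 0

    def matches(self, pkt: dict) -> bool:
        if self.vlan_tag is not None and pkt.get("vlan") != self.vlan_tag:
            return False
        if self.source and (ipaddress.ip_address(pkt["src"])
                            not in ipaddress.ip_network(self.source)):
            return False
        if self.destination and (ipaddress.ip_address(pkt["dst"])
                                 not in ipaddress.ip_network(self.destination)):
            return False
        if self.protocol and pkt.get("proto") != self.protocol:
            return False
        if self.dst_port is not None and pkt.get("dport") != self.dst_port:
            return False
        if self.inbound_ports and pkt.get("in_port") not in self.inbound_ports:
            return False
        return True


class DiagnosticCapture:
    """The tool itself: global Status, Capture Rate, and the captured records."""

    def __init__(self, policies: List[CapturePolicy], capture_rate: int = 1,
                 enabled: bool = True):
        if not 1 <= capture_rate <= 10_000:
            raise ValueError("Capture Rate must be in the range 1-10,000")
        self.policies = sorted(policies, key=lambda p: p.index)
        self.capture_rate = capture_rate
        self.enabled = enabled
        self.records: List[Tuple[str, dict]] = []   # (policy name, truncated packet)

    def on_packet(self, pkt: dict) -> Optional[str]:
        """Classify one packet; return the name of the policy that captured it, or None."""
        if not self.enabled:
            return None
        for policy in self.policies:
            if not policy.enabled or not policy.matches(pkt):
                continue
            if policy.captured >= policy.max_packets:
                continue                  # this policy stopped capturing; try the next
            policy.seen += 1
            if (policy.seen - 1) % self.capture_rate:
                return None               # sampled out by Capture Rate (assumed semantics)
            policy.captured += 1
            record = dict(pkt, data=pkt["data"][:policy.max_packet_length])
            self.records.append((policy.name, record))
            return policy.name
        return None


def sample_packets() -> List[dict]:
    """Constructed packets for the demonstration (not real captures)."""
    web = dict(src="10.0.0.6", dst="192.0.2.10", vlan=200, proto="TCP", dport=80,
               in_port="1", data=b"GET / HTTP/1.1\r\n" + b"x" * 184)   # 200 bytes
    return [
        dict(web, src="10.0.0.5", vlan=100),   # matches both policies; lower Index wins
        web, dict(web), dict(web),             # three identical web packets
        dict(src="10.0.0.7", dst="198.51.100.1", vlan=300, proto="UDP", dport=53,
             in_port="2", data=b"\x00" * 60),  # matches no policy
    ]


def run_demo(capture_rate: int = 1) -> Tuple[DiagnosticCapture, List[Optional[str]]]:
    """Two constructed policies: a VLAN policy (Index 1) and a web policy (Index 2)."""
    tool = DiagnosticCapture([
        CapturePolicy("web", index=2, destination="192.0.2.0/24", protocol="TCP",
                      dst_port=80, max_packets=2, max_packet_length=64),
        CapturePolicy("vlan100", index=1, vlan_tag=100),
    ], capture_rate=capture_rate)
    return tool, [tool.on_packet(p) for p in sample_packets()]
```

With the default Capture Rate of 1, run_demo() shows the first packet going to the VLAN policy because its Index is lower, the next two going to the web policy and being trimmed to 64 bytes, and the fourth web packet being refused because that policy has reached its Maximal Number of Packets; with a Capture Rate of 2 only every second matching packet per policy is kept.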
Notes
• Your user permissions (your RBAC user definition) determine the DefensePro devices and
policies that the Security Monitoring perspective displays to you. You can view and monitor only
the attacks blocked by the DefensePro that are available to you.
• APSolute Vision also manages and issues alerts for new security attacks.
• DefensePro calculates traffic baselines, and uses the baselines to identify abnormalities in traffic
levels.
• When calculating the real-time network traffic and statistical parameters, DefensePro does not include traffic that exceeded the throughput license.
Risk Levels
The following table describes the risk levels that DefensePro supports to classify security events.
Note: For some protections, the user can specify the risk level for an event. For these protections,
the descriptions in the following table are recommendations, and specifying the risk level is the
user’s responsibility.
Use a Dashboard View in the Security Monitoring perspective to analyze activity and security events
in the network, identify security trends, and analyze risks.
You can view information for individual devices, all devices in a site, or all devices in the network.
The dashboard monitoring display automatically refreshes providing ongoing real-time analysis of
the system.
The Dashboard View node comprises the following tabs, which display the same summary
information:
• Current Attacks Table—which is a table display (see Figure 19 - Current Attacks Table, page
339).
• Ongoing Attacks Monitor—which includes a graphical, chart display (see Figure 20 - Ongoing
Attacks Monitor, page 343).
The Scope and other display parameters that you configure apply to the Current Attacks Table and
to the Ongoing Attacks Monitor. For more information, see Configuring the Display Parameters of a
Dashboard View, page 337.
When you double-click an attack in the Current Attacks Table or Ongoing Attacks Monitor, APSolute Vision displays the details in an Attack Details tab. There, you can display the Sampled Data dialog box for all attack types that support sampled data.
By default, the display of the Dashboard View refreshes every 15 seconds. Administrators can
configure the refresh rate (APSolute Vision Settings view System perspective, General Settings >
Monitoring > Polling Interval for Reports).
Parameter Description
Scope: The physical ports and the Network Protection policies that the dashboard displays.
By default, the Scope is Any Port; Any Policy. That is, by default, the dashboard displays all the information.
To control the scope of the information that the dashboard displays in DefensePro, see the procedure To control the scope of the information that the Dashboard View displays, page 338.
Display Last: How long the dashboard displays attacks after the attack terminates. That is, the dashboard displays all attacks that are currently ongoing or that terminated within the selected period.
Values:
• 10 Minutes
• 20 Minutes
• 30 Minutes
• 1 Hour
• 2 Hours
• 6 Hours
• 12 Hours
• 24 Hours
Default: 10 Minutes
Top Attacks to Display (This parameter is available only in the Ongoing Attacks Monitor.): The number of attacks that the Ongoing Attacks Monitor displays.
Values: 1–50
Default: 20
Sort By (This parameter is available only in the Ongoing Attacks Monitor.):
Values:
• Top Total Packet Count—The Ongoing Attacks Monitor displays the attacks with the highest number of packets.
• Top Volume—The Ongoing Attacks Monitor displays the attacks with the highest volume.
• Most Recent—The Ongoing Attacks Monitor displays the most recent attacks.
• Attack Risk—The Ongoing Attacks Monitor displays the attacks according to attack risk.
Default: Top Packet Count
To control the scope of the information that the Dashboard View displays
1. Click . Two tables open. One table has the Device Name and Port columns, and the
other table has the Device Name and Policy columns.
2. Do one of the following:
— To limit the physical ports or Network Protection policies that the dashboard displays, select
the corresponding checkboxes.
— To display the information for all the currently relevant physical ports or Network Protection
policies, click in the top-left table cell, and then, select Select All.
— To display all the information in the database, even information that is not associated with a
specific port or specific Network Protection policy, click in the top-left table cell, and then,
select Select None.
click (View Attack Details). For more information, see Attack Details, page 343
• Export the information in the table to a CSV file—To do this, click (CSV). Then, you
can view the file or specify the location and file name.
• Pause the refresh of the table display—To do this, click (Pause). When the table display
is not paused, it refreshes approximately every 15 seconds.
Parameter Description
Start Time: The date and time that the attack started.
Attack Category: The threat type to which this attack belongs.
Values:
• ACL
• Anomalies
• Anti-Scanning
• Bandwidth Management
• Behavioral DoS
• DNS Flood
• DoS
• HTTP Flood
• Intrusions
• Server Cracking
• Stateful ACL
• SYN Flood
Status: The last-reported status of the attack.
Values:
• Started—An attack containing more than one security event has been detected. (Some attacks contain multiple security events, such as DoS, Scans, and so on.)
• Occurred (Signature-based attacks)—Each packet matched with signatures was reported as an attack and dropped.
• Ongoing—The attack is currently taking place, the time between Started and Terminated (for attacks that contain multiple security events, such as DoS, Scans, and so on).
• Terminated—There are no more packets matching the characteristics of the attack, and the device reports that the attack has ended.
Risk: The predefined attack severity level (see Risk Levels, page 335).
Values:
• High
• Medium
• Low
• Info
Attack Name: The name of the detected attack.
Source Address: The source IP address of the attack. If there are multiple IP sources for an attack, this field displays Multiple. The multiple IP addresses are displayed in the Attack Details window. Multiple may also refer to cases when DefensePro cannot report a specific value.
The Search string can be any legal IPv4 or IPv6 address, and can include a wildcard (*).
Destination Address: The destination IP address of the attack. If there are multiple IP sources for an attack, this field displays Multiple. The multiple IP addresses are displayed in the Attack Details window. Multiple may also refer to cases when DefensePro cannot report a specific value.
Policy: The name of the configured Network Protection policy or Server Protection policy that was violated by this attack. To view or edit the policy for a specific attack, select the attack entry and click the (Go to Policy) button.
Radware ID: The unique attack identifier issued by the device.
Direction: The direction of the attack, inbound or outbound.
Values: in, out
Action Type: The reported action against the attack. The actions are specified in the protection profile, which may or may not be available or relevant for your system.
Values:
• Bypass—DefensePro does not protect against this attack, but rather, sends its data out of the device, and may report it.
• Challenge—DefensePro challenges the packet.
• Destination Reset—DefensePro sends a TCP-Reset packet to the destination IP address and port.
• Drop—DefensePro discards the packet.
• Drop & Quarantine—DefensePro discards the traffic and adds the destination to the Web quarantine.
• Forward—DefensePro continues to process the traffic and eventually forwards the packet to its destination.
• Proxy
• Quarantine—DefensePro adds the destination to the Web quarantine.
• Source Destination Reset—DefensePro sends a TCP-Reset packet to both the packet source IP and the packet destination IP address.
• Source Reset—DefensePro sends a TCP-Reset packet to the packet source IP address.
• Http 200 Ok—DefensePro sends a 200 OK response using a predefined page and leaves the server-side connection open.
• Http 200 Ok Reset Dest—DefensePro sends a 200 OK response using a predefined page and sends a TCP-Reset packet to the server side to close the connection.
• Http 403 Forbidden—DefensePro sends a 403 Forbidden response using a predefined page and leaves the server-side connection open.
• Http 403 Forbidden Reset Dest—DefensePro sends a 403 Forbidden response using a predefined page and sends a TCP-Reset packet to the server side to close the connection.
Total Packet Count: The number of identified attack packets from the beginning of the attack.
Volume¹: For most protections, this value is the volume of the attack, in kilobits, from when the attack started.
For SYN protection (SYN cookies), this value is the number of SYN packets dropped, multiplied by 60 bytes (the SYN packet size).
Device IP: The IP address of the attacked device.
Application Protocol¹: The transmission protocol used to send the attack.
Values:
• TCP
• UDP
• ICMP
• IP
MPLS RD: The Multi-protocol Label Switching Route Distinguisher in the policy that handled the attack. The value N/A or 0 (zero) in this field indicates that the MPLS RD is not available.
VLAN Tag / Context: The VLAN tag value or Context Group in the policy that handled the attack. The value N/A or 0 (zero) in this field indicates that the VLAN tag or Context Group is not available.
Note: The VLAN tag or Context Group identifies similar information in this field. DefensePro 6.x and 7.x versions support VLAN tags. DefensePro 8.x versions support Context Groups.
Destination Port: The Layer 4 destination port of the attack. If there are multiple destination L4 ports, this field displays Multiple. In cases when DefensePro cannot report a specific value, the field displays 0 (zero).
Physical Port¹: The port on the device at which the attack packets arrived. In cases when DefensePro cannot report a specific value, the field displays 0 (zero).
Source MSISDN: The MSISDN Resolution feature is not supported in APSolute Vision version 3.0 and later.
Destination MSISDN: The MSISDN Resolution feature is not supported in APSolute Vision version 3.0 and later.
The Ongoing Attacks Monitor is a graphical representation of current and recent attacks. Each icon in
the monitor represents a separate attack. The icon type (see the legend) represents the type of
protection that the attack violates. A flashing icon represents an ongoing attack. The horizontal
position of each icon in the chart indicates the attack risk (see Risk Levels, page 335). The vertical
position of the icon in the chart indicates the attack duration; the higher in the chart, the longer the
attack has existed. Attacks that have started recently are lower in the monitor. The icon size
indicates the amount of dropped data for the attack type relative to other attacks of the same type.
Hover the mouse over an icon to display summary information for the attack. Double-click an icon to
display detailed information for the attack. For more information, see Attack Details, page 343.
There are two Drop Intensity gauges: Packets and Bandwidth. The Packets gauge indicates the
proportion of dropped packets relative to the total packets. The Bandwidth gauge indicates the
proportion of dropped bandwidth relative to the total bandwidth (according to the license). The
gauges show the calculated ranges Low (up to 30% dropped), Medium (up to 70% dropped), and
High (more than 70% dropped).
Attack Details
An Attack Details tab is displayed when you double-click an attack in a Security Monitoring
Dashboard View.
APSolute Vision displays attack details for the following attacks:
• ACL (Black List) Details, page 345
• Anti-Scanning Details, page 345
• BDoS Attack Details, page 346
• DNS Flood Attack Details, page 349
• DoS Attack Details, page 350
• HTTP Flood Attack Details, page 351
For DefenseFlow Attack Details, only the Attack Details tab displays.
Each Attack Details tab includes two or more sub-tabs, which provide details on the attack. All
Attack Details tabs include the sub-tabs Attack Characteristics and the Attack Description. The
Attack Characteristics tab displays information that is also available in the hidden columns of the
Current Attacks Table. The Attack Description tab displays the information from the Attack
Descriptions file. An attack description is displayed only if the Attacks Description file has been
uploaded on the APSolute Vision server.
Notes
• To display hidden columns of the Current Attacks Table, click the (Table Settings) button and
then select the relevant checkbox. Click the button again to close the Table Settings list.
• For information about uploading the Attacks Description file, see Updating the Attack Description
File, page 309.
In addition to viewing the details of the attack, in each Attack Details tab, you can do the following:
• View sampled data from the attack—To do this, click (View Sampled Data). For more
information, see Sampled Data Tab, page 357.
• Export the information in the Attack Details tab to a CSV file—To do this, click (CSV). Then, you can view the file or specify the location and file name.
• Export the capture files related to the selected attack to a ZIP file—To do this, click
(Export Attack Capture Files), and enter a file name in the file selection dialog box.
Notes
— You can send the CAP file to a packet analyzer.
— Up to 255 bytes of packet information is saved in the CAP file. That is, DefensePro exports
full packets but APSolute Vision trims them to 255 bytes.
— The file is available only as long as it is displayed in the Current Attacks table.
— The file is created only if packet reporting is enabled in the protection configuration for the
profile that was violated.
— DefensePro exports only the last packet in a sequence that matches the filter. Furthermore,
if traffic matches a signature that consists of more than one packet, the reported packet will
not include the whole expression in the filter.
Parameter Description
Protocol The protocol that the attack uses or used.
Physical Port 1 The physical port that the attack uses or used.
1 – This parameter is not resolved, and the value Multiple is always displayed.
Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Anti-Scanning Details
Table 271: Anti-Scanning Attack Details: Characteristics Parameters
Parameter Description
Protocol The protocol that the attack uses or used.
Source L4 Port The source L4 port that the attack uses or used.
Physical Port The physical port that the attack uses or used.
Packet Count The packet count that the attack uses or used.
Volume (Kbits) The volume, in Kbits, that the attack uses or used.
VLAN The VLAN that the attack uses or used.
MPLS RD The MPLS RD that the attack uses or used.
Device IP The device IP address that the attack uses or used.
Parameter Description
Action: The protection Action taken.
Action Reason: Describes the difference between the configured action and the actual action.
Blocking Duration: The blocking duration, in seconds, of the attacker source IP address.
Estimated Release Time (Local): The estimated release time of the attacker in local time.
Avg. Time Between Probes: The average time between scan events in seconds.
Number of Probes: The number of scan events from the time the attack started.
Parameter Description
DST IP: The destination IP address of the scan.
DST L4 Port: The destination port of the scan.
TCP Flag (displayed only for TCP traffic): The TCP packet type.
ICMP Message Type (displayed only for ICMP traffic): The ICMP message type.
Parameter Description
The footprint blocking rule generated by the Anti-Scanning protection, which provides the
narrowest effective blocking rule against the scanning attack.
Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Parameter Description
Note: Some fields can display multiple values, when relevant and available. The values displayed
depend on the current stage of the attack. If a field is part of the dynamic signature (that is, a
specific value or values appear in all the attack traffic), the field displays the relevant value or
values.
Protocol The protocol that the attack uses or used.
Source L4 Port The source L4 port that the attack uses or used.
Physical Port The physical port that the attack uses or used.
Packet Count The packet count of the attack.
Volume (Kbits) The volume, in Kbits, that the attack uses or used.
VLAN Tag / Context The VLAN tag value or Context Group in the policy that handled the attack.
Note: The VLAN tag and the Context Group carry the same kind of information in this field. DefensePro 6.x and 7.x versions use VLAN tags; DefensePro 8.x versions use Context Groups.
MPLS RD The MPLS RD that the attack uses or used.
Device IP The device IP address that the attack uses or used.
TTL The TTL that the attack uses or used.
L4 Checksum The L4 checksum that the attack uses or used.
Parameter Description
TCP Sequence Number The TCP sequence number that the attack uses or used.
IP ID Number The IP ID number that the attack uses or used.
Fragmentation Offset The fragmentation offset that the attack uses or used.
Fragmentation Flag The IP fragmentation (Don't Fragment) flag that the attack uses or used. 0 indicates that fragmentation is allowed; 1 indicates that fragmentation is not allowed.
Flow Label (IPv6 only) The flow label that the attack uses or used.
ToS The ToS that the attack uses or used.
Packet Size The packet size that the attack uses or used.
ICMP Message Type The ICMP message type that the attack uses or used. (Displayed only if the protocol is ICMP.)
Source IP The source IP address that the attack uses or used.
Destination IP The destination IP address that the attack uses or used.
Source Ports The source ports that the attack uses or used.
Destination Ports The destination ports that the attack uses or used.
DNS ID The DNS ID that the attack uses or used.
DNS Query The DNS query that the attack uses or used.
DNS Query Count The DNS query count that the attack uses or used.
Parameter Description
Packet Size Anomaly Region The statistical region of the attack packets relative to the normal packet-size baseline for the policy. The average packet size is bandwidth divided by packet rate, so the region is derived from the ratio of the attack packet size to the baseline packet size:
{(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)}
Values:
• Large Packets—The attack packets are approximately 15% or more larger than the normal packet-size baseline for the policy.
• Normal Packets—The attack packets are within approximately 15% either side of the normal packet-size baseline for the policy.
• Small Packets—The attack packets are approximately 15% or more smaller than the normal packet-size baseline for the policy.
Parameter Description
State The state of the protection process.
Values:
• Footprints Analysis—Behavioral DoS Protection has detected an
attack and is currently determining an attack footprint.
• Blocking—Behavioral DoS Protection is blocking the attack based
on the attack footprint created. Through a closed feedback loop
operation, the Behavioral DoS Protection optimizes the footprint
rule, achieving the narrowest effective mitigation rule.
• Non-attack—Nothing was blocked because the traffic was not an
attack—no footprint was detected or the blocking strictness level
was not met.
Parameter Description
The footprint blocking rule generated by the Behavioral DoS Protection, which provides the
narrowest effective blocking rule against the flood attack.
Parameter Description
This table displays attack traffic (Anomaly) and normal traffic information. Red indicates real-time
values identified as suspicious in the 15 seconds prior to when the attack was triggered. Black
indicates the learned normal traffic baselines. Table columns are displayed according to the
protocols: TCP (includes all flags), UDP, or ICMP.
Parameter Description
The graph displays a snapshot of the relevant traffic type for the 15-second period during which the
attack was triggered. For example, during a UDP flood, just UDP traffic is represented. The blue line
represents the normal adapted traffic baseline.
Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Parameter Description
Note: Some fields can display multiple values, when relevant and available. The values
displayed depend on the current stage of the attack. If a field is part of the dynamic signature
(that is, a specific value or values appear in all the attack traffic), the field displays the relevant
value or values.
Protocol The protocol that the attack uses or used.
Source L4 Port The source L4 port that the attack uses or used.
Physical Port The physical port that the attack uses or used.
Packet Count The packet count of the attack.
Volume (Kbits) The volume, in Kbits, that the attack uses or used.
VLAN Tag / Context The VLAN tag value or Context Group in the policy that handled the attack.
Note: The VLAN tag and the Context Group carry the same kind of information in this field. DefensePro 6.x and 7.x versions use VLAN tags; DefensePro 8.x versions use Context Groups.
MPLS RD The MPLS RD that the attack uses or used.
Device IP The device IP address that the attack uses or used.
TTL The TTL that the attack uses or used.
L4 Checksum The L4 checksum that the attack uses or used.
IP ID Number The IP ID number that the attack uses or used.
Packet Size The packet size that the attack uses or used.
Destination IP The destination IP address that the attack uses or used.
Destination Ports The destination ports that the attack uses or used.
DNS ID The DNS ID that the attack uses or used.
DNS Query The DNS query that the attack uses or used.
DNS Query Count The DNS query count that the attack uses or used.
DNS An Query Count The DNS An query count that the attack uses or used.
Parameter Description
State The state of the protection process.
Mitigation Action The mitigation action.
Values:
• Signature Challenge
• Signature Rate Limit
• Collective Challenge
• Collective Rate Limit
Parameter Description
The footprint blocking rule that the Behavioral DoS Protection generated. The footprint blocking
rule provides the narrowest effective blocking rule against the flood attack.
Parameter Description
This table displays attack traffic (Anomaly) and normal traffic information. Red indicates real-time
values identified as suspicious in the 15 seconds prior to when the attack was triggered. Black
indicates the learned normal traffic baselines. Table columns are displayed according to the DNS
query types: A, MX, PTR, AAAA, Text, SOA, NAPTR, SRV, Other.
Parameter Description
The graph displays a snapshot of the relevant traffic type for the 15-second period during which
the attack was triggered. For example, during a UDP flood, just UDP traffic is represented. The blue
line represents the normal adapted traffic baseline.
Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Parameter Description
Protocol The protocol that the attack uses or used.
Physical Port The physical Port that the attack uses or used.
Packet Count The packet count of the attack.
VLAN Tag / Context The VLAN tag value or Context Group in the policy that handled the attack.
Note: The VLAN tag and the Context Group carry the same kind of information in this field. DefensePro 6.x and 7.x versions use VLAN tags; DefensePro 8.x versions use Context Groups.
MPLS RD The MPLS RD that the attack uses or used.
Device IP The device IP address that the attack uses or used.
Parameter Description
Action The protection Action taken.
Attacker IP The IP address of the attacker.
Protected Host The protected host.
Parameter Description
Protected Port The protected port.
Attack Duration The duration of the attack.
Current Packet Rate The current packet rate.
Average Packet Rate The average packet rate.
Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Parameter Description
Note: Some fields can display multiple values, when relevant and available. The values
displayed depend on the current stage of the attack. If a field is part of the dynamic signature
(that is, a specific value or values appear in all the attack traffic), the field displays the relevant
value or values.
Protocol The protocol that the attack uses or used.
Source L4 Port The source L4 port that the attack uses or used.
Physical Port The physical port that the attack uses or used.
Packet Count The packet count of the attack.
Volume (Kbits) The volume, in Kbits, that the attack uses or used.
VLAN The VLAN that the attack uses or used.
MPLS RD The MPLS RD that the attack uses or used.
Device IP The device IP address that the attack uses or used.
Parameter Description
Protection State The state of the protection process.
Values:
• Characterization—The protection module is analyzing the
attack footprint.
• Mitigation—The protection module is mitigating the attack
according to the profile configuration.
• Suspicious Activities—The protection module identified the
attack but cannot mitigate it.
Mitigation Flow The configuration of the mitigation flow for the profile.
Values:
• Default—The mitigation flow for the profile is configured to
use all three mitigation actions, which are selected by default:
1-Challenge Suspects, 2-Challenge All, 3-Block Suspects.
• Customized—The mitigation flow for the profile is not
configured to use all three mitigation actions.
Action The current action that protection module is using to mitigate the
attack.
Values:
• Challenge Suspected Attackers—The protection module is
challenging HTTP sources that match the real-time signature.
• Challenge All Sources—The protection module is challenging
all HTTP traffic toward the protected server.
• Block Suspected Attackers—The protection module is
blocking all HTTP traffic from the suspect sources (that is,
sources that match the signature).
• No Mitigation—The protection module is in the Suspicious
Activities state and is not mitigating the attack.
Challenge Method The user-specified Challenge Mode: 302 Redirect or JavaScript.
Suspicious Sources The number of sources that the protection module suspects as
being malicious.
Challenged Sources The number of sources that the protection module identified as attackers and is currently challenging.
Blocked Sources The number of sources that the protection module identified as attackers and is currently blocking.
HTTP Authentication Table Utilization [%] The percentage of the HTTP Authentication Table that is full.
Parameter Description
Source IP address The source IP addresses that were mitigated as attackers. Up to 40 different IP addresses can be viewed.
Note: When the HTTP flood attack is widely distributed, that is, more than 1000 source IP addresses, the system does not use any source IP address in the blocking rule. Mitigation in that case takes place only if the URI Only blocking mode option is enabled.
Request URI The HTTP request URIs that took part in the HTTP flood attack and
were mitigated.
Bypassed / Blocked Usually the value displayed is Blocked. The value is Bypassed only when the HTTP request URI was configured to be bypassed.
Parameter Description
This table displays attack traffic (Anomaly) and normal traffic information. Red indicates real-time
values identified as suspicious in the 15 seconds prior to when the attack was triggered. Black
indicates the learned normal traffic baselines.
Table columns:
• Statistic Type—Anomaly or Normal
• Get and Post Requests/sec
• Other HTTP Requests/sec
• Outbound Kbps
• GET and POST per source/sec
• GET and POST per connection
Parameter Description
The graph displays the HTTP request URI size distribution. The y-axis shows the number of HTTP
requests per second that refers to GET and POST request methods, and the x-axis shows the
Request URI size in bytes. The blue line represents the normal expected HTTP request rates and the
orange line represents the real-time rate values identified when the attack was triggered.
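The URI-size distribution that the graph plots can be rebuilt from request logs. The following is an added example, not code from the guide or from Radware: it bins GET and POST requests by Request URI size, computes requests per second per bin for a learned period and for the real-time snapshot, and reports bins whose rate jumped. The 16-byte bin width, the 15-second sample length, the 5x trigger factor and the request lines are all assumptions constructed for the example.

```python
"""Request URI size distribution: learned baseline versus real-time rate.

Added example, not Radware's code. The guide says only that the graph plots
GET/POST requests per second against Request URI size in bytes; the 16-byte
bins, the 15-second sample length and the 5x trigger factor are assumptions,
and the request lines below are constructed.
"""
from collections import Counter

BIN_BYTES = 16          # assumption: width of one x-axis bucket
SAMPLE_SECONDS = 15     # the guide's 15-second snapshot window


def uri_size_bin(uri: str) -> int:
    """Lower edge of the bucket that a URI's byte length falls into."""
    return (len(uri.encode("utf-8")) // BIN_BYTES) * BIN_BYTES


def requests_per_second_by_bin(requests, seconds: int = SAMPLE_SECONDS) -> dict:
    """Rate of GET and POST requests per URI-size bucket; other methods are
    ignored, as on the graph."""
    counts = Counter(uri_size_bin(uri) for method, uri in requests
                     if method in ("GET", "POST"))
    return {b: counts[b] / seconds for b in sorted(counts)}


def anomalous_bins(baseline: dict, realtime: dict, factor: float = 5.0,
                   floor: float = 0.1) -> list:
    """Buckets whose real-time rate is `factor` times the baseline rate.
    A bucket that never appeared in the baseline is compared against `floor`
    so that a previously unseen URI size is still reported."""
    return sorted(b for b, rate in realtime.items()
                  if rate >= factor * max(baseline.get(b, 0.0), floor))


# Constructed traffic: 15 s of normal requests, then the same plus a flood of
# long search URIs such as a real-time snapshot would show.
NORMAL_REQUESTS = ([("GET", "/index.html")] * 60
                   + [("GET", "/images/logo.png")] * 30
                   + [("POST", "/api/login")] * 30
                   + [("HEAD", "/index.html")] * 10)   # not GET/POST: ignored
FLOOD_REQUESTS = NORMAL_REQUESTS + [("GET", "/search?q=" + "a" * 40)] * 1500


def flagged_uri_sizes() -> list:
    """Bins where the constructed flood departs from the constructed baseline."""
    baseline = requests_per_second_by_bin(NORMAL_REQUESTS)
    realtime = requests_per_second_by_bin(FLOOD_REQUESTS)
    return anomalous_bins(baseline, realtime)


if __name__ == "__main__":
    print(requests_per_second_by_bin(NORMAL_REQUESTS))   # {0: 6.0, 16: 2.0}
    print(flagged_uri_sizes())                            # [48]
```

The flood adds 100 requests per second in a bin the baseline never contained, while the bins the normal traffic occupies stay at their learned rate, which is the shape the guide's orange-over-blue graph shows.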
Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Parameter Description
Protocol The protocol that the attack uses or used.
Physical Port The physical port that the attack uses or used. (This parameter is not resolved; the value Multiple is always displayed.)
Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Parameter Description
Protocol The protocol that the attack uses or used.
Physical Port The physical port that the attack uses or used. (This parameter is not resolved; the value Multiple is always displayed.)
Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Parameter Description
Protocol The protocol that the attack uses or used.
Source L4 Port The source L4 port that the attack uses or used.
Physical Port The physical port that the attack uses or used.
Packet Count The packet count of the attack.
Volume (Kbits) The volume, in Kbits, that the attack uses or used.
VLAN The VLAN that the attack uses or used.
MPLS RD The MPLS RD that the attack uses or used.
Device IP The device IP address that the attack uses or used.
Parameter Description
Blocking Duration The blocking duration, in seconds, of the attacker source IP
address.
Estimated Release Time The estimated release time of attacker in local time.
Avg. Time Between Probes The average time between scan events in seconds.
Number of Probes The number of scan events from the time the attack started.
Parameter Description
Requests Details When a server-cracking attack is detected, DefensePro sends sample suspicious “attacker” requests to the management system to provide more information on the nature of the attack. The sample requests are sent for the following protocols and attack types.
Values:
• Web Scan—Sample HTTP requests.
• Web Cracking—Username and Password.
• SIP—SIP user (SIP URI).
• FTP—Username (if sent in the same request) and Password.
• POP3—Username (if sent in the same request) and Password.
Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Parameter Description
Protocol The protocol that the attack uses or used.
Physical Port The physical port that the attack uses or used. (This parameter is not resolved; the value Multiple is always displayed.)
Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Parameter Description
Protocol The protocol that the attack uses or used.
Physical Port The physical Port that the attack uses or used.
Packet Count The packet count of the attack.
Volume (Kbits) The volume, in Kbits, that the attack uses or used.
VLAN Tag / Context The VLAN tag value or Context Group in the policy that handled the attack.
Note: The VLAN tag and the Context Group carry the same kind of information in this field. DefensePro 6.x and 7.x versions use VLAN tags; DefensePro 8.x versions use Context Groups.
MPLS RD The MPLS RD that the attack uses or used.
Parameter Description
This information is displayed only when the protection action is in blocking mode.
Caution: If SYN Protection is configured with report-only mode, the fields Average Attack Rate, Attack Threshold, and Attack Volume display 0 (zero).
Average Attack Rate The average rate of spoofed SYNs and data connection attempts per second, recalculated every 10 seconds.
Attack Threshold The configured attack trigger threshold, in half connections per second.
Parameter Description
Attack Volume The number of packets from spoofed TCP connections during the
attack life cycle (aggregated). These packets are from the
sessions that were established through the SYN-cookies
mechanism or were passed through the SYN protection trusted
list.
Attack Duration The duration, in hh:mm:ss format, of the attack on the protected
port.
TCP Challenge The Authentication Method that identified the attack: Transparent
Proxy or Safe-Reset.
HTTP Challenge The HTTP Authentication Method that identified the attack: 302-
Redirect or JavaScript.
Table 309: SYN Flood Attack Details: Authentication Lists Utilization Parameters
Parameter Description
TCP Auth. List The current utilization, in percent, of the TCP Authentication
table.
HTTP Auth. List The current utilization, in percent, of the HTTP Authentication table.
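The two figures above, an Attack Threshold in half connections per second and an Average Attack Rate recomputed every 10 seconds, can be reproduced from a packet trace. The following is an added example, not code from the guide or from Radware: it counts SYNs that no ACK on the same 4-tuple ever completed, averages them per 10-second window and reports the windows that reach a configured threshold. The events are constructed, and the completion rule (a SYN stays a half connection until an ACK arrives on the same 4-tuple) is an assumption; the guide does not describe the appliance's matching logic or its SYN-cookie handling.

```python
"""Half-connection rate over 10-second windows, as a SYN-flood trigger check.

Added example, not Radware's code. The events are constructed, and the rule
used here (a SYN counts as a half connection until an ACK arrives on the same
4-tuple) is an assumption about how the appliance pairs the two.
"""
from collections import defaultdict

WINDOW_SECONDS = 10


def half_open_syn_times(events) -> list:
    """Timestamps of SYNs that no later ACK on the same 4-tuple completed.
    events: iterable of (timestamp, flow, flag) where flow is
    (src_ip, src_port, dst_ip, dst_port) and flag is "SYN" or "ACK"."""
    pending = {}
    for ts, flow, flag in sorted(events, key=lambda e: e[0]):
        if flag == "SYN":
            pending[flow] = ts
        elif flag == "ACK":
            pending.pop(flow, None)    # handshake completed: not a half connection
    return sorted(pending.values())


def average_half_connection_rates(events, window: int = WINDOW_SECONDS) -> dict:
    """Average half connections per second, keyed by window start time."""
    counts = defaultdict(int)
    for ts in half_open_syn_times(events):
        counts[(int(ts) // window) * window] += 1
    return {start: counts[start] / window for start in sorted(counts)}


def triggered_windows(events, threshold_hcps: float, window: int = WINDOW_SECONDS) -> list:
    """Window start times whose average rate reaches the configured threshold."""
    return [start for start, rate in average_half_connection_rates(events, window).items()
            if rate >= threshold_hcps]


def constructed_events() -> list:
    """Five completed handshakes in the first window, then 300 spoofed SYNs
    from varied sources in the second window that are never completed."""
    events = []
    for i in range(5):
        flow = ("198.51.100.%d" % (10 + i), 40000 + i, "203.0.113.10", 80)
        events.append((1.0 + i, flow, "SYN"))
        events.append((1.5 + i, flow, "ACK"))
    for i in range(300):
        flow = ("192.0.2.%d" % (i % 250), 1024 + i, "203.0.113.10", 80)
        events.append((10.0 + i * 0.03, flow, "SYN"))
    return events


if __name__ == "__main__":
    print(average_half_connection_rates(constructed_events()))        # {10: 30.0}
    print(triggered_windows(constructed_events(), threshold_hcps=25.0))  # [10]
```

The first window shows no half connections at all because every SYN was completed, which is why a legitimate burst of new connections does not trip the threshold; only the window of uncompleted SYNs reaches the 25 half-connections-per-second trigger.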
Parameter Description
The description of the attack from the Attack Descriptions file, if it is uploaded on the APSolute
Vision server.
Note: APSolute Vision stores sampled attack data, which includes the source and destination
addresses of the sampled packets. This information reflects a sampling of the attack packets; it does
not reflect the full attack data. For example, it is possible that the source IP addresses of the
sampled data do not include all of the source addresses of the attack.
The table in the Sampled Data tab comprises the following columns:
• Time
• Source Address
• Source L4 Port
• Destination Address
• Destination L4 Port
• Protocol
• VLAN / Context
• MPLS RD
• Physical Port
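A quick way to read an exported Sampled Data table is to summarise it with the caveat above built in. The following is an added example, not code from the guide or from Radware: it parses rows with the nine columns listed, counts sampled packets, distinct sources, top targets and protocols, and lists sampled sources that fall inside a given prefix (a source claiming to be inside the protected range is worth checking for spoofing). The rows are constructed, and CSV with these column names as the export format is an assumption; the guide does not describe the export format. Because the data is a sample, every count is a lower bound.

```python
"""Summarise the Sampled Data tab for an attack.

Added example, not Radware's code. The rows are constructed with the nine
columns the tab lists; CSV as the export format is an assumption. Because
APSolute Vision stores a sample, every figure here is a lower bound on the
real attack, never the full source set.
"""
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

COLUMNS = ["Time", "Source Address", "Source L4 Port", "Destination Address",
           "Destination L4 Port", "Protocol", "VLAN / Context", "MPLS RD",
           "Physical Port"]

# Constructed sample: three sources hitting a web server, one UDP/53 packet
# whose source sits inside the protected 203.0.113.0/24 range.
SAMPLED_DATA = """\
Time,Source Address,Source L4 Port,Destination Address,Destination L4 Port,Protocol,VLAN / Context,MPLS RD,Physical Port
2016-05-01 10:00:00,198.51.100.7,40111,203.0.113.10,80,TCP,100,,1
2016-05-01 10:00:00,198.51.100.7,40112,203.0.113.10,80,TCP,100,,1
2016-05-01 10:00:01,198.51.100.23,51000,203.0.113.10,80,TCP,100,,1
2016-05-01 10:00:01,192.0.2.99,1024,203.0.113.10,80,TCP,100,,1
2016-05-01 10:00:02,203.0.113.5,53,203.0.113.10,53,UDP,100,,1
2016-05-01 10:00:02,198.51.100.7,40113,203.0.113.10,443,TCP,100,,1
"""


def parse_sampled_data(text: str) -> list:
    """Rows as dicts keyed by column name; rejects an export missing a column."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("missing columns: %s" % ", ".join(missing))
    return list(reader)


def summarise(rows: list) -> dict:
    """Counts over the sample; unique_sources is a lower bound, not the attack's size."""
    sources = Counter(r["Source Address"] for r in rows)
    targets = Counter((r["Destination Address"], r["Destination L4 Port"], r["Protocol"])
                      for r in rows)
    return {
        "sampled_packets": len(rows),
        "unique_sources": len(sources),
        "top_sources": sources.most_common(3),
        "top_targets": targets.most_common(3),
        "protocols": dict(Counter(r["Protocol"] for r in rows)),
    }


def sources_inside(rows: list, networks: list) -> list:
    """Sampled sources that fall inside the given prefixes, for a spoofing check."""
    nets = [ip_network(n) for n in networks]
    return sorted({r["Source Address"] for r in rows
                   if any(ip_address(r["Source Address"]) in n for n in nets)})


def summarise_constructed() -> dict:
    return summarise(parse_sampled_data(SAMPLED_DATA))


def inside_protected_constructed() -> list:
    return sources_inside(parse_sampled_data(SAMPLED_DATA), ["203.0.113.0/24"])


if __name__ == "__main__":
    print(summarise_constructed())
    print(inside_protected_constructed())   # ['203.0.113.5']
```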
You can monitor the following traffic information in the Traffic Monitoring tab:
• Viewing the Traffic Utilization Report, page 359
• Viewing the Connection Rate Report, page 364
• Viewing the Concurrent Connections Report, page 366
Caution: When the value of the Scope parameter is Devices/Policies (see Table 311 - Traffic
Utilization Report: Display Parameters for Graph and Table, page 360), during the Update
Policies process, the Statistics Graph momentarily displays Traffic Utilization as 0 (zero).
Tip: To get the current traffic rate in packets or bytes per second (calculated as the average rate in
15 seconds), you can use the following CLI command on the DefensePro device:
dp rtm-stats get [port number]
Note: For packets received through the 1G, 10G, or 40G ports, packet-size information and
counters do not account for the CRC.
Table 311: Traffic Utilization Report: Display Parameters for Graph and Table
Parameter Description
Scope (This is a link that displays the table.) The physical ports or the Network Protection policies that the Traffic Utilization Report displays.
By default, the Scope is Any Port or Any Policy (depending on the specified value in the Scope drop-down list). That is, by default, the Traffic Utilization Report displays all the information.
To control the scope of the information that the report shows, see the procedure To control the scope of the information that the report shows, page 361.
Caution: The scope for DefensePro platforms without the DME can be only according to physical ports, not Network Protection policies.
Display Last How long the graph displays attacks after the attack terminates. That is, the
graph displays all attacks that are currently ongoing or that terminated
within the selected period.
Values:
• 10 Minutes
• 20 Minutes
• 30 Minutes
• 1 Hour
Default: 10 Minutes
Scope (This is a drop-down list.) The scope of the graph view.
Values:
• Devices/Physical Ports—The graph shows traffic according to physical ports on the specified device.
• Devices/Policies—The graph shows traffic according to Network Protection policies on the specified device.
Default: Devices/Physical Ports
Units The units for the traffic rate.
Values:
• Kbps—Kilobits per second
• Packet/Sec—Packets per second
1. Click the Scope link. A table opens. The table has either the Device Name and Port columns or the Device Name and Policy columns, according to the specified value in the Scope drop-down list: Devices/Physical Ports or Devices/Policies.
2. Do one of the following:
— To limit the physical ports or Network Protection policies that the report displays, select the
corresponding checkboxes.
— To display the information for all the currently relevant physical ports or Network Protection
policies, click in the top-left table cell, and then, select Select All.
— To display all the information in the database, even information that is not associated with a
specific port or specific Network Protection policy, click in the top-left table cell, and then,
select Select None.
Table 312: Traffic Utilization Report: Filter Parameters for the Traffic Statistics Graph
Parameter Description
Direction The traffic that the graph shows.
Values:
• Inbound—Show inbound traffic.
• Outbound—Show outbound traffic.
• Both—Show inbound and outbound traffic. Data for inbound and
outbound are displayed as separate lines, not as totals.
Note: The direction of traffic between a pair of ports is defined by the
In Port setting in the port pair configuration.
Protocol The traffic protocol to display.
Values:
• TCP—Show the statistics of the TCP traffic.
• UDP—Show the statistics of the UDP traffic.
• ICMP—Show the statistics of the ICMP traffic.
• IGMP—Show the statistics of the IGMP traffic.
• SCTP—Show the statistics of the SCTP traffic.
• Other—Show the statistics of the traffic that is not TCP, UDP, ICMP,
IGMP, or SCTP.
• All—Show total traffic statistics.
Parameter Description
Protocol The protocol for the statistics displayed in the row.
Values: HTTP, TCP, DNS
Current Attacks The number of attacks currently in the device.
Authentication Table Utilization % The percentage of the Authentication Table that is full.
Challenges Rate The rate, in PPS, that the device is sending challenges.
Parameter Description
Protocol The traffic protocol.
Values:
• TCP
• UDP
• ICMP
• IGMP
• SCTP
• Other—The statistics of the traffic that is not TCP, UDP, ICMP, IGMP, or
SCTP.
• All—Total traffic statistics.
Inbound The amount of inbound traffic for the protocol identified in the row.
Outbound The amount of outbound traffic for the protocol identified in the row.
Discarded Inbound The amount of discarded inbound traffic for the protocol identified in the row.
Discarded Outbound The amount of discarded outbound traffic for the protocol identified in the
row.
Discard % The percentage of discarded traffic for the protocol identified in the row.
Excluded Inbound The amount of excluded inbound traffic for the protocol identified in the row.
Excluded Outbound The amount of excluded outbound traffic for the protocol identified in the
row.
Parameter Description
Scope (This is a link that displays the table.) The physical ports and the Network Protection policies that the Connection Rate Report shows.
By default, the Scope is Any Port or Any Policy (depending on the specified value in the Scope drop-down list). That is, by default, the Connection Rate Report displays all the information.
To control the scope of the information that the report shows, see the procedure To control the scope of the information that the report shows, page 365.
Caution: The scope for DefensePro platforms without the DME can be only according to physical ports, not Network Protection policies.
Display Last How long the graph displays attacks after the attack terminates. That is, the
graph displays all attacks that are currently ongoing or that terminated
within the selected period.
Values:
• 10 Minutes
• 20 Minutes
• 30 Minutes
• 1 Hour
Default: 10 Minutes
Scope (This is a drop-down list.) The scope of the graph view.
Values:
• Devices/Physical Ports—The graph shows traffic according to physical ports on the specified device.
• Devices/Network Policies—The graph shows traffic according to Network Protection policies on the specified device.
Default: Devices/Physical Ports
Caution: In 8.x versions, the Connection Rate Report works only when the Scope is Devices/Network Policies.
Parameter Description
Direction Values:
• Both—Show both inbound traffic and outbound traffic. Data for inbound
and outbound are displayed as separate lines, not as totals.
• Inbound—Show only inbound traffic.
• Outbound—Show only outbound traffic.
Note: The direction of traffic between a pair of ports is defined by the In
Port setting in the port pair configuration.
Protocol The traffic protocol to display.
When you select All, total traffic statistics are displayed.
Select Port Pair (This button is displayed only when the Scope is Devices/Physical Ports.) Opens the Select Port Pairs dialog box. Select the port pairs relevant for the network topology by moving the required port pairs to the Selected Port Pairs list. All other port pairs should be in the Available Port Pairs list.
Note: You can select port pairs for each direction; however, Radware recommends that you select a port pair in one direction only, and display traffic for both directions, if required. If you select port pairs in both directions, and traffic for both directions, the graph displays the same traffic twice.
Select Policies (This button is displayed only when the Scope is Devices/Policies.) Opens the Select Policies dialog box. Select the Network Protection policies relevant for the network topology by moving the required policies to the Selected Policies list.
1. Click the Scope link. A table opens. The table has either the Device Name and Port columns or the Device Name and Policy columns, according to the specified value in the Scope drop-down list: Devices/Physical Ports or Devices/Policies.
2. Do one of the following:
— To limit the physical ports or Network Protection policies that the report displays, select the
corresponding checkboxes.
— To display the information for all the currently relevant physical ports or Network Protection
policies, click in the top-left table cell, and then, select Select All.
— To display all the information in the database, even information that is not associated with a
specific port or specific Network Protection policy, click in the top-left table cell, and then,
select Select None.
Note: For packets received through the 1G, 10G, or 40G ports, packet-size information and
counters do not account for the CRC.
Parameter Description
Display Last How long the graph displays attacks after the attack terminates. That is, the
graph displays all attacks that are currently ongoing or that terminated
within the selected period.
Values:
• 10 Minutes
• 20 Minutes
• 30 Minutes
• 1 Hour
Default: 10 Minutes
Protocol The traffic protocol to display.
When you select All, total traffic statistics are displayed.
Protection Monitoring
Protection Monitoring provides the real-time traffic monitoring per network policy, either for the
network as a whole—if BDoS is configured, or for DNS traffic—if DNS is configured. The statistical
traffic information that Protection Monitoring provides can help you better understand the traffic that
flows through the protected network, how the configured protection is working, and, most
importantly, how anomalous traffic is detected.
For information about displaying protection information for a selected device, see the following:
• Displaying Attack Status Information, page 367
• Monitoring BDoS Traffic, page 367
• Monitoring DNS Traffic, page 370
Caution: When traffic matches multiple Network Protection policies with Out-of-State protection,
the value that APSolute Vision displays for the total dropped traffic represents the sum of all
dropped traffic for all relevant Network Protection policies. This is because when traffic matches
multiple Network Protection policies with Out-of-State protection, all those Network Protection
policies count the same dropped traffic.
To display traffic information for a Network Policy that includes BDoS protection
1. In the Security Monitoring perspective, select the device to monitor.
2. Select Protection Monitoring > BDoS Traffic Monitoring Reports.
3. Configure the scope for the display of the BDoS Traffic Statistics graph and Last Sample
Statistics table.
Statistics Graph
The graph displays the traffic rates for the selected Network Protection policy according to the specified parameters.
Table 318: Scope Parameters for the Statistics Graph and Last Sample Statistics Table
Parameter Description
Scope The Network Protection policy. The list only displays policies that are
configured with a BDoS profile.
Display Last How long the graph displays attacks after the attack terminates. That is, the
graph displays all attacks that are currently ongoing or that terminated
within the selected period.
Values:
• 10 Minutes
• 20 Minutes
• 30 Minutes
• 1 Hour
Default: 10 Minutes
Direction The direction of the traffic that the Statistics Graph and Last Sample
Statistics table display.
Values: Inbound, Outbound
Units The unit according to which the Statistics Graph and Last Sample Statistics
table display the traffic.
Values:
• Kbps—Kilobits per second
• Packets/Sec—Packets per second
Parameter Description
IP Version The IP version of the traffic that the graph displays.
Values: IPv4, IPv6
Protection Type The protection type to monitor.
Values:
• TCP ACK FIN
• TCP FRAG
• TCP RST
• TCP SYN
• TCP SYN ACK
• UDP
• UDP FRAG
• ICMP
• IGMP
Scale The scale for the presentation of the information along the Y-axis.
Values: Linear, Logarithmic
Attack Status (Read-only) The status of the attack.
Line Description
Total Traffic (dark blue) The total traffic that the device sees for the specific protection type and direction.
Legitimate Traffic (light blue) The actual forwarded traffic rate, after DefensePro blocked the attack.
When there is no attack, the Total Traffic and Legitimate Traffic are equal.
Normal Edge (dashed green) The statistically calculated baseline traffic rate.
Suspected Edge (dashed orange) The traffic rate that indicates a change in traffic that might be an attack.
Caution: DefensePro reports the Suspected Edge in Kbps only. The graph displays the Suspected Edge only when the Scope parameter Units is Kbps (see Table 318 - Scope Parameters for the Statistics Graph and Last Sample Statistics Table). When the Scope parameter Units is Packets/Sec, the graph does not display the Suspected Edge.
Attack Edge (dashed red) The traffic rate that indicates an attack.
Caution: DefensePro reports the Attack Edge in Kbps only. The graph displays the Attack Edge only when the Scope parameter Units is Kbps (see Table 318 - Scope Parameters for the Statistics Graph and Last Sample Statistics Table). When the Scope parameter Units is Packets/Sec, the graph does not display the Attack Edge.
Parameter Description
Traffic Type The protection type. Each specific traffic type and direction has a baseline
that the device learns automatically.
Baseline The normal traffic rate expected by the device.
Total Traffic The total traffic rate that the DefensePro device sees for the specific traffic
type and direction.
Baseline Portion % An indication for the rate invariant baseline—that is, the normal percentage
of the specific traffic type to all other traffic in the same direction.
RT Portion % The actual percentage of the specific traffic type relative to all other traffic in
the same direction.
Legitimate Traffic The actual forwarded traffic rate, after the device blocked the attack.
When there is no attack, the Total Traffic and Legitimate Traffic are equal.
Legitimate Portion % The actual percentage of the forwarded traffic rate of the specified type
relative to other types of traffic, after the device blocked the attack.
Degree of Attack A numeric value that evaluates the current level of attack. A value of 8 or
greater signifies an attack.
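The columns of the Last Sample Statistics table, and the Packet Size Anomaly Region ratio given earlier in the attack-details parameters, can both be worked through on a small snapshot. The following is an added example, not code from the guide or from Radware: it computes Baseline Portion %, RT Portion % and Legitimate Portion % per traffic type for one direction, flags types whose share of traffic jumped relative to their baseline share (the rate-invariant view), and bands the packet-size ratio {(AnomalyBandwidth/AnomalyPPS)/(NormalBandwidth/NormalPPS)} into Large, Normal and Small. The per-type rates are constructed, the exact 15% band edges and the 3x share factor are assumptions, and the Degree of Attack is computed by the appliance and is deliberately not modelled.

```python
"""Worked BDoS statistics: rate-invariant portions and packet-size anomaly region.

Added example, not Radware's code. The snapshot is constructed; the 15% band
edges and the share factor are assumptions; Degree of Attack is not modelled.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class TypeSample:
    traffic_type: str
    baseline_kbps: float     # learned normal rate for this type and direction
    total_kbps: float        # real-time rate the device sees
    legitimate_kbps: float   # forwarded after blocking; equals total when no attack


def portion_percent(part: float, whole: float) -> float:
    """Share of `part` in `whole` as a percentage; 0.0 when there is no traffic."""
    return 0.0 if whole <= 0 else round(100.0 * part / whole, 2)


def last_sample_rows(samples) -> dict:
    """The three portion columns, per traffic type, for one direction."""
    baseline_sum = sum(s.baseline_kbps for s in samples)
    total_sum = sum(s.total_kbps for s in samples)
    legit_sum = sum(s.legitimate_kbps for s in samples)
    return {
        s.traffic_type: {
            "baseline_portion": portion_percent(s.baseline_kbps, baseline_sum),
            "rt_portion": portion_percent(s.total_kbps, total_sum),
            "legitimate_portion": portion_percent(s.legitimate_kbps, legit_sum),
        }
        for s in samples
    }


def rate_invariant_suspects(samples, factor: float = 3.0) -> list:
    """Types whose real-time share of the direction's traffic is `factor` times
    their baseline share. The factor is illustrative, not the appliance's
    Degree of Attack logic."""
    rows = last_sample_rows(samples)
    return [t for t, r in rows.items()
            if r["baseline_portion"] > 0
            and r["rt_portion"] >= factor * r["baseline_portion"]]


LARGE_RATIO = 1.15   # assumption: "approximately 15% larger"
SMALL_RATIO = 0.85   # assumption: "approximately 15% smaller"


def average_packet_bytes(bandwidth_kbps: float, pps: float) -> float:
    """Bandwidth / PPS, converted from Kbits per second to bytes per packet."""
    if pps <= 0:
        raise ValueError("packet rate must be positive to derive a packet size")
    return (bandwidth_kbps * 1000.0 / 8.0) / pps


def packet_size_region(anomaly_kbps: float, anomaly_pps: float,
                       normal_kbps: float, normal_pps: float) -> str:
    """The guide's ratio of anomaly to normal average packet size, banded."""
    ratio = (average_packet_bytes(anomaly_kbps, anomaly_pps)
             / average_packet_bytes(normal_kbps, normal_pps))
    if ratio > LARGE_RATIO:
        return "Large Packets"
    if ratio < SMALL_RATIO:
        return "Small Packets"
    return "Normal Packets"


# Constructed inbound snapshot: a SYN flood that swells the SYN share while the
# established-connection (ACK/FIN) traffic stays near its baseline.
SNAPSHOT = [
    TypeSample("TCP SYN",     200.0,  8000.0,  250.0),
    TypeSample("TCP SYN ACK", 150.0,   160.0,  160.0),
    TypeSample("TCP ACK FIN", 9000.0, 9100.0, 9100.0),
    TypeSample("UDP",         600.0,   640.0,  640.0),
    TypeSample("ICMP",         50.0,    50.0,   50.0),
]

if __name__ == "__main__":
    for traffic_type, row in last_sample_rows(SNAPSHOT).items():
        print(traffic_type, row)
    print(rate_invariant_suspects(SNAPSHOT))                 # ['TCP SYN']
    # 9600 Kbps at 20000 pps (60-byte SYNs) against a 400 Kbps / 100 pps baseline
    print(packet_size_region(9600.0, 20000.0, 400.0, 100.0))  # Small Packets
```

In the snapshot the SYN share rises from 2% of the baseline mix to about 45% of real-time traffic, which is what the RT Portion % column makes visible even when the absolute Kbps alone would not look alarming; the same 60-byte SYNs land in the Small Packets region against a 500-byte baseline.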
To display traffic information for a Network Protection policy that includes DNS
protection
1. In the Security Monitoring perspective, select the device to monitor.
2. Select Protection Monitoring > DNS Traffic Monitoring Reports.
3. Configure the filter for the display of the Statistics Graph and Last Sample Statistics table.
Statistics Graph
The graph displays the traffic rates for the selected Network Protection policy according to the
specified parameters.
Table 322: Scope Parameters for the Statistics Graph and Last Sample Statistics Table
Parameter Description
Scope The Network Protection policy. The list displays only policies that are configured with a DNS profile.
Direction The direction of the traffic that the Statistics Graph and Last Sample
Statistics table display.
Values: Inbound, Outbound
Units (Read-only) The unit according to which the Statistics Graph and Last
Sample Statistics table display the traffic.
Value: QPS—Queries per second
Parameter Description
IP Version The IP version of the traffic that the graph displays.
Values: IPv4, IPv6
Protection Type The DNS query type to monitor.
Values:
• Other
• Text
• A
• AAAA
• MX
• NAPTR
• PTR
• SOA
• SRV
Scale The scale for the presentation of the information along the Y-axis.
Values: Linear, Logarithmic
Attack Status (Read-only) The status of the attack.
Line Description
Total Traffic (dark blue) The total traffic that the device sees for the specific protection type and
direction.
Legitimate Traffic (light blue) The actual forwarded traffic rate, after DefensePro managed to block
the attack.
When there is no attack, the Total Traffic and Legitimate Traffic are
equal.
1 – This line is not displayed if the protection is configured to use a footprint bypass or
manual triggers.
Parameter Description
Traffic Type The protection type. Each specific traffic type and direction has a baseline
that the device learns automatically.
Baseline The normal traffic rate expected by the device.
Total Traffic The total traffic rate that the DefensePro device sees for the specific traffic
type and direction.
Baseline Portion % An indication for the rate invariant baseline—that is, the normal percentage
of the specific traffic type to all other traffic in the same direction.
RT Portion % The actual percentage of the specific traffic type relative to all other traffic in
the same direction.
Legitimate Traffic The actual forwarded traffic rate, after the device blocked the attack.
When there is no attack, the RT Rate and Legitimate Rate are equal.
Legitimate Portion % The actual percentage of the forwarded traffic rate of the specified type
relative to other types of traffic, after the device blocked the attack.
Degree of Attack A numeric value that evaluates the current level of attack. A value of 8 or
greater signifies an attack.
HTTP Reports
HTTP Mitigator protection monitors rate-based and rate-invariant HTTP traffic parameters, learns
them, and generates normal behavior baselines accordingly.
Note: DefensePro counts HTTP requests rather than TCP connections or packets. Thus, when HTTP
pipelining sends several requests over a single connection, the detection mechanism remains accurate.
You can monitor real-time and historical (normal baseline) values, and analyze HTTP traffic
anomalies using the following reports:
• Monitoring Continuous Learning Statistics, page 372
• Monitoring Hour-Specific Learning Statistics, page 373
• HTTP Request Size Distribution, page 374
• MIB Support for Real-Time HTTP Monitoring Data, page 375
Channel Description
GET & POST Requests Rate The rate of HTTP GET and POST requests sent per second to the
protected server.
Other Requests Rate The rate of HTTP requests that are not POST or GET sent per
second to the protected server. Other HTTP request methods can
be used, but are used less frequently.
Requests Rate per Source The maximum rate of HTTP GET and POST requests per second
per source IP address.
This parameter characterizes the site users’ behavior, enabling
you to recognize abnormal activities, such as scanning or bots.
Legitimate users may generate many requests per second, but
automatic devices such as bots or scanners generate many more.
Requests per Connection The maximum number of HTTP GET and POST requests per TCP
connection.
This parameter characterizes the site users’ behavior, enabling
you to recognize abnormal activities, such as scanning or bots.
Many requests over a single TCP connection may indicate bot or
scanner activity.
Outbound Bandwidth The bandwidth, in megabits per second, of the HTTP servers
sending the responses.
Note: Normal Requests per Source and Requests per Connection baseline parameters show the
highest number of HTTP requests generated by a single source IP address and TCP connection
respectively. This number fades out, unless a higher value is observed, within about 30 seconds.
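The per-source and per-connection channels above are the ones that separate bots and scanners from people. The following added example (not code from the guide or from Radware) computes those channels over a constructed request sample: per-second GET and POST rate, the peak GET/POST rate from any single source IP, the number of GET/POST requests per TCP connection, and a flagging function. The 30-second fade-out is approximated by only counting requests inside a 30-second window ending at `now`; the tuple layout, the limits and the function names are assumptions made for the example.

```python
from collections import defaultdict

FADE_SECONDS = 30  # the guide says a per-source/per-connection maximum fades out within about 30 s

# Constructed sample traffic: (timestamp in seconds, source IP, TCP connection id, HTTP method).
SAMPLE_REQUESTS = [
    (100, "203.0.113.5", "c1", "GET"),
    (100, "203.0.113.5", "c1", "GET"),
    (101, "203.0.113.5", "c2", "POST"),
    (100, "198.51.100.9", "c3", "GET"),
    (140, "203.0.113.5", "c10", "HEAD"),   # an "other" request, long after the burst below
]
# A scanner-like source: 40 GETs in one second, then 25 more over the same connection.
SAMPLE_REQUESTS += [(105, "198.51.100.77", "c9", "GET")] * 40
SAMPLE_REQUESTS += [(106, "198.51.100.77", "c9", "GET")] * 25


def _in_window(ts, now):
    """True when a request is recent enough that its contribution has not faded out."""
    return now - FADE_SECONDS < ts <= now


def channel_rates(requests):
    """Per-second counts for the 'GET & POST Requests Rate' and 'Other Requests Rate' channels."""
    get_post, other = defaultdict(int), defaultdict(int)
    for ts, _src, _conn, method in requests:
        bucket = get_post if method in ("GET", "POST") else other
        bucket[ts] += 1
    return dict(get_post), dict(other)


def max_rate_per_source(requests, now):
    """Peak GET/POST requests per second from each source IP within the fade window."""
    per_second = defaultdict(int)
    for ts, src, _conn, method in requests:
        if method in ("GET", "POST") and _in_window(ts, now):
            per_second[(src, ts)] += 1
    peak = {}
    for (src, _ts), n in per_second.items():
        peak[src] = max(peak.get(src, 0), n)
    return peak


def max_requests_per_connection(requests, now):
    """GET/POST requests carried by each (source, connection) within the fade window."""
    per_conn = defaultdict(int)
    for ts, src, conn, method in requests:
        if method in ("GET", "POST") and _in_window(ts, now):
            per_conn[(src, conn)] += 1
    return dict(per_conn)


def suspicious_sources(requests, now, rate_limit, per_conn_limit):
    """Sources exceeding either limit; the limits stand in for the learned baselines."""
    flagged = {s for s, n in max_rate_per_source(requests, now).items() if n > rate_limit}
    flagged |= {s for (s, _c), n in max_requests_per_connection(requests, now).items()
                if n > per_conn_limit}
    return sorted(flagged)


if __name__ == "__main__":
    print(max_rate_per_source(SAMPLE_REQUESTS, now=110))
    print(suspicious_sources(SAMPLE_REQUESTS, now=110, rate_limit=20, per_conn_limit=50))
```

Calling `max_rate_per_source` with `now=140` returns an empty result: the burst at seconds 105 and 106 has faded out, which is the behaviour the note above describes for the baseline value.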
Parameter Description
Server The name of the protected Web server for which to display HTTP traffic
statistics.
Display Last The last number of hours for which the graph displays information.
Values: 1, 2, 3, 6, 12, 24
Default: 1
Channel Description
GET & POST Requests Rate The rate of HTTP GET and POST requests sent per second to the
protected server.
Other Requests Rate The rate of HTTP requests that are not POST or GET sent per
second to the protected server. Other HTTP request methods can
be used, but are used less frequently.
Outbound Bandwidth The bandwidth, in megabits per second, of the HTTP pages sent
as responses.
Parameter Description
Server The protected server for which to display information.
Scale The scale for the presentation of the information along the Y-axis.
Values: Linear, Logarithmic
OID MIB
1.3.6.1.4.1.89.35.1.65.115.83 rsHTTPFReportsContinuousLearningStatisticsTable
1.3.6.1.4.1.89.35.1.65.115.83.1 rsHTTPFReportsContinuousLearningStatisticsEntry
1.3.6.1.4.1.89.35.1.65.115.83.1.1 rsHTTPFReportsContinuousLearningStatisticsServerName
1.3.6.1.4.1.89.35.1.65.115.83.1.2 rsHTTPFReportsContinuousLearningStatisticsGETAndPOSTRequestsRate
1.3.6.1.4.1.89.35.1.65.115.83.1.3 rsHTTPFReportsContinuousLearningStatisticsOtherRequestsRate
1.3.6.1.4.1.89.35.1.65.115.83.1.4 rsHTTPFReportsContinuousLearningStatisticsRequestsRatePerSource
1.3.6.1.4.1.89.35.1.65.115.83.1.5 rsHTTPFReportsContinuousLearningStatisticsRequestsRatePerConnection
1.3.6.1.4.1.89.35.1.65.115.83.1.6 rsHTTPFReportsContinuousLearningStatisticsOutboundBandwidthKbps
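The OIDs above are what an external monitor polls. The following added example (not from the guide or from Radware) parses the text that a numeric `snmpwalk -On` of the continuous-learning table produces into one record per protected server and flags servers whose per-source or per-connection rate exceeds a limit. The walk output is constructed for the example; the row-index encoding after each column OID is treated as opaque, and the limits are assumptions. Note that the last object's name ends in Kbps while the channel table above describes Outbound Bandwidth in megabits per second; check the MIB file shipped with your device before converting units.

```python
import re

# Column OIDs exactly as listed in the guide's MIB table.
HTTP_LEARNING_COLUMNS = {
    "1.3.6.1.4.1.89.35.1.65.115.83.1.1": "server_name",
    "1.3.6.1.4.1.89.35.1.65.115.83.1.2": "get_post_requests_rate",
    "1.3.6.1.4.1.89.35.1.65.115.83.1.3": "other_requests_rate",
    "1.3.6.1.4.1.89.35.1.65.115.83.1.4": "requests_rate_per_source",
    "1.3.6.1.4.1.89.35.1.65.115.83.1.5": "requests_rate_per_connection",
    "1.3.6.1.4.1.89.35.1.65.115.83.1.6": "outbound_bandwidth_kbps",
}

# Constructed sample in the style of `snmpwalk -On`; the row index (here a
# length-prefixed ASCII string) is an assumption and is treated as opaque.
SAMPLE_WALK = """\
.1.3.6.1.4.1.89.35.1.65.115.83.1.1.3.119.101.98 = STRING: "web"
.1.3.6.1.4.1.89.35.1.65.115.83.1.2.3.119.101.98 = Gauge32: 1200
.1.3.6.1.4.1.89.35.1.65.115.83.1.3.3.119.101.98 = Gauge32: 15
.1.3.6.1.4.1.89.35.1.65.115.83.1.4.3.119.101.98 = Gauge32: 40
.1.3.6.1.4.1.89.35.1.65.115.83.1.5.3.119.101.98 = Gauge32: 12
.1.3.6.1.4.1.89.35.1.65.115.83.1.6.3.119.101.98 = Gauge32: 8500
.1.3.6.1.4.1.89.35.1.65.115.83.1.1.3.97.112.105 = STRING: "api"
.1.3.6.1.4.1.89.35.1.65.115.83.1.2.3.97.112.105 = Gauge32: 300
.1.3.6.1.4.1.89.35.1.65.115.83.1.3.3.97.112.105 = Gauge32: 0
.1.3.6.1.4.1.89.35.1.65.115.83.1.4.3.97.112.105 = Gauge32: 250
.1.3.6.1.4.1.89.35.1.65.115.83.1.5.3.97.112.105 = Gauge32: 90
.1.3.6.1.4.1.89.35.1.65.115.83.1.6.3.97.112.105 = Gauge32: 900
"""

LINE_RE = re.compile(r'^\.?(?P<oid>[\d.]+)\s*=\s*(?P<type>[A-Za-z0-9]+):\s*(?P<value>.*)$')


def parse_http_learning_walk(text):
    """Group walk lines by row index and return {server_name: {column: value}}."""
    rows = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        oid = m.group("oid")
        for col_oid, name in HTTP_LEARNING_COLUMNS.items():
            if oid.startswith(col_oid + "."):
                index = oid[len(col_oid) + 1:]          # whatever follows the column is the row key
                value = m.group("value")
                value = value.strip('"') if m.group("type") == "STRING" else int(value)
                rows.setdefault(index, {})[name] = value
                break
    return {r["server_name"]: r for r in rows.values() if "server_name" in r}


def servers_over_limit(rows, rate_per_source_limit, per_conn_limit):
    """Servers whose per-source or per-connection request rate exceeds the given limits."""
    return sorted(name for name, r in rows.items()
                  if r.get("requests_rate_per_source", 0) > rate_per_source_limit
                  or r.get("requests_rate_per_connection", 0) > per_conn_limit)


if __name__ == "__main__":
    stats = parse_http_learning_walk(SAMPLE_WALK)
    print(servers_over_limit(stats, rate_per_source_limit=100, per_conn_limit=50))
```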
String in a Security Alert for a Single Attack:
An attack of type: <attack category>[1] started.
Detected by rule: <Network Protection policy>;
Attack name: <attack name>;
Source IP: <attacker IP address>;
Destination IP: <attacked IP address>;
Destination port: <attacked port>;
Action: <action>.
String in a Security Alert for an Aggregated Attack:
<quantity of attacks> attacks of type: <attack category>[1] started between <start time of first
attack> and <start time of last attack>.[2]
Detected by rule: <Network Protection policy>;[3]
Attack name: <attack name>;[3]
Source IP: <attacker IP address>;[4]
Destination IP: <attacked IP address>;[4]
Destination port: <attacked port>;[4]
Action: <action>.[4]
An APSolute Vision administrator can limit the parameters that are included in security alerts. This
option is useful because security alerts are often received by e-mail and viewed on a smartphone. To
compensate for the small screen size, an administrator can select which parameters to include in the
alerts.
Note: Changes to the settings take effect on alerts generated from the time of the change and
forward.
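When alerts are forwarded by e-mail into a ticketing system or SIEM, the string above has to be turned back into fields. The following added example (not from the guide or from Radware) parses both the single-attack and the aggregated-attack form, tolerates parameters that an administrator has removed from the alert, and collapses the line wrapping that e-mail clients introduce. The two sample alerts are constructed for the example; the attack categories, names, timestamps and action values in them are placeholders, not values taken from a device.

```python
import re

# Header sentence of each alert form, following the templates in the guide.
SINGLE_RE = re.compile(r"^An attack of type: (?P<category>.+?) started\.(?:\s|$)")
AGGREGATED_RE = re.compile(
    r"^(?P<count>\d+) attacks of type: (?P<category>.+?) started between "
    r"(?P<first>.+?) and (?P<last>.+?)\.(?:\s|$)")

# Alert parameter labels as they appear in the template, mapped to field names.
FIELD_NAMES = {
    "Detected by rule": "policy",
    "Attack name": "attack_name",
    "Source IP": "source_ip",
    "Destination IP": "destination_ip",
    "Destination port": "destination_port",
    "Action": "action",
}

# Constructed samples (values are placeholders).
SAMPLE_SINGLE = ("An attack of type: DoS started. Detected by rule: Web_Servers; "
                 "Attack name: SYN Flood; Source IP: 203.0.113.7; Destination IP: 198.51.100.10; "
                 "Destination port: 443; Action: Drop.")
# An aggregated alert with Source IP and Destination port removed by the administrator,
# wrapped across lines as an e-mail client would.
SAMPLE_AGGREGATED = ("12 attacks of type: Anomalies started between 2016-03-01 10:00:00\n"
                     "and 2016-03-01 10:05:00. Detected by rule: Web_Servers;\n"
                     "Attack name: SYN Flood; Destination IP: 198.51.100.10; Action: Drop.")


def parse_security_alert(text):
    """Return a dict describing the alert, or raise ValueError for unrecognised text."""
    text = " ".join(text.split())          # undo e-mail line wrapping
    m = AGGREGATED_RE.match(text)
    if m:
        alert = {"kind": "aggregated", "count": int(m.group("count")),
                 "category": m.group("category"),
                 "first_start": m.group("first"), "last_start": m.group("last")}
    else:
        m = SINGLE_RE.match(text)
        if not m:
            raise ValueError("not a DefensePro security alert string")
        alert = {"kind": "single", "count": 1, "category": m.group("category")}
    # The remaining "<label>: <value>;" pairs; any of them may be absent.
    for part in text[m.end():].split(";"):
        part = part.strip().rstrip(".")
        if ": " not in part:
            continue
        label, value = part.split(": ", 1)
        name = FIELD_NAMES.get(label)
        if name:
            alert[name] = value.strip()
    port = alert.get("destination_port")
    if isinstance(port, str) and port.isdigit():
        alert["destination_port"] = int(port)
    return alert


if __name__ == "__main__":
    print(parse_security_alert(SAMPLE_SINGLE))
    print(parse_security_alert(SAMPLE_AGGREGATED))
```

Because the template's field labels are matched literally, a change to the selected parameters only adds or removes keys from the result; downstream code should treat every field except `kind`, `count` and `category` as optional.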
Note: When troubleshooting is required, DefensePro can generate a text file that includes the
output of various CLI commands, such as printouts of the Client table, ARP table, and so on. You can
download this file using APSolute Vision and send it to Radware Technical Support (see Downloading
a Device-Configuration File, page 293).
Command Description
acl Access control list.
classes Configures traffic attributes used for classification.
device Device settings.
dp DefensePro security settings.
help Displays help for the specified command.
login Log in to the device.
logout Log out of the device.
manage Device management configuration.
net Network configuration.
ping Ping a remote host.
reboot Reboot the device.
security Device security.
services General networking services.
shutdown Shut down.
ssh Connect via SSH to a remote host.
statistics Device statistics configuration.
system Set system parameters.
telnet Connect to a remote host via Telnet.
trace-route Measure hops and latency to a given destination.
Example
manage terminal buffer-size set 16000000
CLI Capabilities
You can use the DefensePro CLI through console access, Telnet, or SSH. Telnet carries credentials and
commands in cleartext; prefer SSH or the console on any network you do not fully control.
The CLI provides the following capabilities:
• Consistent, logically structured and intuitive command syntax.
• A system config command to view the current configuration of the device, formatted as CLI
command lines.
• Pasting the output of system config, or part of it, to the CLI of another device, using the
system config set command. This option can be used for easy configuration replication.
• Help and command completion keys.
• Command line editing keys.
• Command history.
• Configurable prompt.
• Configurable banner for Telnet and SSH.
• Ping—Ping other hosts on the network to test availability of the other hosts.
• Traceroute—Use the following command:
trace-route <destination IP address>
Output format:
DP#trace-route www.radware.com
trace-route to host 209.218.228.203:
1: 50ms 50ms 50ms 212.150.43.130
2: 50ms 50ms 50ms 80.74.101.129
3: 50ms 50ms 50ms 192.116.214.2
4: * * *
5: 50ms 50ms 50ms 80.74.96.40
• Telnet client—To initiate a Telnet session to remote hosts, use the following CLI command:
telnet <IP address>
• SSH client—To initiate a SSH session to remote hosts, use the following CLI command:
ssh <IP address>
CLI Traps
When connected to a physical DefensePro platform via a serial cable, the device generates traps
when events occur.
Caution: Do not use the CLI to monitor security traps. The CLI reads only from Instance 0. The CLI
does not receive security traps from Instance 1. You can use APSolute Vision to monitor security
traps from both instances.
Note: In Web Based Management, the online help is available by clicking on the ? Help icon that is
displayed in every screen.
You can also use secure Web Based Management, that is, an HTTPS session. By default, the device
has self-signed Radware SSL certificates, which browsers cannot validate against a trusted CA. You can
also specify your own SSL certificates.
Note: SSL keys and certificates are not exported as part of the configuration, so a configuration
backup does not include them; back them up separately.
Web Services
Radware DefensePro devices can be managed through SNMP, a serial port, Telnet, SSH, HTTP (via the
internal Web application), and HTTPS. To provide customers with the capability to develop enhanced
application monitoring, customized application delivery network management applications and
advanced automation tools, Radware provides Web Service interfaces on DefensePro with APSolute
API, an open standards-based SOAP (XML) API.
Integration with APSolute API allows customers a comprehensive view of device performance,
including historical data analysis and trending, performance diagnostics, availability reports and the
automation of maintenance operations and fine-tuning of DefensePro for optimal application delivery
based on external parameters.
Key features:
• Control of Radware product features and functions from any external application.
• API enabled network devices appear as software for applications, resulting in true, software-
native integration.
• Comprehensive SDK for multiple development platforms and languages.
• Extensive sample application code, documentation, and configuration guidance.
The DefensePro Web services operate via HTTP or HTTPS requests, like a regular Web browser. Web
Services are disabled by default on DefensePro.
You can enable DefensePro Web services using the following:
• CLI—manage Web-services status
• WBM—Services > Management Interfaces > Web Server > Web Services
• APSolute Vision—Configuration perspective, Setup > Device Security > Access Protocols
You can enable Web Services only if either the Web or secure Web management interface is enabled
on the device. Because the API can change the device configuration, expose it over the secure (HTTPS)
interface rather than plain HTTP.
API Structure
The APSolute API is a SOAP/XML interface that provides full access to DefensePro devices for third-
party applications utilizing common development languages, including Java, Visual Basic/C#, and
Perl. This interface enables both device configuration and monitoring status and performance
statistics.
APSolute API offers two approaches to interacting with DefensePro devices:
• Issuing CLI commands. This interface does not support:
— Commands that are neither configuration nor monitoring commands, such as ping, telnet and
trace-route.
— Commands that have asynchronous output (such as accelerator-related CLI commands).
In addition, the response to a CLI command is limited to the first 1000 rows.
• Configuring and monitoring the devices via SOAP commands that mirror Radware's SNMP MIB:
The following type of commands are available:
— For scalar MIB parameter, retrieve (get) the value and change (set) the value.
— For a MIB table entry, create an entry, delete an entry, update one or more parameters of an
entry, retrieve (get) an entry, retrieve (get) the entire table, walk through the table (get first
entry and get next).
To start working with the APSolute API SDK, install a SOAP client tool kit (supporting SOAP
version 1.1 and later) and a development environment for the tool kit on the workstation.
For more information, see Configuring BDoS Footprint Bypass, page 117.
Table 333: BDoS Footprint Bypass Fields and Values for UDP, ICMP, and IGMP Controllers
Controller(s) | Field | Status | Value(1) | Description
UDP, ICMP, IGMP | id-num | Accept | UDP: 0; ICMP and IGMP: N/A | The ID number from the IP packet header.
UDP, ICMP, IGMP | id-num-ipv6(2) | Accept | UDP: 0; ICMP and IGMP: N/A | The ID number from the IPv6 packet header.
UDP, ICMP, IGMP | dns-id-num | Accept | UDP: 0; ICMP and IGMP: N/A | The ID number of a DNS query.
UDP | dns-qname | Accept | N/A | The domain name requested by a DNS query.
UDP | dns-qcount | Accept | 1 | The number of DNS queries in a single DNS session.
UDP | source-port | Accept | N/A | The source port of the attack.
UDP, ICMP, IGMP | frag-offset | Accept | 0, 185 | Indicates where this fragment belongs in the datagram. The fragment offset is measured in units of 8 bytes (64 bits).
UDP, ICMP, IGMP | packet-size | Accept | UDP and IGMP: N/A; ICMP: 74 | The size of the packet in bytes, including the data-link header.
UDP, ICMP | packet-size-ipv6(2) | Accept | UDP: N/A; ICMP: 118 | The size of the IPv6 packet in bytes, including the data-link header.
UDP | destination-port | Accept | N/A | The destination port from the packet header.
UDP, ICMP, IGMP | destination-ip | Accept | N/A | The destination IP address.
UDP, ICMP | destination-ip-ipv6(2) | Accept | N/A | The destination IPv6 address.
1 – “N/A” (that is, “not applicable”) means that no specific values can be used with the field; only the general status, Accept or Bypass,
applies.
2 – This field is displayed only when the IP Version Mode on the device is set to IPv4 and IPv6 (Configuration perspective > Setup >
Networking > Basic).
Table 334: BDoS Footprint Bypass Fields and Values for All TCP Controllers
Controller(s) | Field | Status | Value(1) | Description
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | id-num | Accept | N/A | The ID number from the IP packet header.
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | source-port | Accept | N/A | The source port of the generated attack.
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | source-ip | Bypass | | The source IP address of the generated attack.
TCP-SYN, TCP-RST, TCP-ACK-FIN, TCP-SYN-ACK, TCP-Frag | source-ip-ipv6(2) | Bypass | | The source IPv6 address of the generated attack.
1 – “N/A” (that is, “not applicable”) means that no specific values can be used with the field; only the general status, Accept or Bypass,
applies.
2 – This field is displayed only when the IP Version Mode on the device is set to IPv4 and IPv6 (Configuration perspective > Setup >
Networking > Basic).
For more information, see Configuring DNS Footprint Bypass, page 134.
Field | Status | Value(1) | Description
id-num-ipv6(2) | Accept | UDP: 0; ICMP and IGMP: N/A | The ID number from the IPv6 packet header.
dns-id-num | Accept | UDP: 0; ICMP and IGMP: N/A | The ID number of a DNS query.
dns-qname | Accept | N/A | The domain name requested by a DNS query.
1 – “N/A” (that is, “not applicable”) means that no specific values can be used with the field; only the general status, Accept or Bypass,
applies.
2 – This field is displayed only when the IP Version Mode on the device is set to IPv4 and IPv6 (Configuration perspective > Setup >
Networking > Basic).
Note: Some DefensePro versions do not support all the protections listed in the following table.
• MS Windows Server
• Unix
Diagnostic Tools
DefensePro supports the following diagnostic tools:
• Traffic Capture
• Trace-Log
Diagnostic tools are only available using the CLI or Web Based Management.
Diagnostic tools start working only after there is a diagnostic policy configured on the device (see
Diagnostics Policies, page 427) and the relevant options are enabled.
Diagnostic tools stop in the following cases:
• You stop the relevant task.
• You reboot the device. That is, when the device reboots, the status of the Capture Tool reverts to
Disabled.
The Traffic Capture tool uses the following format for packet capture files:
capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap
Notes
• DefensePro cannot capture GRE-encapsulated packets.
• DefensePro cannot capture outgoing ICMP packets.
• The Traffic Capture tool truncates packets longer than 1619 bytes (regardless of the
configuration for jumbo frames).
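Two of the notes above matter when a capture lands on an analyst's desk: the file name encodes the device and the time of capture, and any packet longer than 1619 bytes is cut short, so payload-based rules must not be applied to the tail of a truncated packet. The following added example (not from the guide or from Radware) parses the capture file name, reads a classic libpcap file with only the standard library, and reports which records were truncated by comparing the captured length to the original length. The pcap bytes are constructed inside the example; the assumption that the device writes plain libpcap (not pcapng) is mine and should be checked against a real capture.

```python
import re
import struct
from datetime import datetime

CAPTURE_TRUNCATION_BYTES = 1619   # from the guide: longer packets are truncated to this size
CAPTURE_NAME_RE = re.compile(
    r"^capture_(?P<device>.+)_(?P<stamp>\d{8}_\d{6})_(?P<number>\d+)\.cap$")


def parse_capture_filename(name):
    """Split capture_<Device Name>_ddMMyyyy_hhmmss_<file number>.cap into its parts."""
    m = CAPTURE_NAME_RE.match(name)
    if not m:
        raise ValueError("not a DefensePro capture file name: %r" % name)
    return {"device": m.group("device"),
            "taken_at": datetime.strptime(m.group("stamp"), "%d%m%Y_%H%M%S"),
            "file_number": int(m.group("number"))}


def build_sample_pcap(original_lengths, snaplen=CAPTURE_TRUNCATION_BYTES):
    """Constructed sample: a little-endian libpcap file whose records are cut at snaplen."""
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1))  # linktype 1 = Ethernet
    for i, orig in enumerate(original_lengths):
        incl = min(orig, snaplen)
        out += struct.pack("<IIII", 1457000000 + i, 0, incl, orig)
        out += bytes([i & 0xFF]) * incl            # filler payload
    return bytes(out)


def parse_pcap(data):
    """Read the global header and every record; mark records whose data was cut short."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:                        # big-endian writer
        endian = ">"
    else:
        raise ValueError("not a microsecond libpcap file (pcapng/nanosecond formats not handled)")
    _magic, _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack(endian + "IHHiIII", data[:24])
    records, offset = [], 24
    while offset + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack(endian + "IIII", data[offset:offset + 16])
        offset += 16
        if offset + incl > len(data):
            raise ValueError("record at offset %d runs past end of file" % (offset - 16))
        records.append({"ts": ts_sec + ts_usec / 1e6, "captured": incl,
                        "original": orig, "truncated": orig > incl})
        offset += incl
    return {"snaplen": snaplen, "linktype": linktype, "records": records}


def truncation_report(capture):
    """Counts an analyst wants before trusting payload matches on the capture."""
    recs = capture["records"]
    return {"packets": len(recs),
            "truncated": sum(1 for r in recs if r["truncated"]),
            "max_captured": max((r["captured"] for r in recs), default=0)}


if __name__ == "__main__":
    print(parse_capture_filename("capture_DP-1_05032016_143012_1.cap"))
    print(truncation_report(parse_pcap(build_sample_pcap([60, 1500, 9000]))))
```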
Parameter Description
Status Specifies whether the Capture Tool is enabled.
Values: Enabled, Disabled
Default: Disabled
Note: When the device reboots, the status of the Capture Tool
reverts to Disabled.
Output To File Specifies the location of the stored captured data.
Values:
• RAM Drive and Flash—The device stores the data in RAM and
appends the data to the file on the CompactFlash drive. Due to
limits on CompactFlash size, DefensePro uses two files. When
the first file becomes full, the device switches to the second,
until it is full and then it overwrites the first file, and so on.
• RAM Drive—The device stores the data in RAM.
• None—The device does not store the data in RAM or flash, but
you can view the data using a terminal.
Output To Terminal Specifies whether the device sends captured data to the terminal.
Values: Enabled, Disabled
Default: Disabled
Capture Point Specifies where the device captures the data.
Values:
• On Packet Arrive—The device captures packets when they enter
the device.
• On Packet Send—The device captures packets when they leave
the device.
• Both—The device captures packets when they enter the device
and when they leave the device.
Traffic Match Mode Specifies how the device logically captures a session traversing a
VIP. Each session sent to a device VIP has two sides—the client side
(the session between the client and the VIP) and the server side
(the session between the DefensePro device and the server).
This parameter has no effect on traffic that does not traverse a VIP.
Values:
• Inbound only—Capture the client-side session only.
• Inbound and Outbound—Capture both the client-side and the
corresponding server-side sessions.
Default: Inbound only
Trace-Log
The Trace-Log tool provides data on the traffic flow within the device. The feature is intended for
debugging purposes only.
Parameter Description
Status Specifies whether the Trace-Log tool is enabled.
Values: Enabled, Disabled
Default: Disabled
Output To File Specifies the location of the stored data.
Values:
• RAM Drive and Flash—The device stores the data in RAM and
appends the data to the file on the CompactFlash drive. Due to limits
on CompactFlash size, DefensePro uses two files. When the first file
becomes full, the device switches to the second, until it is full and
then it overwrites the first file, and so on.
• RAM Drive—The device stores the data in RAM.
• None—The device does not store the data in RAM or flash, but you
can view the data using a terminal.
Output To Terminal Specifies whether the device sends Trace-Log data to the terminal.
Values: Enabled, Disabled
Default: Disabled
Output To Syslog Server Specifies whether the device sends Trace-Log data to a syslog server.
Values: Enabled, Disabled
Default: Disabled
To configure the diagnostics Trace-Log message format using Web Based Management
1. Select Services > Diagnostics > Trace-Log > Message Format. The Diagnostics Trace-Log
Message Format pane is displayed.
2. Configure the parameters, and then, click Set.
Parameter Description
Date Specifies whether the date that the message was generated is included in the
Trace-Log message.
Time Specifies whether the time that the message was generated is included in the
Trace-Log message.
Platform Name Specifies whether the platform MIB name is included in the Trace-Log
message.
File Name Specifies whether the output file name is included in the Trace-Log message.
Line Number Specifies whether the line number in the source code is included in the Trace-
Log message.
Packet Id Specifies whether an ID assigned by the device to each packet is included in
the Trace-Log message. This enables you to see the order of the packets.
Module Name Specifies whether the name of the traced module is included in the Trace-Log
message.
Task Name Specifies whether the name of the specific task of the traced module is included in
the Trace-Log message.
Trace-Log Modules
To help pinpoint the source of a problem, you can specify which DefensePro modules the Trace-Log
feature works on and the log severity per module. For example, you can specify that the Trace-Log
feature traces only the Health Monitoring module to understand why a specific health check fails.
To configure the parameters of the Trace-Log modules using Web Based Management
1. Select Services > Diagnostics > Trace-Log > Modules. The Trace-Log Modules pane is
displayed.
The table in the pane comprises the following columns:
— Name—The name of the module.
Values:
• ACL
• CDE
• GENERIC
• HMM
• VSDR
— Status—The current status of the traced module.
— Severity—The lowest severity of the events that the Trace-Log includes for this module.
Values:
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Info
• Debug
2. Click the relevant link. The Trace-Log Modules Update pane is displayed.
3. Configure the parameters, and then, click Set.
Parameter Description
Status Specifies whether the Trace-Log feature is enabled for the module.
Severity The lowest severity of the events that the Trace-Log includes for this module.
Values:
• Emergency
• Alert
• Critical
• Error
• Warning
• Notice
• Info
• Debug
Note: The default varies according to module.
Parameter Description
File Name The name of the file.
File Size The file size, in bytes.
Action The action that you can take on the data stored.
Values:
• download—Starts the download process of the selected data. Follow the
on-screen instructions.
• delete—Deletes the selected file.
2. From the Action column, select the action, Download or Delete, and follow the instructions.
Diagnostics Policies
In most cases, there is no need to capture all the traffic passing through the device. Using diagnostic
policies, the device can classify the traffic and store only the required information.
Note: To reuse the policy, edit the policy and set it again.
Parameter Description
Name The user-defined name of the policy up to 20 characters.
Index The number of the policy in the order in which the diagnostics tool
classifies (that is, captures) the packets.
Default: 1
Description The user-defined description of the policy.
VLAN Tag Group The VLAN Tag group whose packets the policy classifies (that is,
captures).
Destination The destination IP address or predefined class object whose packets
the policy classifies (that is, captures).
Default: any—The diagnostics tool classifies (that is, captures)
packets with any destination address.
Source The source IP address or predefined class object whose packets the
policy classifies (that is, captures).
Default: any—The diagnostics tool classifies (that is, captures)
packets with any source address.
Outbound Port Group The port group whose outbound packets the policy classifies (that is,
captures).
Note: You cannot set the Outbound Port Group when the value of
the Trace-Log Status parameter is Enabled.
Inbound Port Group The port group whose inbound packets the policy classifies (that is,
captures).
Service Type The service type whose packets the policy classifies (that is, captures).
Service The service whose packets the policy classifies (that is, captures).
Values:
• None
• Basic Filter
• AND Group
• OR Group
Default: None
Destination MAC Group The Destination MAC group whose packets the policy classifies (that is,
captures).
Source MAC Group The Source MAC group whose packets the policy classifies (that is,
captures).
Maximal Number of Packets The maximal number of packets the policy captures. Once the policy
captures the specified number of packets, it stops capturing traffic. In
some cases, the policy captures fewer packets than the configured
value. This happens when the device is configured to drop packets.
Maximal Packet Length The maximal length for a packet the policy captures.
Capture Status Specifies whether the packet-capture feature is enabled in the policy.
Values: Enabled, Disabled
Default: Disabled
Trace-Log Status Specifies whether the Trace-Log feature is enabled in the policy.
Values: Enabled, Disabled
Default: Disabled
Note: You cannot set the Outbound Port Group when the value of
the Trace-Log Status parameter is Enabled.
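The parameters above define a small classifier: policies are tried in Index order, "any" matches every address, a policy stops after Maximal Number of Packets, and each captured packet is cut to Maximal Packet Length. The following added example (not from the guide or from Radware) models that behaviour over constructed packets so that a policy set can be checked before it is pushed to a device. The source and destination are given as an IP address or CIDR network (standing in for a Network class object), the inbound port group as a set of port names, and the rule that the first matching policy wins is an assumption; the guide states only the ordering.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class DiagnosticsPolicy:
    name: str
    index: int
    source: str = "any"                 # IP address, CIDR network, or "any"
    destination: str = "any"
    inbound_ports: Optional[frozenset] = None   # None = match any inbound port (assumption)
    max_packets: Optional[int] = None           # None = no limit (assumption)
    max_packet_length: int = 1619
    capture_status: bool = False
    captured: int = field(default=0, init=False)

    def __post_init__(self):
        if len(self.name) > 20:                  # the guide limits names to 20 characters
            raise ValueError("policy name longer than 20 characters: %r" % self.name)

    @staticmethod
    def _addr_matches(spec, addr):
        return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

    def matches(self, pkt):
        return (self._addr_matches(self.source, pkt["src"])
                and self._addr_matches(self.destination, pkt["dst"])
                and (self.inbound_ports is None or pkt["in_port"] in self.inbound_ports))

    def exhausted(self):
        return self.max_packets is not None and self.captured >= self.max_packets


def run_capture(policies, packets):
    """Return (policy name, source, stored length) for every packet a policy captures."""
    ordered = sorted(policies, key=lambda p: p.index)
    captured = []
    for pkt in packets:
        for pol in ordered:
            if not pol.capture_status or pol.exhausted() or not pol.matches(pkt):
                continue
            pol.captured += 1
            captured.append((pol.name, pkt["src"], min(pkt["length"], pol.max_packet_length)))
            break                                # assumption: lowest-index match classifies the packet
    return captured


def sample_policies():
    """Constructed policies; a fresh set each call because capture counters are stateful."""
    return [
        DiagnosticsPolicy("web-all", index=2, destination="192.0.2.0/24",
                          max_packet_length=256, capture_status=True),
        DiagnosticsPolicy("noisy-host", index=1, source="10.0.0.5",
                          max_packets=2, capture_status=True),
        DiagnosticsPolicy("disabled", index=3, capture_status=False),
    ]


# Constructed packets: source, destination, inbound port name, length on the wire.
SAMPLE_PACKETS = [
    {"src": "10.0.0.5", "dst": "192.0.2.10", "in_port": "1", "length": 1500},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "in_port": "1", "length": 1500},
    {"src": "10.0.0.5", "dst": "192.0.2.10", "in_port": "1", "length": 1500},
    {"src": "10.0.0.6", "dst": "192.0.2.10", "in_port": "1", "length": 9000},
    {"src": "172.16.0.1", "dst": "192.0.2.20", "in_port": "2", "length": 80},
    {"src": "172.16.0.1", "dst": "203.0.113.1", "in_port": "2", "length": 80},  # no enabled policy matches
]


if __name__ == "__main__":
    for row in run_capture(sample_policies(), SAMPLE_PACKETS):
        print(row)
```

The third packet from 10.0.0.5 falls through to the web-all policy once noisy-host has reached its two-packet limit, and is stored at 256 bytes rather than 1500; that is the interaction between Index, Maximal Number of Packets and Maximal Packet Length that is easy to get wrong when several policies overlap.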
To generate and display the output of the technical-support file on the terminal using the
CLI
> Enter the following command:
manage support display
To generate a technical-support file and send it to a TFTP server using the CLI
> Enter the following command:
manage support tftp put <file name> <TFTP server IP address> [-v]
where:
-v also displays the output of the command on the terminal.
Note: TFTP provides neither authentication nor encryption, and the technical-support file contains
device state such as the Client and ARP tables, so send it only to a TFTP server on a trusted
management network.
To generate and download the technical-support file using Web Based Management
1. Select File > Support. The Download Tech Support Info File pane is displayed.
2. Click Set. A File Download dialog box opens.
3. Click Open or Save and specify the required information.
Term Definition
AMS Attack Mitigation Service.
AMS is a solution offering from Radware, which comprises the following
products:
• DefensePro
• Cloud DDoS Protection (previously DefensePipe)
• DefenseFlow
• AppWall
• Cloud WAF
• APSolute Vision
• ERT—Emergency Response Team
Anomaly An anomaly is unusual or unexpected behavior of traffic patterns or a
protocol.
Attack An attack is a realization of a threat, a malicious action taken against a
network, host, or service.
Attack Signatures Database / Signatures Database Radware’s Attack Signatures database contains
signatures of known attacks.
These signatures are included in the predefined groups and profiles
supplied by Radware to create security protection policies. Each profile
consists of attack signatures with common characteristics intended to
protect a specific application or range of IP addresses.
Behavioral DoS (BDoS) Behavioral DoS (Behavioral Denial of Service) protection defends
networks from zero day network-flood attacks that jam available network
bandwidth with spurious traffic, denying use of network resources for
legitimate users.
BDoS profiles do this by identifying the footprint of the anomalous traffic.
Network-flood protection types include:
• SYN Flood
• TCP Flood, including TCP Fin + Ack Flood, TCP Reset Flood, TCP Syn + Ack Flood, and
TCP Fragmentation Flood
• UDP Flood
• ICMP Flood
• IGMP Flood
Black List You can define DefensePro Black List rules to block certain traffic. Black
List rules are used as exceptions for DefensePro security policies (see
Security policy). You can define Black List rules for a single IP address or
using a Network class.
Term Definition
Certificate Certificates are digitally signed indicators which identify the server or
user. They are usually provided in the form of an electronic key or value.
The digital certificate represents the certification of an individual business
or organizational public key but can also be used to show the privileges
and roles for which the holder has been certified. It can also include
information from a third-party verifying identity. Authentication is needed
to ensure that users in a communication or transaction are who they
claim to be.
Class In DefensePro, classes define groups of elements of the same type of
entity.
DDoS Distributed Denial of Service. In this guide the term is used for such an attack on
a DNS server. A typical attack involves numerous compromised zombie systems
(botnets) sending spoofed domain-name requests to DNS servers, which process the
“legitimate” requests and send replies to the spoofed victims.
When the DNS server is configured to provide recursion, the DNS server,
if the requested domain name isn’t available locally, will query the root
name servers for the IP address. The traffic then traverses the Internet
backbone, affecting the Internet Service Provider and any upstream
provider to reach the intended target.
Radware’s adaptive behavior-based DoS Protection learns the
characteristics of DNS traffic and re-establishes normal traffic behavior
baselines. An embedded decision engine, based on fuzzy logic, constantly
analyzes DNS traffic and detects when deviations from the normal
baselines occur. Upon detection, the system performs an in-depth
analysis of the suspicious DNS packets in order to identify abnormal
appearances of parameters in the packet headers and payload.
Deep Packet Inspection Inspection of the packet’s payload as opposed to only its header. This
enables the security device to perform inspection at the application level.
DME DoS/DDoS mitigation engine.
DoS Denial of Service is an attack intended to consume system resources and
create a temporary loss of service.
ERT Emergency Response Team. Radware’s ERT is an emergency DDoS
service that can stop DDoS attacks fast. This unique emergency DDoS
service is designed to provide 24/7 security services for customers facing
a denial-of-service (DoS) or a distributed denial-of-service (DDoS)
attack, or a malware outbreak. Often, these attacks require immediate
assistance and specialized DDoS prevention techniques.
Exploit An exploit is a program or technique that takes advantage of a software
vulnerability.
The program can be used for breaking security, or otherwise attacking a
host over the network.
Filter In the context of the DefensePro Signature Protection module, filters are
components of a signature. Each filter contains the exact pattern of the
attack. DefensePro scans, classifies and matches packets to the filters in
the Signatures database. Upon a match, the Signature Protection module
takes the configured action.
Term Definition
Heuristic analysis Heuristic analysis is behavior-based analysis, targeted to provide a filter
blocking the abnormal phenomena.
Heuristic analysis is the ability of a virus scanner to identify a potential
virus by analyzing the behavior of the program, rather than looking for a
known virus signature.
Historical security reporting The Attack Mitigation Service (AMS), using APSolute Vision, offers a
built-in security information and event management (SIEM) for historical
security reporting of DefensePro security events.
Inspection port An inspection port is a port on a DefensePro device that you can
configure to receive, inspect, and transmit traffic.
Intrusion An intrusion is an attempted or successful access to system resources in
any unauthorized manner.
Intrusion Detection System (IDS) An IDS applies the latest security or attack expertise to filter
out potentially destructive/malicious events from a much larger amount
of legitimate activity.
There are two system-monitoring approaches:
• NIDS—network-based IDS—monitors all network traffic passing on
the segment where the agent is installed, acting upon suspicious
anomalies or signature-based activity.
• HIDS—host-based IDS—is confined to the local host and monitors
activity in detail, such as command execution, file access, or system
calls.
Organizations generally choose a combination of these approaches,
based on known vulnerabilities.
IPS Intrusion prevention system. That is, a network security appliance that
monitors network and/or system activities for malicious activity. The
main functions of intrusion prevention systems are to identify malicious
activity, log information about this activity, attempt to block/stop it, and
report it.
Intrusion prevention systems are considered extensions of Intrusion
Detection Systems (IDS) because both monitor network traffic and/or
system activities for malicious activity. The main difference is that,
unlike intrusion detection systems, intrusion prevention systems are
placed in-line and are expected to actively prevent/block the
intrusions that they detect.
IP interface An IP interface in DefensePro is comprised of two components: an IP
address and an associated interface. The associated interface can be a
physical interface or a virtual interface (VLAN). IP routing is performed
between DefensePro IP interfaces, while bridging is performed within an
IP interface that contains an IP address associated with a VLAN.
DefensePro is designed to intercept HTTP requests and to redirect them
to a content inspection server farm. The first assumption in designing a
DefensePro network is that the DefensePro device resides on the path
between the clients and both the Internet and the content inspection
servers. This is required since DefensePro needs to intercept the clients'
requests going to the Internet and to manipulate the packets returning
from the content inspection servers to the clients.
Except when using local triangulation or transparent proxy, all traffic
must physically travel through the DefensePro device. This includes
traffic from the users to the Internet and from the content inspection
server farm back to the users.
If there are users statically configured to use a content inspection server,
they should be configured to the DefensePro virtual address. This address
is the access IP address for the content inspection servers. This address
is used only for statically configured users.
Network class A Network class is a type of class in the DefensePro configuration (see
Class). A Network class is identified by a name and defined by a network
address and mask, or by a range of IP addresses (from-to).
NHR A Next-Hop Router (NHR) is a network element with an IP address
through which traffic is routed.
Protection policy Another term for a DefensePro security policy (see Security policy).
Security event reporting DefensePro security events include all events related to attack detection
and mitigation. When an attack is detected, DefensePro creates and
reports a security event, which includes the information relevant to the
specific attack.
Security policy A security policy in an organization is a set of rules that defines what
constitutes a secure network and how DefensePro reacts to security
violations.
You implement a security policy for your organization by using the global
security settings, network classification and protection profiles. You can
define the security policy to suit different network segments down to a
single server, providing comprehensive protection for your organization.
Each policy consists of multiple profiles and the action to be taken when
the device detects an attack.
Server Cracking Protection Radware’s Server Cracking Protection is a behavioral server-based
technology that detects and prevents both known and unknown
application scans and brute-force attacks.
This behavioral protection is part of Radware’s DefensePro Full Spectrum
Protection Technology. The technology includes:
• An adaptive behavioral network-based protection that mitigates
network DoS and DDoS attacks
• Adaptive behavioral user-based protections that mitigate network
pre-attack probes and zero-day worm propagation activities
• Stateful signature-based protections against exploitation attempts of
known application vulnerabilities.
See also Server Cracking Protection Profiles.
Server Cracking Protection Profile A Server Cracking Protection profile provides application-level
protection that identifies excessive frequencies of error responses from
various applications. The profile initiates blocking of hacking sources,
while allowing legitimate traffic to pass through.
Application scanning and authentication brute-force attempts are usually
precursors to more serious exploitation attempts. An attacker tries to
gain access to a restricted section, or to find a known vulnerability, by
sending a list of legitimate-looking requests and analyzing the responses.
Both cracking and scanning attempts are characterized by a higher than
usual number of error responses from the application to a few specific users.
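Detection logic of the kind this profile describes, as an added example that is not DefensePro code: a per-source sliding window over access-log lines that flags a source whose error responses are both numerous and a large share of everything it received. The log lines, addresses and thresholds are constructed for the example.

```python
import re
from collections import defaultdict, deque

# Constructed access-log lines in Common Log Format, with a plain integer
# timestamp in place of the usual date so the example stays self-contained.
SAMPLE_LOG = """\
203.0.113.5 - - [100] "GET /index.html HTTP/1.1" 200
198.51.100.7 - - [100] "GET /admin/ HTTP/1.1" 404
198.51.100.7 - - [101] "GET /backup/ HTTP/1.1" 404
203.0.113.5 - - [101] "GET /images/logo.png HTTP/1.1" 200
198.51.100.7 - - [101] "GET /old/ HTTP/1.1" 404
198.51.100.7 - - [102] "GET /test/ HTTP/1.1" 404
203.0.113.5 - - [103] "GET /missing.css HTTP/1.1" 404
198.51.100.7 - - [103] "GET /private/ HTTP/1.1" 403
192.0.2.9 - - [200] "POST /login HTTP/1.1" 401
192.0.2.9 - - [200] "POST /login HTTP/1.1" 401
192.0.2.9 - - [201] "POST /login HTTP/1.1" 401
192.0.2.9 - - [201] "POST /login HTTP/1.1" 401
192.0.2.9 - - [202] "POST /login HTTP/1.1" 200
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>\d+)\] "[^"]*" (?P<status>\d{3})')


class ErrorRateDetector:
    """Sliding window of responses per source. A source is flagged once its
    4xx responses inside the window reach max_errors AND make up at least
    min_share of everything it received, so a legitimate user with the odd
    404 is left alone while a scanner or password guesser is not."""

    def __init__(self, window=10, max_errors=4, min_share=0.5):
        self.window, self.max_errors, self.min_share = window, max_errors, min_share
        self.history = defaultdict(deque)   # src -> deque of (ts, is_error)

    def observe(self, src, ts, status):
        """Record one response; return True if src now exceeds both thresholds."""
        q = self.history[src]
        q.append((ts, 400 <= status < 500))
        while q and q[0][0] < ts - self.window:   # drop entries outside the window
            q.popleft()
        errors = sum(1 for _, is_err in q if is_err)
        return errors >= self.max_errors and errors / len(q) >= self.min_share


def suspicious_sources(log_text, **thresholds):
    """Replay a log through the detector; return {src: ts at which it was first flagged}."""
    det = ErrorRateDetector(**thresholds)
    flagged = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        src, ts, status = m["src"], int(m["ts"]), int(m["status"])
        if src not in flagged and det.observe(src, ts, status):
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in suspicious_sources(SAMPLE_LOG).items():
        print(f"block candidate {src}: error-rate threshold crossed at t={ts}")
```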
Server Protection Profile Server Protection profiles are designed to defend from network and
application attacks targeting network servers or services, such as:
• Connection limit
• Server cracking
• HTTP Page floods
Server, Reporting A reporting server is the component responsible for running the required
services to display reports to the end user. It may contain a Web server
and provide services for both Eclipse and Web interfaces.
Service A feature that provides protection against a set of attacks.
Signature A signature is a pattern-based analysis, used to search for packets
generated by known network vulnerabilities, application vulnerabilities,
exploitation attempts, and DoS/DDoS attack tools.
Signature Protection module The DefensePro Signature Protection module protects against known
network vulnerabilities, application vulnerabilities, exploitation attempts,
and DoS/DDoS flood attacks.
SME String-matching engine.
Spoof A spoof is when one system entity poses as or assumes the identity of
another entity.
SYN cookie SYN cookies are particular choices of initial TCP sequence numbers by
TCP servers. The difference between the server's initial sequence number
and the client's initial sequence number is:
• Top 5 bits: t mod 32, where t is a 32-bit time counter that increases
every 64 seconds.
• Next 3 bits: an encoding of an MSS selected by the server in
response to the client's MSS.
• Bottom 24 bits: a server-selected secret function of the client IP
address and port number, the server IP address and port number,
and t.
This choice of sequence number complies with the basic TCP requirement
that sequence numbers increase slowly; the server's initial sequence
number increases slightly faster than the client's initial sequence number.
A server that uses SYN cookies does not have to drop connections when
its SYN queue fills up. Instead it sends back a SYN+ACK, exactly as if the
SYN queue had been larger. (Exceptions: the server must reject TCP
options such as large windows, and it must use one of the eight MSS
values that it can encode.) When the server receives an ACK, it checks
that the secret function works for a recent value of t, and then rebuilds
the SYN queue entry from the encoded MSS.
A SYN flood is simply a series of SYN packets from forged IP addresses.
The IP addresses are chosen randomly and don't provide any hint of
where the attacker is. The SYN flood keeps the server's SYN queue full.
Normally this would force the server to drop connections. A server that
uses SYN cookies, however, will continue operating normally. The biggest
effect of the SYN flood is to disable large windows.
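The encoding this entry describes, as an added example that is not code from the DefensePro guide: a Python model of SYN cookie generation and of the stateless check the server performs on the final ACK. HMAC-SHA256 stands in for the server's secret function and the eight-entry MSS table is constructed for the example; both are assumptions, not anything the guide specifies.

```python
import hashlib
import hmac
import ipaddress
import struct

MASK32 = 0xFFFFFFFF
# The eight MSS values the 3-bit field can encode. This table is constructed
# for the example; a real TCP stack has its own.
MSS_TABLE = (64, 256, 512, 536, 1024, 1440, 1452, 1460)


def encode_mss(client_mss):
    """Index of the largest table entry that does not exceed the client's MSS."""
    idx = 0
    for i, mss in enumerate(MSS_TABLE):
        if mss <= client_mss:
            idx = i
    return idx


def _secret24(secret, cip, cport, sip, sport, t):
    """Server-selected secret function of (client IP/port, server IP/port, t),
    truncated to 24 bits. HMAC-SHA256 stands in for the keyed function a real
    stack would use (an assumption of this example)."""
    msg = (ipaddress.ip_address(cip).packed + struct.pack("!H", cport)
           + ipaddress.ip_address(sip).packed + struct.pack("!HI", sport, t & MASK32))
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(secret, cip, cport, sip, sport, client_isn, client_mss, t):
    """Server ISN for the SYN+ACK: the client's ISN plus the encoded cookie.
    Layout of the difference: 5 bits t mod 32 | 3 bits MSS index | 24 secret bits,
    where t is the 32-bit counter that advances every 64 seconds."""
    delta = ((t % 32) << 27) | (encode_mss(client_mss) << 24) | \
        _secret24(secret, cip, cport, sip, sport, t)
    return (client_isn + delta) & MASK32


def check_cookie(secret, cip, cport, sip, sport, ack_seq, ack_num, t_now, max_age=2):
    """Validate the handshake's final ACK without any stored SYN-queue state.
    ack_seq is the ACK's sequence number (client ISN + 1) and ack_num its
    acknowledgment number (server ISN + 1). Returns the MSS to rebuild the
    queue entry with, or None if the cookie is forged or too old."""
    client_isn = (ack_seq - 1) & MASK32
    server_isn = (ack_num - 1) & MASK32
    delta = (server_isn - client_isn) & MASK32
    t_mod, mss_idx, low24 = delta >> 27, (delta >> 24) & 7, delta & 0xFFFFFF
    for age in range(max_age + 1):            # accept only recent values of t
        t = (t_now - age) & MASK32
        if t % 32 == t_mod and _secret24(secret, cip, cport, sip, sport, t) == low24:
            return MSS_TABLE[mss_idx]
    return None


if __name__ == "__main__":
    secret = b"constructed example secret"     # constructed; rotate it in practice
    conn = ("198.51.100.7", 40000, "203.0.113.10", 443)
    isn = make_cookie(secret, *conn, client_isn=123456, client_mss=1460, t=100)
    good = check_cookie(secret, *conn, 123457, (isn + 1) & MASK32, t_now=100)
    forged = check_cookie(secret, *conn, 123457, (isn + 2) & MASK32, t_now=100)
    stale = check_cookie(secret, *conn, 123457, (isn + 1) & MASK32, t_now=103)
    print("valid ACK -> MSS", good, "| forged ->", forged, "| stale ->", stale)
```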
SYN flood A SYN attack/flood is a type of DoS (Denial of Service) attack. SYN flood
attacks are performed by sending a SYN packet without completing the
TCP three-way handshake, referred to as a single-packet attack. Alternatively,
the TCP three-way handshake can be completed, but no data packets are
sent afterwards. Such attacks are known as connection flood attacks.
A SYN packet notifies a server of a new connection. The server then
allocates some memory in order to handle the incoming connection,
sends back an acknowledgment, then waits for the client to complete the
connection and start sending data. By spoofing large numbers of SYN
requests, an attacker can fill up memory on the server, which waits for
more data that never arrives. Once memory has filled up, the server is
unable to accept connections from legitimate clients. This effectively
disables the server. Key point: SYN floods exploit a flaw in the core of the
TCP/IP technology itself. There is no complete defense against this
attack. There are, however, partial defenses. Servers can be configured
to reserve more memory and decrease the amount of time they wait for
connections to complete.
Likewise, routers and firewalls can filter out some of the spoofed SYN
packets. Finally, there are techniques (such as “SYN cookies”) that can
play tricks with the protocol in order to help distinguish good SYNs from
bad ones.
SYN-ACK Reflection Attack Prevention SYN-ACK Reflection Attack Prevention is intended to prevent reflection of
SYN attacks and reduce SYN-ACK packet storms that are created as a
response to DoS attacks.
When a device is under SYN attack, it sends a SYN-ACK packet with an
embedded Cookie, in order to prompt the client to continue the session.
Threat A threat, in Internet security terms, is a person, thing, event, or idea,
that poses a danger to an asset.
A fundamental threat can be any of the following: information leakage,
Denial of Service, integrity violation, and illegitimate use.
Trojan Horse A Trojan horse (also known as a Trojan) is a computer program that
appears benign, but is actually designed to harm or compromise the
system.
It is usually designed to provide unrestricted access into internal
systems, bypassing security monitoring and auditing policies.
Virus A virus is a malicious program code written with the intention to damage
computer systems and to replicate itself to extend the possible damage.
Web application attack A category of attacks, which are crafted to take advantage of
vulnerabilities found in Web servers, vulnerabilities in HTTP, or
application-specific vulnerabilities. Examples of Web application attacks
include cross-site scripting (XSS), SQL injection, and code injection.
White List DefensePro White List rules allow certain traffic without inspection. White
List rules are used as exceptions for DefensePro security policies (see
Security policy). You can define White List rules for a single IP address or
using a Network class.
Worm A worm is a type of computer virus that uses the Internet or local
networks to spread itself by sending copies of itself to other hosts.
Zero-day attack / zero-minute attack A zero-day attack (0-day) or zero-minute attack is an attack on a
vulnerability that no one knows about except for those who discovered it.
A zero-day attack is carried out by exploiting a non-public, unknown
vulnerability. Since there are no known signatures, the attack penetrates
any signature-based security defenses (for example, an intrusion
prevention system). If the exploit passes through a common port and
there are no other defenses, such as behavioral-based or impact-based
techniques, the attack is hard or impossible to stop.
nonexclusive, nontransferable license to copy and modify the Code Samples and create
derivative works based thereon solely for the SDK Purpose and solely on computers within your
organization. The SDK shall be considered part of the term “Software” for all purposes of this
License Agreement. You agree that you will not sell, assign, license, sublicense, transfer, pledge,
lease, rent or share your rights under this License Agreement nor will you distribute copies of
the Software or any parts thereof. Rights not specifically granted herein, are specifically
prohibited.
2. Evaluation Use. Notwithstanding anything to the contrary in this License Agreement, if the
Software is provided to you for evaluation purposes, as indicated in your purchase order or sales
receipt, on the website from which you download the Software, as inferred from any time-
limited evaluation license keys that you are provided with to activate the Software, or otherwise,
then You may use the Software only for internal evaluation purposes (“Evaluation Use”) for a
maximum of 30 days or such other duration as may be specified by Radware in writing at its sole
discretion (the “Evaluation Period”). The evaluation copy of the Software contains a feature that
will automatically disable it after expiration of the Evaluation Period. You agree not to disable,
destroy, or remove this feature of the Software, and any attempt to do so will be a material
breach of this License Agreement. During or at the end of the evaluation period, you may
contact Radware sales team to purchase a Commercial License to continue using the Software
pursuant to the terms of this License Agreement. If you elect not to purchase a Commercial
License, you agree to stop using the Software and to delete the evaluation copy received
hereunder from all computers under your possession or control at the end of the Evaluation
Period. In any event, your continued use of the Software beyond the Evaluation Period (if
possible) shall be deemed your acceptance of a Commercial License to the Software pursuant to
the terms of this License Agreement, and you agree to pay Radware any amounts due for any
applicable license fees at Radware’s then-current list prices.
3. Lab License. Notwithstanding anything to the contrary in this License Agreement, if the
Software is provided to you for use in your lab or for development purposes, as indicated in your
purchase order, sales receipt, the part number description for the Software, the webpage from
which you download the Software, or otherwise, then You may use the Software only for internal
testing and development purposes in your lab but not for any production use purposes.
4. Subscription Software. If you licensed the Software on a subscription basis, your rights to use
the Software are limited to the subscription period. You have the option to extend your
subscription. If you extend your subscription, you may continue using the Software until the end
of your extended subscription period. If you do not extend your subscription, after the expiration
of your subscription, you are legally obligated to discontinue your use of the Software and
completely remove the Software from your system.
5. Feedback. Any feedback concerning the Software including, without limitation, identifying
potential errors and improvements, recommended changes or suggestions (“Feedback”),
provided by you to Radware will be owned exclusively by Radware and considered Radware’s
confidential information. By providing Feedback to Radware, you hereby assign to Radware all of
your right, title and interest in any such Feedback, including all intellectual property rights
therein. With regard to any rights in such Feedback that cannot, under applicable law, be
assigned to Radware, you hereby irrevocably waive such rights in favor of Radware and grant
Radware under such rights in the Feedback, a worldwide, perpetual royalty-free, irrevocable,
sub-licensable and non-exclusive license, to use, reproduce, disclose, sublicense, modify, make,
have made, distribute, sell, offer for sale, display, perform, create derivative works of and
otherwise exploit the Feedback without restriction. The provisions of this Section 5 will survive
the termination or expiration of this Agreement.
6. Limitations on Use. You agree that you will not: (a) copy, modify, translate, adapt or create
any derivative works based on the Software; or (b) sublicense or transfer the Software, or
include the Software or any portion thereof in any product; or (b) reverse assemble,
disassemble, decompile, reverse engineer or otherwise attempt to derive source code (or the
underlying ideas, algorithms, structure or organization) from the Software, in whole or in part,
except and only to the extent: (i) applicable law expressly permits any such action, despite this
limitation, in which case you agree to provide Radware at least ninety (90) days advance written
notice of your belief that such action is warranted and permitted and to provide Radware with an
opportunity to evaluate if the law’s requirements necessitate such action, or (ii) required to
debug changes to any third party LGPL-libraries linked to by the Software; or (c) create,
develop, license, install, use, or deploy any software or services to circumvent, enable, modify
or provide access, permissions or rights which violate the technical restrictions of the Software;
(d) in the event the Software is provided as an embedded or bundled component of another
Radware Product, you shall not use the Software other than as part of the combined Product and
for the purposes for which the combined Product is intended; (e) remove any copyright notices,
identification or any other proprietary notices from the Software (including any notices of Third
Party Software (as defined below); or (f) copy the Software onto any public or distributed
network or use the Software to operate in or as a time-sharing, outsourcing, service bureau,
application service provider, or managed service provider environment. Notwithstanding Section
5(d), if you provide hosting or cloud computing services to your customers, you are entitled to
use and include the Software in your IT infrastructure on which you provide your services. It is
hereby clarified that the prohibitions on modifying, or creating derivative works based on, any
Software provided by Radware, apply whether the Software is provided in a machine or in a
human readable form. It is acknowledged that examples provided in a human readable form
may be modified by a user.
7. Intellectual Property Rights. You acknowledge and agree that this License Agreement does
not convey to you any interest in the Software except for the limited right to use the Software,
and that all right, title, and interest in and to the Software, including any and all associated
intellectual property rights, are and shall remain with Radware or its third party licensors. You
further acknowledge and agree that the Software is a proprietary product of Radware and/or its
licensors and is protected under applicable copyright law.
8. No Warranty. The Software, and any and all accompanying software, files, libraries, data and
materials, are distributed and provided “AS IS” by Radware or by its third party licensors (as
applicable) and with no warranty of any kind, whether express or implied, including, without
limitation, any non-infringement warranty or warranty of merchantability or fitness for a
particular purpose. Neither Radware nor any of its affiliates or licensors warrants, guarantees, or
makes any representation regarding the title in the Software, the use of, or the results of the
use of the Software. Neither Radware nor any of its affiliates or licensors warrants that the
operation of the Software will be uninterrupted or error-free, or that the use of any passwords,
license keys and/or encryption features will be effective in preventing the unintentional
disclosure of information contained in any file. You acknowledge that good data processing
procedure dictates that any program, including the Software, must be thoroughly tested with
non-critical data before there is any reliance on it, and you hereby assume the entire risk of all
use of the copies of the Software covered by this License. Radware does not make any
representation or warranty, nor does Radware assume any responsibility or liability or provide
any license or technical maintenance and support for any operating systems, databases,
migration tools or any other software component provided by a third party supplier and with
which the Software is meant to interoperate.
This disclaimer of warranty constitutes an essential and material part of this License.
In the event that, notwithstanding the disclaimer of warranty above, Radware is held liable
under any warranty provision, Radware shall be released from all such obligations in the event
that the Software shall have been subject to misuse, neglect, accident or improper installation,
or if repairs or modifications were made by persons other than by Radware’s authorized service
personnel.
9. Limitation of Liability. Except to the extent expressly prohibited by applicable statutes, in no
event shall Radware, or its principals, shareholders, officers, employees, affiliates, licensors,
contractors, subsidiaries, or parent organizations (together, the “Radware Parties”), be liable for
any direct, indirect, incidental, consequential, special, or punitive damages whatsoever relating
to the use of, or the inability to use, the Software, or to your relationship with, Radware or any
of the Radware Parties (including, without limitation, loss or disclosure of data or information,
and/or loss of profit, revenue, business opportunity or business advantage, and/or business
interruption), whether based upon a claim or action of contract, warranty, negligence, strict
liability, contribution, indemnity, or any other legal theory or cause of action, even if advised of
the possibility of such damages. If any Radware Party is found to be liable to You or to any third-
party under any applicable law despite the explicit disclaimers and limitations under these
terms, then any liability of such Radware Party, will be limited exclusively to refund of any
license or registration or subscription fees paid by you to Radware.
10. Third Party Software. The Software includes software portions developed and owned by third
parties (the “Third Party Software”). Third Party Software shall be deemed part of the Software
for all intents and purposes of this License Agreement; provided, however, that in the event that
a Third Party Software is a software for which the source code is made available under an open
source software license agreement, then, to the extent there is any discrepancy or inconsistency
between the terms of this License Agreement and the terms of any such open source license
agreement (including, for example, license rights in the open source license agreement that are
broader than the license rights set forth in Section 1 above and/or no limitation in the open
source license agreement on the actions set forth in Section 6 above), the terms of any such
open source license agreement will govern and prevail. The terms of open source license
agreements and copyright notices under which Third Party Software is being licensed to
Radware or a link thereto, are included with the Software documentation or in the header or
readme files of the Software. Third Party licensors and suppliers retain all right, title and interest
in and to the Third Party Software and all copies thereof, including all copyright and other
intellectual property associated therewith. In addition to the use limitations applicable to Third
Party Software pursuant to Section 6 above, you agree and undertake not to use the Third Party
Software as a general SQL server, as a stand-alone application or with applications other than
the Software under this License Agreement.
11. Term and Termination. This License Agreement is effective upon the first to occur of your
opening the package of the Product, purchasing, downloading, installing, copying or using the
Software or any portion thereof, and shall continue until terminated. However, sections 5-15
shall survive any termination of this License Agreement. The Licenses granted under this License
Agreement are not transferable and will terminate upon: (i) termination of this License
Agreement, or (ii) transfer of the Software, or (iii) in the event the Software is provided as an
embedded or bundled component of another Radware Product, when the Software is un-bundled
from such Product or otherwise used other than as part of such Product. If the Software is
licensed on subscription basis, this Agreement will automatically terminate upon the termination
of your subscription period if it is not extended.
12. Export. The Software or any part thereof may be subject to export or import controls under
applicable export/import control laws and regulations including such laws and regulations of the
United States and/or Israel. You agree to comply with such laws and regulations, and, agree not
to knowingly export, re-export, import or re-import, or transfer products without first obtaining
all required Government authorizations or licenses therefor. Furthermore, You hereby covenant
and agree to ensure that your use of the Software is in compliance with all other foreign,
federal, state, and local laws and regulations, including without limitation all laws and
regulations relating to privacy rights, and data protection. You shall have in place a privacy
policy and obtain all of the permissions, authorizations and consents required by applicable law
for use of cookies and processing of users’ data (including without limitation pursuant to
Directives 95/46/EC, 2002/58/EC and 2009/136/EC of the EU if applicable) for the purpose of
provision of any services.
13. US Government. To the extent you are the U.S. government or any agency or instrumentality
thereof, you acknowledge and agree that the Software is a “commercial computer software” and
“commercial computer software documentation” pursuant to applicable regulations and your use
of the Software is subject to the terms of this License Agreement.
14. Governing Law. This License Agreement shall be construed and governed in accordance with
the laws of the State of Israel.
15. Miscellaneous. If a judicial determination is made that any of the provisions contained in this
License Agreement is unreasonable, illegal or otherwise unenforceable, such provision or
provisions shall be rendered void or invalid only to the extent that such judicial determination
finds such provisions to be unreasonable, illegal or otherwise unenforceable, and the remainder
of this License Agreement shall remain operative and in full force and effect. In any event a
party breaches or threatens to commit a breach of this License Agreement, the other party will,
in addition to any other remedies available to it, be entitled to injunctive relief. This License
Agreement constitutes the entire agreement between the parties hereto and supersedes all prior
agreements between the parties hereto with respect to the subject matter hereof. The failure of
any party hereto to require the performance of any provisions of this License Agreement shall in
no manner affect the right to enforce the same. No waiver by any party hereto of any provisions
or of any breach of any provisions of this License Agreement shall be deemed or construed
either as a further or continuing waiver of any such provisions or breach waiver or as a waiver of
any other provision or breach of any other provision of this License Agreement.
IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE YOU MUST REMOVE THE
SOFTWARE FROM ANY DEVICE OWNED BY YOU AND IMMEDIATELY CEASE USING THE
SOFTWARE.
COPYRIGHT © 2016, Radware Ltd. All Rights Reserved.