Arbor SP 8.4.0-Release Notes 20180411


Arbor Networks SP 8.4 Release Notes

The information contained within this document is subject to change without notice. Arbor Networks, Inc.
makes no warranty of any kind with regard to this material, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. Arbor Networks, Inc. shall not be liable
for errors contained herein or for any direct or indirect, incidental, special, or consequential damages in
connection with the furnishings, performance, or use of this material.
Copyright © 2018 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo,
ArbOS, and ATLAS are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of
their respective owners. Proprietary and Confidential Information of Arbor Networks, Inc.
Document Number: SP_ RN-84-2018/04
11 April 2018


Contents
Introduction
Arbor Networks SP 8.4 Release Notes
New Features in Arbor Networks SP 8.4
Flow specification auto-mitigations
New misuse types: CLDAP amplification and memcached amplification
Support for managed objects that match both IPv4 and IPv6 prefixes
Support for IPv4 and IPv6 auto-mitigations in the same managed object
Custom blackhole nexthop template values
Arbor-recommended shared host detection settings
ATLAS Global DDoS Report
AIF templates
SP Insight: Facet relationships visualization method
SP Insight: Enhanced filtering
SP Insight: Router flow ingestion limiting
SP Insight: Custom facets
Enhancements in Arbor Networks SP 8.4
Security Summary wizard report content type supports user-defined time periods
Expanded duration for learning mitigations
PKCS#8-format SSL certificates are supported
SSL certificates can be uploaded to any leader regardless of appliance’s role
Resources for alert notifications can be specified by IPv6 CIDR block
SNMP trap destinations for notification groups can be specified by port number, hostname
TMS auto-mitigations reuse for multiple alerts
SP Insight: Facet descriptions available in the Add/Edit Facet window
SP Insight: Web UI improvements
SP Insight: Traffic calculation options added
SP Insight: New filter box design
SP Insight: Performance increases
SP REST API additional endpoints and enhancements
Changes in Behavior in Arbor Networks SP 8.4
Destination prefixes in flow specification mitigations
IP version setting for learning mitigations
Password requirements
Default maximum number of login failures
Unused ATLAS tabs and reports removed
Change in deployment status graphs in the SP user interface
vTMS renamed to Software TMS in the SP user interface
SP Insight: Changes to facet values
SP Insight: Links to SP Insight filter query result pages may require updating
SP Insight: Reported traffic volume is similar to volume reported by SP
SP Insight: Unused facets deleted
SP REST API: page and perPage query error key name changed from V.3 to V.4
Upgrade Information for Arbor Networks SP 8.4
Deployments that use flexible licensing require a new license file
Leader device must be upgraded first
Upgrading requires a current maintenance and support contract
Supported upgrade paths for Arbor Networks SP 8.4
Multi-version compatibility
Using SP Insight in an SP 8.4 deployment
Wizard and Classic XML Reports Are Not Synchronized Between User Interface Devices
System Requirements for Arbor Networks SP 8.4
Supported Models
Supported Web Browsers
Router Requirements
Communication Ports
Fixed Issues in Arbor Networks SP 8.4
Known Issues in Arbor Networks SP 8.4
Other Things to Know about Arbor Networks SP 8.4
Create a Backup after Conversion to Flexible Licensing
High CPU Load Averages
Dynamic Subscriber Interfaces
SP Interface Handling
Untracked Interfaces
Additional Information
Downloading the Software
Contacting Arbor Technical Assistance Center
Documentation for Arbor Networks SP 8.4
Appendixes
Appendix A: Notification Changes from SP/TMS 7.6 to SP/TMS 8.4
Miscellaneous changes to arbornet-sp.mib
GRE Tunnel Down Alerts Include GRE tunnel name
Profiled Router Alerts
Alert Message Notifications
Notifications Include Diversion and Protection Prefixes


Introduction
This document includes release information about Arbor Networks SP 8.4. Release information about
TMS 8.4.0 is in a separate document.
The Arbor Networks SP 8.4 software release is Generally Available from April 12, 2018 until April 12,
2020, at which time it will go End of Maintenance.

Arbor Networks SP 8.4 Release Notes


New Features in Arbor Networks SP 8.4
Flow specification auto-mitigations
You can configure SP to use flowspec to automatically mitigate IPv4 traffic when host detection detects
certain misuse types. Auto-mitigations that use flowspec allow you to mitigate common attacks by using
the flowspec features of the network's routers, thus conserving your deployment's TMS resources.
Flowspec auto-mitigations are enabled on a per-managed object basis, and can be enabled only for
customer managed objects.
The following table describes settings related to flowspec auto-mitigations.

| Setting | Description |
| --- | --- |
| Host detection settings | Administration > Monitoring > Managed Objects > Host Detection. These settings determine the criteria used by host detection to detect attacks. They apply on a per-managed object basis. |
| Mitigation settings | Administration > Monitoring > Managed Objects > Mitigation > IPv4 Flowspec Auto-Mitigations. These settings determine whether flowspec auto-mitigations are enabled for a customer managed object. They apply on a per-managed object basis. |
| System-wide settings | Administration > Mitigation > IPv4 Flowspec Auto-Mitigation Settings. These settings determine how flowspec auto-mitigations are carried out. They apply to all flowspec auto-mitigations. |

Note: Flowspec auto-mitigations apply only to IPv4 traffic.


For more information about this feature, see “Configuring Flow Specification Auto-Mitigation Settings” in
the SP and TMS User Guide.

New misuse types: CLDAP amplification and memcached amplification


SP 8.4 adds support for new misuse types. The following misuse types are available for host detection,
flow specification auto-mitigations, and UDP reflection/amplification protection countermeasures.
• CLDAP amplification: Can help detect and mitigate connectionless LDAP reflection/amplification
attacks, which use the UDP protocol and source port 389.
• memcached amplification: Can help detect and mitigate memcached reflection/amplification attacks,
which use the UDP protocol and source port 11211.
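
The two signatures above (UDP, source port 389 or 11211) can be applied to exported flow records as in the following added example, which is not Arbor code and does not reproduce SP's host detection algorithm. The `Flow` record layout, the 60-second window, and the 1 Mbps threshold are assumptions chosen for illustration, and the sample flows are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

UDP = 17  # IANA protocol number for UDP

# Signatures as stated in the release notes: UDP traffic identified by source port.
AMPLIFICATION_SIGNATURES = {
    389: "CLDAP amplification",
    11211: "memcached amplification",
}


@dataclass(frozen=True)
class Flow:
    """Hypothetical flow-record layout (not an SP data structure)."""
    src_ip: str
    dst_ip: str
    protocol: int
    src_port: int
    dst_port: int
    octets: int


def detect_amplification(flows, window_seconds, bps_threshold):
    """Sum reflected UDP traffic per (destination host, misuse type) and
    return one alert dict for each pair whose rate meets the threshold."""
    totals = defaultdict(lambda: {"octets": 0, "sources": set()})
    for flow in flows:
        if flow.protocol != UDP:
            continue  # LDAP over TCP/389 is not CLDAP
        misuse_type = AMPLIFICATION_SIGNATURES.get(flow.src_port)
        if misuse_type is None:
            continue  # the signature is the source port of the reflected reply
        entry = totals[(flow.dst_ip, misuse_type)]
        entry["octets"] += flow.octets
        entry["sources"].add(flow.src_ip)

    alerts = []
    for (dst_ip, misuse_type), entry in sorted(totals.items()):
        bps = entry["octets"] * 8 / window_seconds
        if bps >= bps_threshold:
            alerts.append({
                "dst_ip": dst_ip,
                "misuse_type": misuse_type,
                "bps": bps,
                "reflectors": len(entry["sources"]),
            })
    return alerts


# Constructed sample: one 60-second window, documentation address ranges only.
SAMPLE_FLOWS = [
    # Two memcached reflectors answering toward the same host.
    Flow("203.0.113.5", "198.51.100.10", UDP, 11211, 40000, 6_000_000),
    Flow("203.0.113.6", "198.51.100.10", UDP, 11211, 40001, 4_500_000),
    # A single small CLDAP reply: matches the signature, stays under threshold.
    Flow("203.0.113.7", "198.51.100.20", UDP, 389, 51000, 3_000),
    # LDAP over TCP from port 389: wrong protocol, ignored.
    Flow("192.0.2.9", "198.51.100.10", 6, 389, 52000, 9_000_000),
    # Client request *to* port 11211: destination port, not source port, ignored.
    Flow("198.51.100.30", "192.0.2.50", UDP, 50000, 11211, 9_000_000),
    # High-volume CLDAP replies toward another host.
    Flow("203.0.113.8", "198.51.100.40", UDP, 389, 53000, 15_000_000),
]

if __name__ == "__main__":
    for alert in detect_amplification(SAMPLE_FLOWS, 60, 1_000_000):
        print(alert)
```
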

Support for managed objects that match both IPv4 and IPv6 prefixes
You can now create managed objects that match both IPv4 and IPv6 prefixes. This allows you to
streamline the management of your deployment by including its resources in fewer managed objects.
This feature applies to managed objects with the following match types:
• Advanced Boolean Matching
• AS Path Regular Expression
• CIDR Blocks
• Communities
• Extended Communities
• Interfaces
• Interface Groups
• Local ASN
• Peer ASN
• TMS Ports
For managed objects with the CIDR Blocks match type, you can specify both IPv4 and IPv6 prefixes as
the Match Values. Note that the IPv6 CIDR Blocks match type has not been deprecated; it can still be
used to create managed objects that match only IPv6 prefixes.

General notes for managed objects that match both IPv4 and IPv6 prefixes

Keep the following in mind if your deployment includes managed objects that match both IPv4 and IPv6
prefixes:
• Alerts are generated separately for IPv4 and IPv6 traffic.
• Auto-mitigations are started separately for IPv4 and IPv6 traffic.
• Most reports do not include information about IPv6 traffic. If a managed object matches both IPv4 and
IPv6 prefixes, most reports for that managed object include only IPv4 traffic.
• Some reports combine both IPv4 and IPv6 traffic. If you need to view separate reports for IPv4 and
IPv6 traffic, create separate managed objects for IPv4 and IPv6 prefixes.

Profiled network detection for managed objects that match both IPv4 and IPv6 prefixes

When using profiled network detection with managed objects that match both IPv4 and IPv6 prefixes,
note the following limitations:
• If a managed object matches both IPv4 and IPv6 prefixes, the baselines calculated for profiled
network detection consider the combination of both IPv4 and IPv6 traffic.
• Profiled network detection generates alerts for IPv4 traffic only.
• If a managed object matches both IPv4 and IPv6 prefixes, IPv4 traffic must exceed the baselines that
were calculated from a combination of both IPv4 and IPv6 traffic in order for an alert to be generated.
For these reasons, if you are using profiled network detection for a managed object, we recommend
creating separate managed objects for IPv4 prefixes and IPv6 prefixes.

Constrain protected prefixes setting for managed objects that match both IPv4 and IPv6 prefixes

As in previous versions of SP, if you set constraint prefixes, auto-mitigations protect only prefixes that fall
within the constraint prefixes. In SP 8.4, because both IPv4 and IPv6 prefixes can be auto-mitigated as
part of the same managed object, some caution is required when setting constraint prefixes for managed
objects that match both IPv4 and IPv6 prefixes.
For example, if the managed object matches both IPv4 and IPv6 prefixes and you specify only IPv4
prefixes for the Constrain Protected Prefixes setting on the managed object’s Mitigation tab, IPv6
prefixes are not auto-mitigated.
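
The following added example (not Arbor code) audits a managed object's match prefixes against its constraint prefixes before the settings are saved, so that an IPv6 prefix left outside the constraints is caught in review rather than during an attack. The function name, the report keys, and the "partial" category for prefixes that overlap a constraint without being contained in it are assumptions of this sketch; the prefixes are constructed documentation ranges.

```python
import ipaddress


def audit_constraints(match_values, constraint_values):
    """Classify each match prefix against the constraint prefixes.

    within  : contained in a constraint prefix of the same IP version
    partial : overlaps a constraint prefix but is not contained in it
              (flagged for review; how SP treats this case is not stated
              in the release notes)
    outside : no overlap with any constraint prefix
    """
    match = [ipaddress.ip_network(p) for p in match_values]
    constraints = [ipaddress.ip_network(p) for p in constraint_values]
    report = {
        "within": [],
        "partial": [],
        "outside": [],
        "versions_without_constraints": [],
    }

    if not constraints:
        # No constraint prefixes set, so nothing is filtered out.
        report["within"] = [str(net) for net in match]
        return report

    for net in match:
        # subnet_of() and overlaps() require both networks to share an IP version.
        same_version = [c for c in constraints if c.version == net.version]
        if any(net.subnet_of(c) for c in same_version):
            report["within"].append(str(net))
        elif any(net.overlaps(c) for c in same_version):
            report["partial"].append(str(net))
        else:
            report["outside"].append(str(net))

    # The case called out in the release notes: an IP version that the managed
    # object matches but for which no constraint prefix was entered at all.
    matched_versions = {net.version for net in match}
    constrained_versions = {c.version for c in constraints}
    report["versions_without_constraints"] = sorted(
        matched_versions - constrained_versions
    )
    return report


# Constructed sample: a dual-stack managed object with IPv4-only constraints.
SAMPLE_MATCH = [
    "198.51.100.0/24",
    "203.0.113.0/24",
    "192.0.2.0/24",
    "2001:db8:100::/48",
]
SAMPLE_CONSTRAINTS = ["198.51.100.0/24", "203.0.113.128/25"]

if __name__ == "__main__":
    for key, value in audit_constraints(SAMPLE_MATCH, SAMPLE_CONSTRAINTS).items():
        print(f"{key}: {value}")
```
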


Support for IPv4 and IPv6 auto-mitigations in the same managed object
SP can create auto-mitigations that apply to IPv4 and IPv6 traffic associated with the same managed
object. Auto-mitigations are started separately for IPv4 and IPv6 traffic.
These settings are found on the managed object’s Mitigation tab. Note that some settings apply to IPv4
or IPv6 traffic only, and some settings apply to both IPv4 and IPv6 traffic. For example:
• You can select the auto-mitigation template that applies to IPv4 traffic and IPv6 traffic separately
using the Auto-Mitigation Template – IPv4 setting and the Auto-Mitigation Template – IPv6
setting.
• You can enable alert-triggered auto-mitigations that mitigate both IPv4 and IPv6 traffic by selecting
Alert-triggered.
• You can enable traffic-triggered auto-mitigations by selecting IPv4 Traffic-triggered, but it applies to
IPv4 traffic only.
For details, refer to the SP and TMS User Guide.

Custom blackhole nexthop template values


In addition to the default blackhole nexthop template values that SP uses to inject blackhole routes, you
can now use the CLI to add custom blackhole nexthop template values. When using the CLI, you can add
template values one at a time and in bulk. After you add template values, they are available on the Edit
Blackhole Nexthop Template Values page (Administration > Mitigation > Blackhole Nexthops).
For information about this feature, see “Configuring Custom Blackhole Nexthop Templates” in the SP and
TMS Advanced Configuration Guide.

Arbor-recommended shared host detection settings


A set of host detection settings recommended by Arbor is available on the Shared Host Detection
Settings page (Administration > Detection > Shared Host Detection Settings). The set of shared host
detection settings is named “Arbor recommendations - early 2018”. It includes the new misuse types
added in SP 8.4, CLDAP amplification and memcached amplification.
For information about this feature, see “About the Shared Host Detection Settings Page” in the SP and
TMS Advanced Configuration Guide.

ATLAS Global DDoS Report


The new ATLAS Global DDoS page allows you to view the latest information about the global DDoS
threats seen by customers that participate in the ATLAS visibility program.
The Global DDoS page (Reports > Atlas > Global DDoS) contains the ATLAS Global DDoS Report, a
monthly report created by ASERT (Arbor Security Engineering and Response Team). ASERT leverages
ATLAS's internet intelligence and the feedback it receives from SP deployments around the world to
generate the ATLAS Global DDoS Report. The report includes unique insights about the global DDoS
landscape. The ATLAS Global DDoS Report is currently available exclusively to Arbor SP and Arbor APS
customers.
The Global DDoS page is updated automatically each month with the latest report. The page will be
updated more frequently if ASERT gathers new intelligence that it determines should be shared with SP
customers.
Note: To view ATLAS report features, your deployment must participate in the ATLAS visibility program
(Administration > ATLAS > ATLAS Visibility). For information about this feature, see “ATLAS Visibility”
in the SP and TMS Advanced Configuration Guide.


AIF templates
If your SP deployment includes TMS, you can now use AIF templates to quickly and easily configure TMS
mitigation templates to block new types of DDoS attacks. AIF templates contain attack-specific settings
for TMS countermeasures. These settings correspond to settings in TMS mitigations and TMS mitigation
templates. With a valid ATLAS Intelligence Feed (AIF) license, you can download the latest AIF templates
automatically or on demand.
The Arbor Security Engineering and Response Team (ASERT) continually configures new AIF templates
to block new types of attacks. The settings in AIF templates reflect the most recent ATLAS intelligence
and the ASERT team’s extensive research, analysis, and experience.

Choosing an AIF template

You can merge the settings in an AIF template with the corresponding settings in one or more TMS
mitigation templates. To help you choose the best AIF template to merge, see the list of available AIF
templates on the new AIF Templates page in SP 8.4 (Administration > Mitigation > AIF Templates).
On the AIF Templates page, each list item shows the name and detailed description for an AIF template.
The name tells you the types of attacks that the AIF template can mitigate. The description tells you what
mitigation settings the AIF template contains and how to use them properly. The list also tells you when
the AIF template was last updated, and which versions of SP are compatible with the settings in that AIF
template.
Note: SP can be configured to notify you when it downloads new or changed AIF templates from the AIF
feed. To immediately download the latest AIF templates, click Update Now at the top of the
AIF Templates page.

Merging an AIF template with TMS mitigation templates

When you are ready to create new TMS mitigation templates that contain the settings in an AIF
template, go to the Mitigation Templates page (Administration > Mitigation > AIF Templates). Select
one or more TMS mitigation templates in the list and then select Merge AIF Template.
In the Merge AIF Template dialog, select an AIF template to merge, and then choose Save Merged
Templates. SP merges the AIF template with each selected TMS mitigation template. Then, SP saves
each merged template as a new, separate template. Each new TMS mitigation template contains the
settings from the AIF template. They also contain legacy settings that the merge did not change. You can
apply the new, merged templates to the TMS mitigations in your deployment.
For more information about AIF templates, see "About ATLAS Intelligence Feed (AIF) Templates for TMS
Mitigations" and "Merging an AIF Template with TMS Mitigation Templates" in the SP and TMS User
Guide.

SP Insight: Facet relationships visualization method


SP Insight can now display relationships between multiple facets in a Sankey diagram. This new
visualization method is available on the Facet Relationships tab of the SP Insight page.
The facet relationships diagram makes it easy to visualize the volume of traffic moving between network
elements. It is particularly useful when you want to identify the elements of your network that are carrying
the largest amounts of traffic over time, rather than individual high-traffic and low-traffic incidents that
occur in a time period.

SP Insight: Enhanced filtering


SP Insight now provides several new powerful and flexible filtering features.
As with earlier versions of SP Insight, you can create a filter by selecting facets and choosing specific
values for each facet. In SP Insight 8.4, however, you can create a filter by selecting facets without
choosing a value, thereby displaying the top-traffic facets.


The following table describes example SP Insight filter box settings and their results. The first example
describes functionality available in earlier versions of SP Insight; the other examples describe
functionality that is new to SP Insight in SP 8.4.

| Example No. | Facet | Value | Result |
| --- | --- | --- | --- |
| 1 | Customer= | ABC | SP Insight displays all of customer ABC’s traffic on TCP port 443. |
| | TCP Port= | 443 | |
| 2 | Customer= | (no value) | SP Insight displays the top combinations of customer and TCP port 443 traffic. |
| | TCP Port= | 443 | |
| 3 | Customer= | (no value) | SP Insight displays the top combinations of customer and TCP port traffic. |
| | TCP Port= | (no value) | |
| 4 | Customer= | (no value) | SP Insight displays the top combinations of customer and TCP port traffic that is IPv4. |
| | TCP Port= | (no value) | |
| | IP Version= | 4 | |

SP Insight: Router flow ingestion limiting


In earlier versions of SP, you could limit the flow sent to SP Insight to flow that matched certain managed
objects. In SP 8.4, you can also limit the flow sent to SP Insight to flow that matches certain routers. You
might do this to exclude routers that you are not interested in viewing in SP Insight. Limiting the flow can
result in faster response times in SP Insight because you see only part of your full traffic.
Limiting SP Insight flow is done through the Command Line Interface (CLI). For additional information on
the CLI, see “Using CLI Commands” in the SP and TMS Advanced Configuration Guide.
The commands used for router flow ingestion limiting are listed below.

| Command | Result |
| --- | --- |
| services sp device insight limit_ingestion_routers enable | Enables limiting flow by router. |
| services sp device insight limit_ingestion_routers disable | Disables limiting flow by router. |
| services sp device insight limit_ingestion_routers show | Displays whether limiting flow by router is enabled or disabled. |
| services sp device insight limit_routers_set add name | Adds the router specified by name to the set of routers that may send flow to SP Insight. |
| services sp device insight limit_routers_set delete name | Deletes the router specified by name from the set of routers that may send flow to SP Insight. |
| services sp device insight limit_routers_set show | Shows the current set of routers that may send flow to SP Insight. |
| services sp device insight limit_routers_set clear | Clears the list of routers that may send flow to SP Insight. |

SP Insight: Custom facets


You can use the new insight/tagrules endpoint of the SP REST API to create rules that assign
custom facets and facet values to flow records. Once the flow records have been tagged according to the
rules, you can select and view this traffic in SP Insight just as you would view any other traffic.


Each rule contains the following attributes:


• filter_criteria: Specifies the traffic that is tagged with a custom facet and value.
• tag: Specifies the custom facets and values that are assigned to the specified traffic.
• valid_from: Specifies the start of the time period during which tags are applied to traffic.
• valid until (optional): Specifies the end of the time period during which tags are applied to traffic.
For information about using this endpoint, navigate to Administration > REST API Documentation in
the SP web UI.


Enhancements in Arbor Networks SP 8.4


Security Summary wizard report content type supports user-defined time periods
The Security Summary content type now allows you to specify the time period that is detailed in the
report.

Expanded duration for learning mitigations


The duration for learning mitigations has been expanded to 1-hour intervals between 1 and 24 hours.
Increasing the duration of learning mitigations allows you to sample a longer portion of your network
traffic and create a more accurate picture of normal network conditions.

PKCS#8-format SSL certificates are supported


Custom SSL certificates in PKCS#8 format are now supported.
This enhancement is a result of SP fixed issue 66536.

SSL certificates can be uploaded to any leader regardless of appliance’s role


In a small deployment, an appliance with the traffic and routing analysis role can also function as the
leader appliance. In this case, the SSL Certificates tab now appears in the leader's web UI even if the
leader appliance provides the traffic and routing analysis role.
This enhancement is a result of SP fixed issue 82686.

Resources for alert notifications can be specified by IPv6 CIDR block


When adding or editing a notification rule on the Rule-Based Notification page (Administration >
Notification > Rules), you can now specify a resource by entering an IPv6 CIDR block.

SNMP trap destinations for notification groups can be specified by port number, hostname
When adding or editing a notification group on the Notification Groups page (Administration >
Notification > Groups), you can now specify the SNMP trap destination by IP address:port,
hostname, and hostname:port.
Note: Destinations that contain port numbers and hostnames are removed when sending SNMP trap
information to the TMS. Therefore, when configuring the notification group that is used as the default
notification group, enter at least one destination that is specified by IP address only. For more
information, see “Configuring Notification Groups” in the SP and TMS Advanced Configuration Guide.
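
The note above can be turned into a pre-change check on the default notification group's destination list, as in this added example (not Arbor code). It reads the note as meaning that any destination carrying a port number or a hostname is removed before trap information is sent to the TMS; the function names and sample destinations are constructed for illustration.

```python
import ipaddress


def _is_ip(text):
    """True if text is a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def classify_destination(dest):
    """Return 'ip', 'ip:port', 'hostname' or 'hostname:port' for one entry."""
    dest = dest.strip()
    if _is_ip(dest):
        return "ip"  # also covers a bare IPv6 address, which contains colons
    host, sep, port = dest.rpartition(":")
    if sep and port.isdigit() and 0 < int(port) <= 65535:
        # Brackets are tolerated around an IPv6 literal that carries a port.
        return "ip:port" if _is_ip(host.strip("[]")) else "hostname:port"
    return "hostname"


def check_default_group(destinations):
    """Split destinations into those that reach the TMS and those removed,
    and report whether at least one IP-only destination remains."""
    kept = [d for d in destinations if classify_destination(d) == "ip"]
    removed = [d for d in destinations if classify_destination(d) != "ip"]
    return {"ok": bool(kept), "sent_to_tms": kept, "removed": removed}


# Constructed sample destination lists for a default notification group.
ONLY_NEW_FORMS = ["192.0.2.10:1162", "traps.example.net", "traps.example.net:162"]
WITH_IP_ONLY = ONLY_NEW_FORMS + ["192.0.2.11"]

if __name__ == "__main__":
    print(check_default_group(ONLY_NEW_FORMS))
    print(check_default_group(WITH_IP_ONLY))
```
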

TMS auto-mitigations reuse for multiple alerts


In addition to host alerts, TMS auto-mitigations can now be reused for multiple profiled router alerts and
multiple profiled network alerts. When auto-mitigations are reused, CIDR blocks are added and removed
from the auto-mitigations as necessary to protect the prefixes that are associated with the alerts.
This enhancement is a result of SP fixed issue 83126.

SP Insight: Facet descriptions available in the Add/Edit Facet window


When adding or editing a facet in the Add Facet or Edit Facet window on the SP Insight page, a description of
the selected facet is displayed in the window. The descriptions and examples of accepted values are also
available in the documentation; see “About the SP Insight Filter” in the SP and TMS Advanced
Configuration Guide.


SP Insight: Web UI improvements


The SP Insight web UI is now divided into the following sections:
• Control bar: Displayed at the top of the SP Insight page. Allows you to specify the criteria of the traffic
that you want to investigate.
• Summary tab: Displays a summary of the traffic specified in the control bar, both in graph and in
table form.
• Relationships tab: Uses a Sankey diagram to help you visualize the volume of traffic moving
between facets. See “SP Insight: Facet relationships visualization method”.
• Top Contributors tab: Allows you to display the top traffic contributors of certain facets within the
traffic specified in the control bar.
• Raw Flows tab: Displays raw flow records for the traffic specified in the control bar.

SP Insight: Traffic calculation options added


Similar to the Current, Average, Max., and PCT95 calculation options that are available on the Explore
Traffic page, you can now select the following calculation options on the SP Insight page.
• Last: Displays the values of the last traffic logged for the selected time period.
• Average: Displays the average of all traffic for the selected time period.
• Max.: Displays the maximum of all traffic for the selected time period.
• PCT95: Displays the 95th percentile of all traffic for the selected time period.

SP Insight: New filter box design


The SP Insight Filter box was redesigned and provides more functionality. As in previous versions of SP
Insight, the filter box allows you to select facets and values that can be used as a display filter. Additional
features allow you to:
• View the top combinations of multiple facets
• View the top values for each facet, without specifying specific values
These new features allow you to explore and discover relationships and trends in your network traffic
easily.

SP Insight: Performance increases


Overall performance of SP Insight was improved. Queries that cover longer time periods and more facets
are possible, and query results are now returned faster.


SP REST API additional endpoints and enhancements

Version upgrade

The SP REST API was upgraded from version 3 in SP 8.3 to version 4 in SP 8.4.
For descriptions of breaking changes from version 3 to version 4, see Administration > REST API
Documentation > Breaking Changes > V.4 Breaking Changes in the SP UI.

New endpoints

The following endpoints were added to the SP REST API in version 4:

New endpoint                                              Supported methods
/global_afsm_settings                                     GET, PATCH
/insight/tagrules/                                        GET, POST
/insight/topn_timeseries                                  GET, POST
/alerts/<alert_id>/source_ip_addresses                    GET, POST [1], PATCH [2]
/alerts/<alert_id>/misuse_types_thresholds/               GET, POST [1], PATCH [2]
/alerts/<alert_id>/profiled_router_traffic_thresholds/    GET, POST [1], PATCH [2]
/alerts/<alert_id>/profiled_network_traffic               GET, POST [1], PATCH [2]
/alerts/<alert_id>/profiled_network_traffic_thresholds    GET, POST [1], PATCH [2]
/tms_filter_list_requests/                                GET, POST
/tms_filter_list_requests/<process_id>                    GET
/tms_filter_lists/<filter_list_id>/entries/               PATCH

[1] POST is supported for alerts with the alert_type attribute cloud_mit_request only.
[2] PATCH is supported for the ticket and classification attributes only.

Updated endpoints

The following endpoints were updated in version 4 with significant new functionality:
• /alerts/
Added the ability to create a new ticket attribute and/or a new classification attribute in a POST
request. You can only POST a new alert if the alert_type attribute is cloud_mit_request. The
ticket value can be any alphanumeric string. For descriptions of alert classification types, see “About
Alert Classification” in the SP and TMS User Guide.
• /alerts/<alert_id>/
▪ Added the mitigation relationship. An alert can have more than one mitigation so the
relationship is “to-many”. The relationship data for each mitigation associated with an alert has a
separate id. The relationship type is mitigation for all mitigation relationships.
▪ Added the ability to PATCH the ticket attribute and/or the classification attribute for an alert
with any alert_type attribute. The ticket value can be any alphanumeric string. See New ways
to POST and PATCH ticket and classification data with alerts endpoints on page 15.
• /alerts/ and /alerts/<alert_id>/
Added support for the include parameter. This parameter value is a comma-separated list of
relationships and/or paths to “nested” relationships. Use dot separators in relationship paths. For
example:
..?include=annotations,traffic.protocols
Note: Relationship paths in the include parameter can have any number of nested relationships.


• /alerts/<alert_id>/traffic
The traffic endpoint for an alert now lists all 13 alert traffic relationships, even if one or more of
those relationships has no data.
• /insight/timeseries and /insight/topn
The calculation attribute was added. This attribute allows the API to return traffic data that is
calculated using one of four different methods (last, average, max, and pct95).
• /managed_objects/
▪ The match value specified for managed objects with the cidr_blocks match type can now
include both IPv4 and IPv6 prefixes.
▪ Added the mitigation_flowspec_auto_enabled parameter, which allows SP to use flow
specification to auto-mitigate traffic associated with the corresponding managed object. The
global settings that determine how flow specification auto-mitigations are carried out are in the
new global_afsm_settings endpoint.
▪ Added support for a compatibility flag (?compat=managed_objects_v4) that allows you to
continue to use older versions of the SP REST API with the managed_objects endpoint.
• /mitigations/
▪ Flowspec mitigations (mitigations with the flowspec sub-type) now support POST, PATCH, and
DELETE.
For more information about these endpoints, navigate to Administration > REST API Documentation >
SP API V.4 REST Interface in the SP web UI.

Authorization-based access to SP through the SP REST API

Before SP 8.4, all users had administrator access to SP features and data through the SP REST API. As
of SP 8.4, this is no longer the case.
In SP 8.4, your access to SP features and data through the REST API now depends on the following
authorizations that are configured in the SP UI:
• The scoping for your account group (i.e., the managed objects assigned to your account group).
• The capabilities assigned to your account group.
• Whether or not your account group is a managed services group deployed by a managed security
service provider (“mssp”).
How scoping affects access to SP through the SP REST API
Your access to SP through the REST API is scoped to your account group's assigned managed objects
(if any) and their child managed objects.
As a scoped user, you can do the following with managed object data in the SP REST API:
• GET, PATCH, or DELETE managed object data within your scope.
• POST a new child managed object if the parent managed object is assigned to your account group.
If your account group is not scoped, you can GET, POST, PATCH, or DELETE managed object data for
any managed objects if your account group has the required capabilities.
How capabilities affect access to SP through the SP REST API
In addition to scoping, your account group's capabilities determine which REST API endpoints you can
access (GET, POST, PATCH, or DELETE). For example:
• The sp_restapi capability allows you to access an endpoint if you have all other capabilities that are
required to access that endpoint. Your managed object scoping must also allow access to that
endpoint’s managed object data. See How scoping affects access to SP through the SP REST API
above.
• The sp_admin capability allows you to edit and manage your SP configuration through requests to
any REST API endpoint except /mitigations/ and /alerts/. These two endpoints require one or
more separate capabilities, such as sp_tms_mitigations and sp_alerts.
Note: Some capabilities in the SP UI do not affect access to any endpoints in the REST API.
For a complete list of capabilities required by REST API V.4 endpoints in SP 8.4, see Administration >
REST API Documentation > SP API V.4 REST Interface > API Introduction > Authorization in the SP
UI.
How mssp user status affects access to SP through the SP REST API
In the SP 8.4 UI, mssp users (members of a managed services account group) are scoped to one or
more managed objects. However, in the SP REST API, mssp users cannot access the configuration data
for any managed object, including the managed objects in their scope. Specifically, mssp users cannot
GET, POST, PATCH, or DELETE any /managed_objects/ collection or instance endpoint.

Other tasks that mssp users can perform in the UI but cannot perform through the REST API include:
• Commit a system configuration change message. Specifically, mssp users cannot POST to the
/config/ endpoint unless they have the sp_portal_admin capability. See How capabilities affect
access to SP through the SP REST API above.
• Delete an alert that they are authorized to delete in the UI. Specifically, mssp users cannot send a
DELETE request to an /alerts/<alert-id> instance endpoint.
• Edit the classification for an alert that they are authorized to edit in the UI. Specifically, mssp users
cannot PATCH the value of the classification attribute in an /alerts/<alert-id> instance
endpoint.
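
The scoping, capability, and mssp rules in this section can be encoded as a small decision function for auditing which API integrations will lose access after the upgrade. This is an added example, not Arbor's code. The account groups, the managed object names, and the endpoint-to-capability mapping (sp_alerts for /alerts/, sp_tms_mitigations for /mitigations/, sp_admin for everything else, sp_restapi as a prerequisite) are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccountGroup:
    capabilities: frozenset
    assigned: frozenset = frozenset()  # managed objects assigned to the group; empty = unscoped
    mssp: bool = False                 # managed services account group


# Constructed sample hierarchy: child managed object -> parent managed object.
PARENT = {"cust-a-web": "cust-a", "cust-b-dns": "cust-b"}

# Assumption: the release notes name sp_alerts and sp_tms_mitigations only as
# examples ("such as"); every other endpoint is treated here as needing sp_admin.
ENDPOINT_CAPABILITY = {"alerts": "sp_alerts", "mitigations": "sp_tms_mitigations"}


def in_scope(group, mo):
    """Assigned managed objects and their child managed objects are in scope."""
    if not group.assigned:
        return True
    return mo in group.assigned or PARENT.get(mo) in group.assigned


def authorize(group, method, endpoint, mo=None, parent=None, attrs=()):
    """Return (allowed, reason) for one request under the rules in this section."""
    caps = group.capabilities
    if "sp_restapi" not in caps:  # assumption: treated as a hard prerequisite
        return False, "missing sp_restapi"

    if group.mssp:
        if endpoint == "managed_objects":
            return False, "mssp: no /managed_objects/ access, even inside scope"
        if endpoint == "config" and method == "POST":
            if "sp_portal_admin" in caps:
                return True, "mssp with sp_portal_admin may POST /config/"
            return False, "mssp: POST /config/ needs sp_portal_admin"
        if endpoint == "alerts" and method == "DELETE":
            return False, "mssp: cannot DELETE an alert through the API"
        if endpoint == "alerts" and method == "PATCH" and "classification" in attrs:
            return False, "mssp: cannot PATCH classification"

    needed = ENDPOINT_CAPABILITY.get(endpoint, "sp_admin")
    if needed not in caps:
        return False, f"missing {needed}"

    if endpoint == "managed_objects" and group.assigned:
        if method == "POST":
            # A scoped group may only create children of directly assigned objects.
            if parent not in group.assigned:
                return False, "parent managed object is not assigned to the group"
        elif mo is not None and not in_scope(group, mo):
            # Collection requests (mo=None) are not modeled here.
            return False, "managed object is outside the group's scope"
    return True, "allowed"


# Constructed account groups used for the audit below.
ADMIN = AccountGroup(frozenset({"sp_restapi", "sp_admin"}))
SCOPED = AccountGroup(frozenset({"sp_restapi", "sp_admin"}), frozenset({"cust-a"}))
MSSP = AccountGroup(frozenset({"sp_restapi", "sp_alerts"}), frozenset({"cust-a"}), mssp=True)

if __name__ == "__main__":
    requests_to_audit = [
        ("ADMIN", ADMIN, "GET", "alerts", {}),
        ("SCOPED", SCOPED, "PATCH", "managed_objects", {"mo": "cust-a-web"}),
        ("SCOPED", SCOPED, "GET", "managed_objects", {"mo": "cust-b-dns"}),
        ("SCOPED", SCOPED, "POST", "managed_objects", {"parent": "cust-a-web"}),
        ("MSSP", MSSP, "GET", "managed_objects", {"mo": "cust-a"}),
        ("MSSP", MSSP, "PATCH", "alerts", {"attrs": ("classification",)}),
        ("MSSP", MSSP, "PATCH", "alerts", {"attrs": ("ticket",)}),
    ]
    for name, group, method, endpoint, kwargs in requests_to_audit:
        allowed, reason = authorize(group, method, endpoint, **kwargs)
        print(f"{name:7} {method:6} /{endpoint}/ {kwargs}: "
              f"{'ALLOW' if allowed else 'DENY'} ({reason})")
```
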

Download all source IP addresses for an alert in the SP REST API

The new alerts sub-endpoint /alerts/<alert_id>/source_ip_addresses allows you to retrieve a list
of all source IP addresses for an alert. A request to this new endpoint provides the same result as this
SP UI procedure:
1. On the DoS Host Alert <alert_id> page, click the Traffic Details tab.
2. Under Source IP Addresses, click the View More link.
3. In the View More Details: Source IP Addresses window, click Download All.

New ways to POST and PATCH ticket and classification data with alerts endpoints

SP 8.4 extends your ability to POST and PATCH alert ticket and classification data in alerts endpoints.
For example, you can now do the following:
• POST a new cloud_mit_request alert with a ticket number attribute and/or a classification attribute.
• PATCH the ticket number attribute and/or classification attribute in any type of alert.
Note: cloud_mit_request alerts are the only type of alert that you can POST. They are also the only
type of alert in which you can PATCH data other than the ticket number and classification.
For descriptions of alert classification types, see “About Alert Classification” in the SP and TMS User
Guide.


Changes in Behavior in Arbor Networks SP 8.4


Destination prefixes in flow specification mitigations
Flow specification mitigations no longer require a destination prefix. This change in behavior is a result of
SP fixed issue 82909.

IP version setting for learning mitigations


When using learning mitigations for managed object match types that can match both IPv4 and IPv6
prefixes, you must specify the IP version of the learning mitigations.

Password requirements
The following are no longer requirements for SP passwords:
• cannot be only letters followed by only digits (for example, abCD123)
• cannot be only digits followed by only letters (for example, 123abCD)
When you change your SP password, the following are requirements for the new password:
• cannot be only digits followed by only uppercase letters (for example, 123ABCD)
• cannot be only digits followed by only lowercase letters (for example, 123abcd)
• cannot be only uppercase letters followed by only digits (for example, ABCD123)
• cannot be only uppercase letters followed by only lowercase letters (for example, ABCDefgh)
• cannot be only lowercase letters followed by only digits (for example, abcd123)
• cannot be only lowercase letters followed by only uppercase letters (for example, abcdEFGH)
Also, the default minimum password length was increased from 7 to 10 characters.
These changes in behavior are a result of SP fixed issues 82682 and 83220.
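
The shape rules above can be checked before a password change is submitted, which also makes the difference between the removed and the current rules visible. The following is an added example, not SP's implementation: it covers only the rules listed in this section, assumes that letters and digits mean ASCII characters, and uses constructed sample passwords.

```python
import re

MIN_LENGTH = 10  # default minimum password length in SP 8.4, per this section

# Two-run shapes that this section lists as rejected for a new password.
CURRENT_RULES = {
    "digits then uppercase": r"[0-9]+[A-Z]+",
    "digits then lowercase": r"[0-9]+[a-z]+",
    "uppercase then digits": r"[A-Z]+[0-9]+",
    "uppercase then lowercase": r"[A-Z]+[a-z]+",
    "lowercase then digits": r"[a-z]+[0-9]+",
    "lowercase then uppercase": r"[a-z]+[A-Z]+",
}

# The two broader shapes that this section says are no longer requirements.
REMOVED_RULES = {
    "letters then digits": r"[A-Za-z]+[0-9]+",
    "digits then letters": r"[0-9]+[A-Za-z]+",
}


def _hits(rules, candidate):
    """Names of the rules whose shape matches the whole candidate."""
    return [name for name, shape in rules.items() if re.fullmatch(shape, candidate)]


def check_password(candidate, min_length=MIN_LENGTH):
    """Evaluate a candidate against the length and shape rules listed above."""
    current = _hits(CURRENT_RULES, candidate)
    length_ok = len(candidate) >= min_length
    return {
        "length_ok": length_ok,
        "current_rule_hits": current,
        "removed_rule_hits": _hits(REMOVED_RULES, candidate),
        # Acceptable only with respect to the rules modeled here.
        "acceptable": length_ok and not current,
    }


if __name__ == "__main__":
    # Constructed samples; abCD123 is the example used in the text above.
    for sample in ["abCD123", "abCDefgh1234", "abcdefgh1234", "ABCDefghij", "1234abcdEF"]:
        print(sample, check_password(sample))
```

The text's own example abCD123 no longer matches a rejected shape, but it still fails the new 10-character minimum.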

Default maximum number of login failures


The default maximum number of incorrect logins that SP permits local users to attempt before it disables
that user account is now 5. This setting can be changed using the following CLI command:
services aaa max_login_failures set number
Note that if you have previously changed this setting, the setting will not be overridden when upgrading to
SP 8.4.
If a user account is disabled, you can enable it on the User Accounts page (Administration >
Accounts/Accounting > User Accounts). For more information, see “About the User Accounts Page” in
the SP and TMS User Guide.
For information about using the SP CLI, see the SP and TMS Advanced Configuration Guide, available
from the Arbor Technical Assistance Center (https://support.arbornetworks.com). This change in behavior
is a result of SP fixed issue 82678.

Unused ATLAS tabs and reports removed


The following were removed from the ATLAS page (Reports > ATLAS > Summary):
• Scanning Activity tab
• Threat Briefs tab
The following have been removed from the ATLAS menu (Reports > ATLAS):
• Routeviews BGP Routing Table
• Routeviews BGP Instability
• Local Routes in Routeviews
• Local Instability in Routeviews
For information about new features added to ATLAS in SP, see ATLAS Global DDoS Report on page 7.

Change in deployment status graphs in the SP user interface


The graphs on the Deployment Status page (System > Status > Deployment Status) are now accessed
using a drop-down menu. Previously they were accessed by tabs at the top of the page. Additionally, the
names of the graphs were updated as part of the renaming of vTMS to Software TMS (see vTMS renamed to
Software TMS in the SP user interface on page 17).

Previous Graph Name     New Graph Name
TMS Total Bandwidth     TMS Total Bandwidth – appliance–based
TMS IPv6 Bandwidth      TMS IPv6 Bandwidth – appliance–based
vTMS Total Bandwidth    Software TMS Total Bandwidth – flexible
vTMS IPv6 Bandwidth     Software TMS IPv6 Bandwidth – flexible

vTMS renamed to Software TMS in the SP user interface


Areas of the SP user interface that previously referred to vTMS have been changed to refer to Software
TMS, the new name of vTMS. The following areas of the user interface now refer to Software TMS:
• System > Status > Deployment Status – in addition to the changes in the graphs (see Change in
deployment status graphs in the SP user interface on page 17), the following name changes were
made in the Deployment Status table:
▪ TMS Bandwidth is now TMS Bandwidth – appliance based
▪ vTMS Bandwidth is now Software TMS Bandwidth – flexible
• System > Status > Appliance Status – the type of the appliance is now listed as Software TMS
• System > Status > Appliance Monitoring – Software TMS is now listed under the appliance name
• Administration > Appliances > Edit Appliance > Appliance tab – the appliance is now listed as
Software TMS
• Administration > Appliances > Add Appliance > Appliance tab – the appliance is now listed as
Software TMS
• Alerts > Summary > Appliances tab – the Type is now listed as Software TMS

SP Insight: Changes to facet values


The following changes were made to achieve more behavior parity between SP and SP Insight:
• The values for some facets were changed from numbers to a combination of names and numbers in
SP Insight. Facets affected by these changes include most facets that can be expressed both with a
name and a number, such as ASNs, TCP flags, TCP and UDP ports, and protocols.
• Country names used in SP Insight were changed to match those used by SP.

SP Insight: Links to SP Insight filter query result pages may require updating
As a result of the changes to facet values in SP Insight, links to SP Insight filter query result pages created
before SP 8.4 may not work in SP 8.4. In this case you can update the link URL manually, or you can use
the SP Insight page to recreate the filter query and create a new link.


SP Insight: Reported traffic volume is similar to volume reported by SP


Because of subtle differences in the way SP and SP Insight bin network traffic information, traffic volume
reported by earlier versions of SP Insight varied from the volume reported by SP in certain situations.
These differences have been resolved and SP Insight now reports traffic volume similarly to SP.

SP Insight: Unused facets deleted


The following unused facets were deleted from SP Insight:
• Destination_Flow_Matches
• Destination_VLAN
• Source_Flow_Matches
• Source_VLAN

SP REST API: page and perPage query error key name changed from V.3 to V.4
Note: This change only affects the /alerts/ and /mitigations/ endpoints in the SP REST API
versions 3 and 4.
The SP REST API versions 3 and 4 both return an error if you submit a request with an invalid page or
perPage query value. For example, the following request returns an error because the perPage value is a
negative number:
GET https://sp.example.com/api/sp/alerts/?perPage=-1
• The SP REST API V.3 returns perPage error messages in the id key.
• The SP REST API V.4 returns page and perPage error messages in the detail key.


Upgrade Information for Arbor Networks SP 8.4


Deployments that use flexible licensing require a new license file

Flexible license files that are used in an SP deployment with a leader running SP 8.3.x or lower
do not work with SP 8.4.x. To obtain a flexible license file that is compatible with SP 8.4.x,
please open a support request with the Arbor Technical Assistance Center (ATAC) at
https://support.arbornetworks.com/
You will receive a new license server URL (for cloud-based flexible licensing) or a new flexible
license file (for locally-managed flexible licensing).
Before you upgrade to SP 8.4.x, set the new license server URL or install the new license file.
For more information, see the SP and TMS Licensing Guide at https://support.arbornetworks.com/

Leader device must be upgraded first


When upgrading to SP 8.4, you must upgrade your SP devices in a specific order. For more information,
see “Multi-Version Deployment Upgrade Process” in the SP and TMS Compatibility Guide. Be aware of
the following when upgrading:
• You must upgrade the leader SP device before upgrading any other user interface devices in your
deployment.
• When upgrading from SP 8.2 or higher, Arbor recommends stopping all user interface devices prior to
upgrading. Stopping user interface devices avoids failover and cross-version compatibility issues.
• The upgraded leader must be running when you upgrade the other user interface devices. If the
leader is not upgraded or not running, you will need to manually resync the database when it is.
• When upgrading from a version lower than SP 8.2, non-leader user interface devices take additional
time to upgrade because they are syncing the database. Syncing the database should take less than
10 minutes; however, large databases on slow connections could take longer.
• When upgrading from SP 8.2 or higher, a database sync for non-leader user interface devices is not
normally needed. A database sync is only needed if the devices have been down for an extended
time period, usually on the order of hours. Syncing the database should take less than 10 minutes;
however, large databases on slow connections could take longer.

Upgrading requires a current maintenance and support contract


Before upgrading to SP 8.4, make sure that your deployment’s maintenance and support contract with
Arbor is current.
Important: If your contract is not current when you update to SP 8.4, router capabilities will be blocked
and SP will not be able to process flow. To revert to a previous version of SP, you will need a backup that
was made before you upgraded to SP 8.4.

Supported upgrade paths for Arbor Networks SP 8.4


• SP 8.3 to SP 8.4
• SP 8.2 (all versions) to SP 8.4
• SP 8.1 (all versions) to SP 8.4
• SP 8.0 (all versions) to SP 8.4
To upgrade from earlier versions of SP not listed here, first upgrade to a version listed above, then
upgrade to SP 8.4.
For more information, see “Supported Upgrade Paths” in the SP and TMS Compatibility Guide.


Multi-version compatibility
SP 8.4 is compatible with earlier versions of SP and TMS. This allows you to upgrade the devices in your
deployment in stages. For details about multi-version compatibility, refer to the SP and TMS Compatibility
Guide as described below.
• To determine which versions of SP and TMS software can be paired with each other, see the
“SP/TMS Software Version Compatibility Matrix” in the “SP and TMS Software Compatibility” section.
• For information about multi-version upgrades and deployments, and Arbor’s guidelines for running a
multi-version deployment, see the “Multi-Version Support in SP and TMS Software” section.
The SP and TMS Compatibility Guide is available from the Arbor Technical Assistance Center
(https://support.arbornetworks.com).
IMPORTANT: Before you upgrade appliances in your deployment, refer to the rules and guidelines for
multi-version deployments that are explained in the SP and TMS Compatibility Guide. It includes software
version matrices to help you verify that all post-upgrade software version pairings will be supported in
your multi-version deployment.

Using SP Insight in an SP 8.4 deployment


If you use SP Insight and you upgrade to SP 8.4 you must upgrade all SP devices to SP 8.4 and upgrade
your SP Insight nodes to the corresponding version. To receive the appropriate version of the SP Insight
installation files, contact the Arbor Technical Assistance Center (ATAC)
(https://support.arbornetworks.com).

Wizard and Classic XML Reports Are Not Synchronized Between User Interface Devices
When upgrading from SP 8.1.x or lower to SP 8.4, wizard reports that reside on non-leader User Interface
(UI) devices must be copied to the leader device in order to access or run the reports. Scheduled wizard
reports cannot run if they are missing from the leader or if they are on non-leader devices, even if they
ran in previous SP versions.
During an upgrade from SP 8.1.x or lower to SP 8.4, the leader device lists missing wizard reports and
non-leaders warn you if local wizard reports are found. The leader device also lists missing wizard reports
when you start services on it.
All classic XML report names appear on both leader and non-leader UI devices, where you can also run
those reports. However, you can edit classic XML reports and see the report results only on the leader.
To check for custom reports that need to be copied to the leader:
1. On the leader, log in to the CLI with your administrator user name and password.
2. In the CLI, enter / services sp reports custom check
To copy custom reports from a non-leader to a leader:
1. On the non-leader, log in to the CLI with your administrator user name and password.
2. To show the reports that need to be copied, enter / services sp reports custom find_old
3. You can copy the reports to the leader individually or together as a group:
• To copy a specific report to the leader, enter / services sp reports custom find_old copy REPORT_ID
• To copy all the reports to the leader, enter / services sp reports custom find_old copy all
If there are reports that you do not want to copy, you can delete them using Administration > Reports.


System Requirements for Arbor Networks SP 8.4


For information about enforced limits and appliance limits in SP deployments, see SP and TMS
Deployment and Appliance Limits, available from the Arbor Technical Assistance Center
(https://support.arbornetworks.com/).

Supported Models

SP Appliances

The following SP appliances are supported in the SP 8.4 release:


• SP 6000 (BI, CP, FS, and PI under appliance mode licensing)
• SP 7000
For more information see “SP Software Compatibility with SP Appliances” in the SP and TMS
Compatibility Guide. You can download this guide from the Arbor Technical Assistance Center
(https://support.arbornetworks.com)
Important: Starting with SP 8.1, SP 5500 appliances are no longer supported by SP. You are
encouraged to contact your Arbor Account Team to discuss a hardware modernization plan in order to
stay current with SP 8.1 and beyond.

TMS Models

The following TMS models are supported in the SP 8.4 release:


• TMS 2300 series (TMS 2301, 2302, 2305, and 2310)
• TMS 2600
• TMS 2800
• TMS 4000 (with APM-E modules only)
• TMS 5000 (32x10G and 4x100G models)
• TMS HD1000 (16x10G)
• TMS HD1000 (4x100G + 8x10G)/PPM–20G
• TMS HD1000 (4x100G + 8x10G)/PPM–50G
• Software TMS
• Cisco ASR 9000 vDDoS Protection Solution (10G, 20G, 40G, and 60G models)

Supported Web Browsers


SP 8.4 officially supports the following versions of Internet Explorer, Firefox, and Chrome Web browsers:
• Internet Explorer 11.0
Note: Internet Explorer 10.0 is not officially supported because it defaults to TLS 1.0, which SP no
longer supports. If you configure Internet Explorer 10.0 to use a newer version of TLS, the browser
should work, but it has not been tested.
• Firefox 52 ESR, 55
• Chrome Latest (61)
For more information see “Supported Web Browsers” in the SP and TMS Compatibility Guide. You can
download this guide from the Arbor Technical Assistance Center (https://support.arbornetworks.com)


Router Requirements
SP is compatible with any router that exports RFC-compliant netflow and includes all the RFC-required
fields. SP supports netflow v5, v9, ipfix, and sflow.

Communication Ports

Required Ports

The following table lists the ports that SP uses and that are required for a deployment to operate
correctly. When the following terms appear in this table, they refer to appliance roles with flexible
licensing and to appliance types with appliance‑based licensing:
• data storage
• traffic and routing analysis
• user interface
References in this table to the FS appliance (Flow Sensor) only apply to appliance-based licensing.

Service                   Ports Required  Protocol  Direction

ArborFlow                 31373           UDP       • FS appliance to traffic and routing analysis
                                                    • FS appliance to data storage
                                                    • traffic and routing analysis to data storage

ArborFlow (if ArborFlow   5000 (default)  UDP       • TMS appliance to traffic and routing analysis
from TMS is enabled)

BGP                       179             TCP       • traffic and routing analysis to router
                                                    • user interface to router
                                                    • FS appliance to router
                                                    • Router to traffic and routing analysis
                                                    • Router to user interface
                                                    • Router to FS appliance
                                                    • Router to TMS appliance

DNS                       53              UDP       • SP appliance to DNS server
                                                    • Return on same port

Flow (netflow)            2055            UDP       • Router to traffic and routing analysis
                          (configurable)            • Router to FS appliance
                                                    By default, traffic and routing analysis or FS
                                                    appliances watch all UDP ports for netflow packets
                                                    from configured routers.

HTTPS                     443             TCP       • SP non-leader appliance(s) to SP leader appliance
                                                    • SP leader appliance to SP non-leader appliance(s)
                                                    • TMS appliance to managing appliance
                                                    • Managing appliance to TMS appliance

SNMP polling of routers   161             UDP       • Traffic and routing analysis to router
                                                    • FS appliance to router
                                                    • Return on same port

SP user interface         443             TCP       • User workstation to SP leader or user interface
(HTTPS)

SP user interface with    443             TCP       • Web proxy to SP leader or user interface
single-sign-on (HTTPS)

SSL                       40000-40030     TCP       • Any appliance to any appliance (excluding TMS)
                          (configurable)

Note: Some of the ports may not be applicable to your deployment.

Optional Ports

The following ports are optional and only need to be enabled if you are using the corresponding service:

Service                     Ports         Protocol  Direction

Cloud-based licensing       443           TCP       • Leader to cloud license server
                                                    • Cloud license server response to leader

Cloud signaling handshake   443           TCP       • APS to leader appliance
(HTTPS)                                             • Leader appliance response to APS

Cloud signaling heartbeat   7550          UDP       • APS to leader appliance
                                                    • Leader appliance response to APS

FTP                         20-21         TCP       • SP appliance query to FTP server
                                                    • FTP server response to SP appliance

HTTP                        80            TCP       • SP appliance to HTTP server
                                                    • HTTP server response to SP appliance

NTP                         123           UDP       • SP appliance request to NTP server
                                                    • NTP server response to SP appliance

ping                        echorequest,  ICMP      • SP appliance request to remote device
                            echoreply               • Remote device response to SP appliance

RADIUS Authentication       1812          UDP       • SP appliance query to RADIUS server
                                                    • RADIUS server response to SP appliance

RADIUS Accounting           1813          UDP       • SP appliance query to RADIUS server
                                                    • RADIUS server response to SP appliance

SMTP                        25            TCP       • Leader appliance delivery to SMTP server
                                                    • SMTP server response to leader appliance

SNMP polling of appliances  161           UDP       • User polling equipment query to SP appliance
                                                    • SP appliance response to user polling equipment

SNMP trap                   162           UDP       • Leader appliance message to SNMP trap collector

SSH                         22            TCP       • Workstation to SP appliance
                                                    • SP appliance response to workstation
                                                    Note: Backup uses SSH

Syslog                      514           UDP       • SP appliance message to Syslog server

TACACS+                     49            TCP       • SP appliance query to TACACS+ server
                                                    • TACACS+ response to SP appliance

Whois                       43            TCP       • Leader appliance, user interface, and backup user interface query to Whois server
                                                    • Whois server response to appliance


ATLAS Services Ports

All ATLAS services require you to open access to hosts outside your network. These hosts live across the
internet and leverage modern content delivery networks and web services.
Important: Because each of these services uses DNS to find the IP address of the ATLAS service, the IP
addresses of the services may change. If an ATLAS service cannot connect to the service IP address,
you may need to check the current DNS results for the addresses listed in the following table and update
your firewall rules. Use of a proxy server for outbound connections is an excellent method for accessing
these services. Contact the Arbor Technical Assistance Center (https://support.arbornetworks.com) if you
have any questions or have special requirements.
The following table lists the ATLAS services:

Service                   Address (DNS)               Port            Protocol   Direction

AIF                       aif.arbor.net               443             HTTPS/TCP  Leader to feed server(s)

ATF                       rfl.arbor.net               443             HTTPS/TCP  Leader to feed server(s)

ATLAS Visibility          atlas-visibility.arbor.net  443             HTTPS/TCP  Leader and all UI appliances to servers
(formerly ATLAS
Internet Trends)

HTTP proxy (If you        Your HTTP proxy server      1080            TCP        Leader to the proxy server
configure a proxy to                                  (configurable)
reach out to ATLAS
services or the Internet)


Fixed Issues in Arbor Networks SP 8.4


Bug Number Ticket Number Fixed In SP Fixed Issues Description
59725 8.4 The Managed Services Group? checkbox is now enabled
when users search for a managed object when adding a
managed object to an account group.
60345 8.4 Flowspec routes were not announced for TMS mitigations if
the flowspec protocols filter contained a blank.
66536 160808-000025 8.4 Custom SSL certificates can now be in PKCS#8 format. For
more information about custom SSL certificates, see
PKCS#8-format SSL certificates are supported on page 11.
77851 160602-000037 8.4 Slider bars now appear on the Zombie countermeasure.
78777 8.4 Using an unsupported query argument in an API call
returned a warning for all endpoints except Insight-related
ones.
79253 161220-000015 8.4 Web Services and REST APIs returned the incorrect units
for alert severity threshold (pps when it should have been
bps)
79917 170320-000008 8.4 SP sometimes crashed when waiting for a response from an
SP process.
80220 8.4 All learning mitigation countermeasures graphs were not
shown for IPv6 managed objects.
80444 170724-000033 8.4 The memory calculations were changed to use consensus
171031-000023 correct available memory numbers for individual appliances.
171213-000033
180207-000026
80745 8.4 When many APSes were deleted and added to an SP
system, data from the old APSes could have been reused.
80785 8.4 The following information was omitted from the
documentation for the REST API:
• The from_aps attribute in the tms_filter_lists endpoint.
• The flist_file_type and size attributes in the
tms_filter_lists endpoint are read-only values.
81063 8.4 In some places, the words “SP Version” were replaced with
just “Version”.
81067 8.4 “Threat Management System” was replaced with “Arbor
Networks TMS” in the UI.
81145 8.4 When using the “Select TMS Ports” interface, the “Model”
column now displays more detailed model information.
81149 8.4 When adding TMS ports to a TMS group, the 10G checkbox
in the search bar of the “Select TMS Ports” dialog box did
not limit the list of TMSs to TMSs with only 10G ports.
81244 170615-000012, 171026-000018, 180110-000032, 180203-000003 8.4
Fingerprint data may not have been accessible after an
upgrade.
81600 170725-000020 8.4 An SP process would crash after many reconfigurations.
81676 170721-000046, 170830-000036 8.4 Generating more than the recommended number of
soap_access_log entries could degrade performance.
81903 8.4 Accessing crumbs with the line graph option set would
display stacked graphs.

81928 8.4 A PATCH request to the Devices endpoint containing invalid
data types in attribute values correctly returned an error
message. However, the request also returned an HTTP 200
OK status code indicating that the request succeeded.
82060 170824-000033 8.4 An SP process sometimes became unresponsive,
preventing notifications from going out via e-mail, SNMP,
and syslog.
82218 8.4 The alerts expanded on the “TMS Statistics” tab of the
“Appliance Status” page would collapse after an automatic
page update, hiding recent alerts.
82233 170913-000023 8.4 Bad configurations could occur after restoring from backup.
82262 180123-000005, 180307-000008 8.4 The Deployment Status page did not include the bandwidth
of chassis-based TMS models in the TMS Bandwidth
calculation.
82316 8.4 The remote syslog message for stopping host detection did
not report the stop date and time.
82358 8.4 Some syslog message examples found in the SP Syslog
Output Format BNF topic in the SP and TMS Advanced
Configuration Guide did not match the actual content and
formatting of syslog messages.
82359 170919-000015 8.4 Auto-mitigations were not reused for new alerts when the
mitigation was still ongoing but the original alert had ended.
82398 8.4 Running the / ser sp data database reset CLI
command on the leader would result in not all leader
programs running.
82432 170928-000016 8.4 Fragmentation bitmask values were incorrectly documented
in “About Fragmentation Bitmask Menus” in the SP and TMS
User Guide.
82678 8.4 The default maximum number of login failures has changed
from unlimited to 5. For more information, see Default
maximum number of login failures on page 16.
82682 8.4 The minimum password length increased to 10 characters
on new devices. For more information, see Password
requirements on page 16.
82686 140808-000022, 140723-000038, 140617-000029, 140225-000013, 140117-000030,
131218-000020, 131114-000025, 130802-000016, 130712-000009, 130220-000013,
130218-000023, 130114-000031, 180303-000010, 180219-000032 8.4
You can now use custom SSL certificates on leader TRA
devices. Before you could only use them on leader UI
devices. For more information, see SSL certificates can be
uploaded to any leader regardless of appliance’s role on
page 11.
82849 171026-000039 8.4 MPLS VPN traffic triggered global detection host alerts.
82909 171102-000041, 171213-000021, 180226-000066, 180324-000009 8.4
SP does not crash if a flow specification mitigation does not
have a destination prefix. For more information, see
Destination prefixes in flow specification mitigations on page
16.

83059 8.4 In the REST API alerts endpoint, you can now specify
cloudsignal as an alert_class filter value to filter for
cloud signaling alerts.
83111 8.4 TMS Mitigations for IPv6 displayed countermeasures that
apply only to IPv4 mitigations.
83126 171114-000049 8.4 TMS auto-mitigations can now be reused for multiple
profiled router alerts and multiple profiled network alerts. For
more information, see TMS auto-mitigations reuse for
multiple alerts on page 11.
83150 171121-000047, 171204-000044 8.4 Web service periodically restarted on non-leader appliances.
83220 8.4 Password complexity requirements were changed. For more
information, see Password requirements on page 16.
83370 8.4 Global DNS servers can now be deleted.
83500 171214-000035, 171221-000032, 171220-000048 8.4
Large volumes of APS Cloud Signaling usage may have
caused performance issues and a log message.
83535 170821-000052, 171103-000005, 171212-000044 8.4
Sending too many SOAP API queries in a short time could
produce temporary files that would fill up the
/base/data/tmp filesystem.

83559 8.4 A cross-site scripting vulnerability in the logging page of the
SP UI was removed.
83627 180103-000006 8.4 Top Traffic Patterns is no longer missing pps/bps in the
SOAP API getDosAlertDetail function.
83711 180118-000050 8.4 Some clients using sflow may have received inaccurate
statistics.
83974 180202-000011, 180214-000035 8.4 Upgrading does not fail when TMS groups are configured
with an override appliance route target.


Known Issues in Arbor Networks SP 8.4


Bug Number Ticket Number Found In SP Known Issues Description
83748 8.4 Users using RADIUS authentication cannot make Insight
queries without creating local accounts that have account
groups set.
83987 8.4 Very large filter lists (over 800 KB) cannot be processed via the
tms_filter_lists REST API endpoint.
84194 8.4 The print/download PDF button on the ATLAS Global DDoS
Report page does not work. As a workaround, use the “print to
PDF” feature of the browser.
84373 8.4 On the Mitigation Status page, when selecting a custom time
range using the Other tab with an end time near the current
date and time, the graph continues to update with new data for
a short period of time.
84398 8.4 Displaying the Insight Interface facet and filtering on values may
show unexpected extraneous values in the output.
81561 8.3 Reports on non-leader User Interface appliances can take up to
10 minutes to be available. The reports can be viewed on the
leader during that time.
80622 8.2 SP TCP and UDP port graphs in the TCP and UDP port reports
are not consistent with TCP and UDP port graphs presented by
SP Insight. SP uses both the source and destination ports for
calculating both inbound and outbound traffic graphs. SP Insight
uses only the destination port for calculating inbound and
outbound traffic graphs.
80782 8.2 After editing and saving settings for the UDP
Reflection/Amplification Protection countermeasure, the web UI
page may not display the current settings properly. In this case,
you can refresh the browser page to display the current settings.
80823 8.2 The managed_object endpoint in the REST API V.2 is missing
two attributes: mitigation_requested and auto_mitigate.
The attributes are available in the V.1 /cloud_signaling/
endpoint.
81980 170813-000000 8.1.2 When using two or more TMS’s in a single TMS group to start a
flow spec announcement, only the routers with the first TMS will
announce the flow spec.
77992 8.1 When given a specified top N or filter, the
insight/timeseries REST API endpoint can return more
distinct aspect values than requested. This can lead to
confusing results.
82316 8.1 The remote syslog message for stopping host detection does
not report the stop date and time.
74698 8.0 Accessing the SP REST API within 30 seconds after clicking the
Commit Config button in the UI or entering config write in
the CLI will return an HTTP Status of “503 Server Unavailable”.
74740 8.0 If user-created automated configuration rules are sufficiently
non-specific in their scope, the SNMP interface with index 0 can
be configured in such a way that dropped/multicast traffic can
be categorized incorrectly for the involved router or routers.


Other Things to Know about Arbor Networks SP 8.4


Create a Backup after Conversion to Flexible Licensing
Important: If you are converting from legacy appliance-based licensing to flexible licensing, be sure to
create a backup as soon as possible after the conversion. It is not recommended/supported to restore a
backup made before the conversion onto an appliance that was converted to flexible licensing.

High CPU Load Averages


On large multi-appliance deployments, high load averages will be seen when arbor_stats runs. This does
not materially impact interactive performance of the SP appliance.

Dynamic Subscriber Interfaces


SP Interface Handling
SP provides three levels of granularity when gathering data on a per-interface basis, depending on the
interface classification and discovery method:

Interface classification: External or configured to collect “detailed” statistics
Discovery method: Via flow
Data granularity:
• Highest level of data granularity
• Available in all interface pages and reports

Interface classification: Other than external
Discovery method: Via flow
Data granularity:
• Much lower level of data granularity
• Available in all interface pages and reports
• Included in the UI

Interface classification: Never sends flow data
Discovery method: SNMP
Data granularity:
• Tracked individually
• Not available in all interface pages and reports
• Impacts the overall interface scaling properties of the
deployment, but not as much as the other types of
interfaces

Untracked Interfaces
In addition to the data gathered on a per-interface basis, there can be untracked interfaces, which have
the following properties:
• They are on a router that was configured with the “Enable Dynamic Subscriber Interface Handling”
option.
• Their SNMP interface names/descriptions do not match a configured Interface Classification rule OR
the interfaces are not represented in the SNMP data obtained from the involved router.
Note: Only 400,000 interfaces with SNMP information can be processed, even if they are untracked
interfaces. The 700,000-interface limit can only be reached if a very large number of the interfaces
have no SNMP presence whatsoever.
• They do not appear in any interface page or report in the product.
• They do not impact any interface scaling limitation on the deployment. Therefore, there can be an
unlimited number of these kinds of interfaces on a particular collector or on the deployment in
general.
• They can have flow sent for them by the router and it will be tracked on a per-router basis in a single
aggregate interface. This appears in normal interface pages and reports.
• The flow sent for these interfaces is constrained by the normal stated flow processing limits on a per-
appliance basis, as well as the normal licensed limits on a per-deployment basis for flex licensing
deployments.


Additional Information
Downloading the Software
You can download the software releases and user documentation from the Arbor Technical Assistance
Center at https://support.arbornetworks.com using the Software Downloads link.

Contacting Arbor Technical Assistance Center


You can download the software release and user documentation from the Arbor Technical Assistance
Center website. You will need a username and password to access the site.
If you do not already have a customer account, contact Arbor Technical Assistance Center at:
• 1 877 272 6721 [U.S. toll free]
• +1 781 768 4301 [Worldwide]
• https://support.arbornetworks.com/

Documentation for Arbor Networks SP 8.4


The Arbor Networks SP 8.4 user documentation is available from the Arbor Technical Assistance Center
at https://support.arbornetworks.com using the Software Downloads link. The user documentation for
Arbor Networks SP 8.4 includes the following guides:

Document: Description
Managed Services Customer Guide: Information about deploying and using Arbor Networks SP 8.4 managed
services.
Online Help: Information about the feature on the current page is displayed, with links to
supporting information and a table of contents to the complete SP and
TMS User Guide and SP and TMS Advanced Configuration Guide.
REST API Documentation: Online information about the REST API endpoints.
Running SP in a Virtual Machine: Information about running SP in a virtual machine.
Running Software TMS in a Virtual Machine: Information about running Software TMS in a virtual machine.
Installing Software TMS on Hardware: Information about installing Software TMS on hardware.
SP and TMS Advanced Configuration Guide: Information about configuring advanced settings in Arbor Networks SP 8.4,
including those that can only be configured using the command line
interface (CLI).
SP and TMS Licensing Guide: Information about cloud-based and locally-managed flexible licensing,
appliance-based licensing, and volumetric licensing for TMS appliances.
SP and TMS Quick Start Cards: Information about how to install, connect, and configure Arbor Networks SP
8.4 appliances.
SP and TMS User Guide: Information about how to use Arbor Networks SP 8.4.
SP API Guide: Instructions for remotely accessing Arbor Networks SP 8.4 using the
REST, SOAP, and Arbor Web Services APIs.
SP and TMS Deployment and Appliance Limits: Information about the enforced and guideline limits for an Arbor Networks
deployment and for Arbor Networks appliances.


Appendixes
Appendix A: Notification Changes from SP/TMS 7.6 to SP/TMS 8.4
Miscellaneous changes to arbornet-sp.mib

Modify interfaceUsage trap to include spInterfaceSpeedHC and spInterfaceUsageHC

The Arbor arbornet-sp.mib file now supports 64-bit (HC) versions of the spInterfaceSpeed and
spInterfaceUsage variables:
• spInterfaceSpeedHC (OID .1.3.6.1.4.1.9694.1.4.1.81)
• spInterfaceUsageHC (OID .1.3.6.1.4.1.9694.1.4.1.82)

For example, using the SNMP query:


% snmptrap -v 2c -m all -c public 192.0.2.22 '' .1.3.6.1.4.1.9694.1.4.3.0.42 spRouter s
"routerName" spInterface s "interfaceName" spInterfaceIndex u 1 spInterfaceSpeedHC C 10000000000
spUsageType s "high" spInterfaceUsageHC C 10000000000

produces a result of the form:


2014-05-20 16:07:35 spsys.example.com [UDP: [192.0.2.53]:21630->[192.0.2.0]:0]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (1946607) 5:24:26.07 SNMPv2-
MIB::snmpTrapOID.0 = OID: SNMPv2-SMI::enterprises.9694.1.4.3.0.42 SNMPv2-
SMI::enterprises.9694.1.4.1.2 = STRING: "routerName" SNMPv2-SMI::enterprises.9694.1.4.1.3 =
STRING: "interfaceName" SNMPv2-SMI::enterprises.9694.1.4.1.4 = Gauge32: 1 SNMPv2-
SMI::enterprises.9694.1.4.1.81 = Counter64: 10000000000 SNMPv2-SMI::enterprises.9694.1.4.1.24
= STRING: "high" SNMPv2-SMI::enterprises.9694.1.4.1.82 = Counter64: 10000000000

Add deviceTotalFlowsHC object

The Arbor arbornet-sp.mib file now supports a 64-bit (HC) version of the deviceTotalFlows object:
• deviceTotalFlowsHC (OID .1.3.6.1.4.1.9694.1.4.2.1.12)

GRE Tunnel Down Alerts Include GRE tunnel name


Notifications (UI alerts, remote syslog, emails, SNMP traps) for downed GRE tunnels now include the
GRE tunnel name in the notification.

Email changes for GRE Tunnel Down Alerts examples

Tunnel Down email


Subject:
[Peakflow SP] GRE tunnel gre-tunnel-001 down to destination 192.0.2.27
Body:
Alert ID: 5516
Leader: spaghetti
The GRE tunnel gre-tunnel-001 to destination 192.0.2.27 has been down since +2014-04-03
18:49:20 GMT.

Tunnel Restored email


Subject:
[Peakflow SP] GRE tunnel gre-tunnel-001 restored to destination 192.0.2.27
Body:
Alert ID: 5516
Leader: spaghetti
The GRE tunnel gre-tunnel-001 to destination 192.0.2.27 was restored at +2014-04-03
18:51:41 GMT


Remote syslog changes for GRE Tunnel Down Alerts examples


Apr 3 18:38:30 spsys.example.com pfsp: GRE tunnel gre-tunnel-001 down for destination
192.0.2.27, leader spsys since 2014-04-03 18:38:20 GMT

Apr 3 18:41:00 spsys.example.com pfsp: GRE tunnel gre-tunnel-001 restored for destination
192.0.2.27, leader spsys at 2014-04-03 18:40:40 GMT

SNMP changes for GRE Tunnel Down Alerts examples


2014-04-09 12:27:34 spsys.example.com [UDP: [192.0.2.8]:10241->[192.0.2.190]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (337175) 0:56:11.75 SNMPv2-
MIB::snmpTrapOID.0 = OID: PEAKFLOW-SP-MIB::greDown PEAKFLOW-SP-MIB::spAlertID =
Gauge32: 12 PEAKFLOW-SP-MIB::spGreTunnelDestination = IpAddress: 192.0.2.0
PEAKFLOW-SP-MIB::peakflowSPCMI.83 = STRING: "gre-tunnel-002"

2014-04-09 12:28:46 spsys.example.com [UDP: [192.0.2.8]:31778->[192.0.2.190]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (344417) 0:57:24.17 SNMPv2-
MIB::snmpTrapOID.0 = OID: PEAKFLOW-SP-MIB::greDownDone PEAKFLOW-SP-MIB::spAlertID =
Gauge32: 12 PEAKFLOW-SP-MIB::spGreTunnelDestination = IpAddress: 192.0.2.0
PEAKFLOW-SP-MIB::peakflowSPCMI.83 = STRING: "gre-tunnel-002"

Profiled Router Alerts


In Arbor Networks SP, Profiled notifications have become Profiled Router notifications and now contain
the IP version in the notification.

Email changes for Profiled Router Alerts examples

Protocol Alert start email


Subject:
[Peakflow SP] IPv6 Protocol attack #7058 Incoming to managed_object_v6
Body:
Type: Protocol
ID: 7058
IP Version: 6
Resource: managed_object_v6
Router: Not Applicable
Interface: Not Applicable
Severity: high
Impact: 208.62 Kbps/25 pps
Started: 00:00:35 ago at 2014-07-14 15:28:00
Link rate: 208.62 Kbps, 2086150.000000% of 10 bps
Protocol: ipv6-icmp
Interfaces: <Data not yet available>
URL: https://spsys.example.com/page?id=profiled_router_alert&alert_id=7058

Protocol Alert end email


Subject:
[Peakflow SP] IPv6 Protocol attack #7058 Incoming to managed_object_v6 done
Body:
Type: Protocol
ID: 7058
IP Version: 6
Resource: managed_object_v6
Router: Not Applicable
Interface: Not Applicable
Severity: high
Impact: 223.23 Kbps/27 pps
Started: 2014-07-14 15:28:00
Ended: 2014-07-14 17:14:18
Link rate: 223.23 Kbps, 2232280.000000% of 10 bps
Protocol: ipv6-icmp
Interfaces: <Data not yet available>
URL: https://spsys.example.com/page?id=profiled_router_alert&alert_id=7058


Bandwidth Alert start email


Subject:
[Peakflow SP] IPv4 Bandwidth attack #7060 Incoming to managed_object
Body:
Type: Bandwidth
ID: 7060
IP Version: 4
Resource: managed_object
Router: Not Applicable
Interface: Not Applicable
Severity: high
Impact: 1.48 Mbps/181 pps
Started: 00:00:37 ago at 2014-07-14 15:28:00
Link rate: 1.48 Mbps, 14839200.000000% of 10 bps
Interfaces: <Data not yet available>
URL: https://spsys.example.com/page?id=profiled_router_alert&alert_id=7060

Bandwidth Alert end email


Subject:
[Peakflow SP] IPv4 Bandwidth attack #7060 Incoming to managed_object done
Body:
Type Bandwidth
ID: 7060
IP Version: 4
Resource: managed_object
Router: Not Applicable
Interface: Not Applicable
Severity: high
Impact: 1.48 Mbps/181 pps
Started: 2014-07-14 15:28:00
Ended: 2014-07-14 17:14:18
Link rate: 1.48 Mbps, 14839500.000000% of 10 bps
Router: 192.168.201.254 (profiled_router_router)
Input If.: 3 (POS3/3)
Output If.: 1 (POS2/0001)
URL: https://spsys.example.com/page?id=profiled_router_alert&alert_id=7060

Remote syslog changes for Profiled Router Alerts examples

Protocol Alert start syslog messages


Jul 7 17:13:44 spsys.example.com pfsp: anomaly Protocol id 6730 status ongoing severity 5
classification high impact "213.63 Kbps/26 pps" ipVer 4 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object" start 2014-07-07 17:12:32 +0000 duration 62 percent 2136330.000000 rate
10 rateUnit bps protocol ah flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6730, (managed object
"managed_object"), (parent managed object "nil"), (Router "nil"), (Interface "nil")

Jul 7 17:13:44 spsys.example.com pfsp: anomaly Protocol id 6731 status ongoing severity 5
classification high impact "201.89 Kbps/25 pps" ipVer 6 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object_v6" start 2014-07-07 17:12:32 +0000 duration 62 percent 2018940.000000
rate 10 rateUnit bps protocol gre flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6731, (managed object
"managed_object_v6"), (parent managed object "nil"), (Router "nil"), (Interface "nil")

Protocol Alert end syslog messages


Jul 7 17:20:20 spsys.example.com pfsp: anomaly Protocol id 6730 status done severity 5
classification high impact "213.63 Kbps/26 pps" ipVer 4 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object" start 2014-07-07 17:12:32 +0000 duration 457 percent 2136330.000000 rate
10 rateUnit bps protocol ah flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6730, (managed object
"managed_object"), (parent managed object "nil"), (Router "nil"), (Interface "nil")

Jul 7 17:20:17 spsys.example.com pfsp: anomaly Protocol id 6731 status done severity 5
classification high impact "209.84 Kbps/26 pps" ipVer 6 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object_v6" start 2014-07-07 17:12:32 +0000 duration 457 percent 2098430.000000
rate 10 rateUnit bps protocol gre flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6731, (managed object
"managed_object_v6"), (parent managed object "nil"), (Router "nil"), (Interface "nil")


Bandwidth Alert start syslog messages


Jul 7 17:13:50 spsys.example.com pfsp: anomaly Bandwidth id 6740 status ongoing severity
5 classification high impact "1.48 Mbps/181 pps" ipVer 4 src 0.0.0.0/0 "All" dst
0.0.0.0/0 "managed_object" start 2014-07-07 17:12:32 +0000 duration 62 percent
14836900.000000 rate 10 rateUnit bps protocol nil flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6740, (managed object
"managed_object"), (parent managed object "nil"), (Router "nil"), (Interface "nil")

Jul 7 17:13:50 spsys.example.com pfsp: anomaly Bandwidth id 6741 status ongoing severity
5 classification high impact "1.48 Mbps/181 pps" ipVer 6 src 0.0.0.0/0 "All" dst
0.0.0.0/0 "managed_object_v6" start 2014-07-07 17:12:32 +0000 duration 62 percent
14836900.000000 rate 10 rateUnit bps protocol nil flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6741, (managed object
"managed_object_v6"), (parent managed object "nil"), (Router "nil"), (Interface "nil")

Bandwidth Alert end syslog messages


Jul 7 17:20:14 spsys.example.com pfsp: anomaly Bandwidth id 6740 status done severity 5
classification high impact "1.48 Mbps/181 pps" ipVer 4 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object" start 2014-07-07 17:12:32 +0000 duration 457 percent 14839200.000000
rate 10 rateUnit bps protocol nil flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6740, (managed object
"managed_object"), (parent managed object "nil"), (Router "nil"), (Interface "nil")

Jul 7 17:20:15 spsys.example.com pfsp: anomaly Bandwidth id 6741 status done severity 5
classification high impact "1.48 Mbps/181 pps" ipVer 6 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object_v6" start 2014-07-07 17:12:32 +0000 duration 457 percent 14839200.000000
rate 10 rateUnit bps protocol nil flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6741, (managed object
"managed_object_v6"), (parent managed object "nil"), (Router "nil"), (Interface "nil")
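
The following is an added example, not Arbor's code: a parser for the pfsp anomaly syslog lines shown above that reads the ipVer field and pairs ongoing and done messages by alert id. The sample lines are copied from the examples above with the page's line wraps kept; the field and function names, and the reading of percent as a percentage of rate (inferred from the "Link rate" line in the email examples), are assumptions of this example.

```python
import re
from datetime import datetime

# Layout of the pfsp "anomaly" line, taken from the examples above. The group
# names are this example's own labels, not names from the SP documentation.
ANOMALY_RE = re.compile(
    r'(?P<host>\S+) pfsp: anomaly (?P<type>\S+) id (?P<id>\d+) '
    r'status (?P<status>\S+) severity (?P<severity>\d+) '
    r'classification (?P<classification>\S+) impact "(?P<impact>[^"]*)" '
    r'ipVer (?P<ip_version>\d+) src (?P<src>\S+) "(?P<src_name>[^"]*)" '
    r'dst (?P<dst>\S+) "(?P<dst_name>[^"]*)" '
    r'start (?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d [+-]\d{4}) '
    r'duration (?P<duration>\d+) percent (?P<percent>\d+(?:\.\d+)?) '
    r'rate (?P<rate>\d+) rateUnit (?P<rate_unit>\S+) '
    r'protocol (?P<protocol>\S+) flags (?P<flags>\S+) url (?P<url>[^,\s]+)'
)
UNITS = {"bps": 1, "Kbps": 10**3, "Mbps": 10**6, "Gbps": 10**9}

# Sample lines copied from the examples above, line wraps included.
SAMPLES = [
    '''Jul 7 17:13:44 spsys.example.com pfsp: anomaly Protocol id 6730 status ongoing severity 5
classification high impact "213.63 Kbps/26 pps" ipVer 4 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object" start 2014-07-07 17:12:32 +0000 duration 62 percent 2136330.000000 rate
10 rateUnit bps protocol ah flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6730, (managed object
"managed_object"), (parent managed object "nil"), (Router "nil"), (Interface "nil")''',
    '''Jul 7 17:13:44 spsys.example.com pfsp: anomaly Protocol id 6731 status ongoing severity 5
classification high impact "201.89 Kbps/25 pps" ipVer 6 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object_v6" start 2014-07-07 17:12:32 +0000 duration 62 percent 2018940.000000
rate 10 rateUnit bps protocol gre flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6731, (managed object
"managed_object_v6"), (parent managed object "nil"), (Router "nil"), (Interface "nil")''',
    '''Jul 7 17:20:20 spsys.example.com pfsp: anomaly Protocol id 6730 status done severity 5
classification high impact "213.63 Kbps/26 pps" ipVer 4 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object" start 2014-07-07 17:12:32 +0000 duration 457 percent 2136330.000000 rate
10 rateUnit bps protocol ah flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6730, (managed object
"managed_object"), (parent managed object "nil"), (Router "nil"), (Interface "nil")''',
    '''Apr 3 18:38:30 spsys.example.com pfsp: GRE tunnel gre-tunnel-001 down for destination
192.0.2.27, leader spsys since 2014-04-03 18:38:20 GMT''',
]


def parse_impact(impact):
    """Split an impact string such as '1.48 Mbps/181 pps' into (bps, pps)."""
    m = re.fullmatch(r'(\d+(?:\.\d+)?) (\w+)/(\d+) pps', impact)
    if not m or m.group(2) not in UNITS:
        return None, None  # unit not seen in the page's examples
    return round(float(m.group(1)) * UNITS[m.group(2)]), int(m.group(3))


def parse_anomaly(raw):
    """Return a dict for a pfsp anomaly line, or None for any other message."""
    line = " ".join(raw.split())  # undo line wraps and repeated spaces
    m = ANOMALY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    for key in ("id", "severity", "ip_version", "duration", "rate"):
        rec[key] = int(rec[key])
    rec["percent"] = float(rec["percent"])
    rec["start"] = datetime.strptime(rec["start"], "%Y-%m-%d %H:%M:%S %z")
    rec["impact_bps"], rec["impact_pps"] = parse_impact(rec["impact"])
    # Assumption: percent is the observed traffic as a percentage of rate.
    rec["observed"] = rec["percent"] * rec["rate"] / 100
    return rec


def correlate(raw_lines):
    """Keep the latest state per alert id; a 'done' record is never reopened."""
    alerts = {}
    for raw in raw_lines:
        rec = parse_anomaly(raw)
        if rec is None:
            continue
        prev = alerts.get(rec["id"])
        if prev and prev["status"] == "done" and rec["status"] != "done":
            continue  # late or duplicate 'ongoing' after the alert ended
        alerts[rec["id"]] = {k: rec[k] for k in
                             ("type", "ip_version", "dst_name", "status", "duration")}
    return alerts


def open_alerts(alerts):
    """Alert ids that have not yet been reported as done."""
    return sorted(i for i, a in alerts.items() if a["status"] != "done")


if __name__ == "__main__":
    state = correlate(SAMPLES)
    for alert_id, info in sorted(state.items()):
        print(alert_id, info)
    print("still open:", open_alerts(state))
```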

SNMP changes for Profiled Router Alerts examples

Protocol Alert start SNMP messages


2014-07-07 13:13:24 spsys.example.com [UDP: [192.0.2.121]:27628->[192.0.2.190]:162]:
iso.3.6.1.2.1.1.3.0 = Timeticks: (728309) 2:01:23.09 iso.3.6.1.6.3.1.1.4.1.0 = OID:
iso.3.6.1.4.1.9694.1.1.3.0.3 iso.3.6.1.4.1.9694.1.1.1.2 = INTEGER: 6730
iso.3.6.1.4.1.9694.1.1.1.3 = STRING: "Incoming" iso.3.6.1.4.1.9694.1.1.1.17 =
INTEGER: 4 iso.3.6.1.4.1.9694.1.1.1.4 = STRING: "managed_object"
iso.3.6.1.4.1.9694.1.1.1.9 = Gauge32: 2136330 iso.3.6.1.4.1.9694.1.1.1.16 =
STRING: "high" iso.3.6.1.4.1.9694.1.1.1.11 = STRING: "2014-07-07 17:12:32"
iso.3.6.1.4.1.9694.1.1.1.12 = Timeticks: (6200) 0:01:02.00
iso.3.6.1.4.1.9694.1.1.1.15 = STRING: "data not yet available"
iso.3.6.1.4.1.9694.1.1.1.1 = STRING:
"https://spsys.example.com/page?id=profiled_router_alert&alert_id=6730"
iso.3.6.1.4.1.9694.1.1.1.8 = STRING: "ah"

2014-07-07 13:13:25 spsys.example.com [UDP: [192.0.2.121]:23953->[192.0.2.190]:162]:
iso.3.6.1.2.1.1.3.0 = Timeticks: (728369) 2:01:23.69 iso.3.6.1.6.3.1.1.4.1.0 = OID:
iso.3.6.1.4.1.9694.1.1.3.0.3 iso.3.6.1.4.1.9694.1.1.1.2 = INTEGER: 6731
iso.3.6.1.4.1.9694.1.1.1.3 = STRING: "Incoming" iso.3.6.1.4.1.9694.1.1.1.17 =
INTEGER: 6 iso.3.6.1.4.1.9694.1.1.1.4 = STRING: "managed_object_v6"
iso.3.6.1.4.1.9694.1.1.1.9 = Gauge32: 2018940 iso.3.6.1.4.1.9694.1.1.1.16 =
STRING: "high" iso.3.6.1.4.1.9694.1.1.1.11 = STRING: "2014-07-07 17:12:32"
iso.3.6.1.4.1.9694.1.1.1.12 = Timeticks: (6200) 0:01:02.00
iso.3.6.1.4.1.9694.1.1.1.15 = STRING: "data not yet available"
iso.3.6.1.4.1.9694.1.1.1.1 = STRING:
"https://spsys.example.com/page?id=profiled_router_alert&alert_id=6731"
iso.3.6.1.4.1.9694.1.1.1.8 = STRING: "gre"

Protocol Alert end SNMP messages


2014-07-07 13:20:01 spsys.example.com [UDP: [192.0.2.121]:11531->[192.0.2.190]:162]:
iso.3.6.1.2.1.1.3.0 = Timeticks: (767930) 2:07:59.30 iso.3.6.1.6.3.1.1.4.1.0 = OID:
iso.3.6.1.4.1.9694.1.1.3.0.6 iso.3.6.1.4.1.9694.1.1.1.2 = INTEGER: 6730
iso.3.6.1.4.1.9694.1.1.1.3 = STRING: "Incoming" iso.3.6.1.4.1.9694.1.1.1.17 =
INTEGER: 4 iso.3.6.1.4.1.9694.1.1.1.4 = STRING: "managed_object"
iso.3.6.1.4.1.9694.1.1.1.9 = Gauge32: 2136330 iso.3.6.1.4.1.9694.1.1.1.16 =
STRING: "high" iso.3.6.1.4.1.9694.1.1.1.11 = STRING: "2014-07-07 17:12:32"
iso.3.6.1.4.1.9694.1.1.1.12 = Timeticks: (45700) 0:07:37.00
iso.3.6.1.4.1.9694.1.1.1.15 = STRING: "router 192.168.201.254 in 3 out 1"
iso.3.6.1.4.1.9694.1.1.1.1 = STRING:
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6730

2014-07-07 13:19:58 spsys.example.com [UDP: [192.0.2.121]:20407->[192.0.2.190]:162]:
iso.3.6.1.2.1.1.3.0 = Timeticks: (767628) 2:07:56.28 iso.3.6.1.6.3.1.1.4.1.0 = OID:
iso.3.6.1.4.1.9694.1.1.3.0.6 iso.3.6.1.4.1.9694.1.1.1.2 = INTEGER: 6731
iso.3.6.1.4.1.9694.1.1.1.3 = STRING: "Incoming" iso.3.6.1.4.1.9694.1.1.1.17 =
INTEGER: 6 iso.3.6.1.4.1.9694.1.1.1.4 = STRING: "managed_object_v6"
iso.3.6.1.4.1.9694.1.1.1.9 = Gauge32: 2098430 iso.3.6.1.4.1.9694.1.1.1.16 =
STRING: "high" iso.3.6.1.4.1.9694.1.1.1.11 = STRING: "2014-07-07 17:12:32"
iso.3.6.1.4.1.9694.1.1.1.12 = Timeticks: (45700) 0:07:37.00
iso.3.6.1.4.1.9694.1.1.1.15 = STRING: "data not yet available"
iso.3.6.1.4.1.9694.1.1.1.1 = STRING:
"https://spsys.example.com/page?id=profiled_router_alert&alert_id=6731"

Bandwidth Alert start SNMP messages


2014-07-07 13:13:31 spsys.example.com [UDP: [192.0.2.121]:29781->[192.0.2.190]:162]:
iso.3.6.1.2.1.1.3.0 = Timeticks: (728933) 2:01:29.33 iso.3.6.1.6.3.1.1.4.1.0 = OID:
iso.3.6.1.4.1.9694.1.1.3.0.1 iso.3.6.1.4.1.9694.1.1.1.2 = INTEGER: 6740
iso.3.6.1.4.1.9694.1.1.1.3 = STRING: "Incoming" iso.3.6.1.4.1.9694.1.1.1.17 =
INTEGER: 4 iso.3.6.1.4.1.9694.1.1.1.4 = STRING: "managed_object"
iso.3.6.1.4.1.9694.1.1.1.9 = Gauge32: 14836900 iso.3.6.1.4.1.9694.1.1.1.16 =
STRING: "high" iso.3.6.1.4.1.9694.1.1.1.11 = STRING: "2014-07-07 17:12:32"
iso.3.6.1.4.1.9694.1.1.1.12 = Timeticks: (6200) 0:01:02.00
iso.3.6.1.4.1.9694.1.1.1.15 = STRING: "data not yet available"
iso.3.6.1.4.1.9694.1.1.1.1 = STRING:
"https://spsys.example.com/page?id=profiled_router_alert&alert_id=6740"

2014-07-07 13:13:31 spsys.example.com [UDP: [192.0.2.121]:26481->[192.0.2.190]:162]:
iso.3.6.1.2.1.1.3.0 = Timeticks: (728993) 2:01:29.93 iso.3.6.1.6.3.1.1.4.1.0 = OID:
iso.3.6.1.4.1.9694.1.1.3.0.1 iso.3.6.1.4.1.9694.1.1.1.2 = INTEGER: 6741
iso.3.6.1.4.1.9694.1.1.1.3 = STRING: "Incoming" iso.3.6.1.4.1.9694.1.1.1.17 =
INTEGER: 6 iso.3.6.1.4.1.9694.1.1.1.4 = STRING: "managed_object_v6"
iso.3.6.1.4.1.9694.1.1.1.9 = Gauge32: 14836900 iso.3.6.1.4.1.9694.1.1.1.16 =
STRING: "high" iso.3.6.1.4.1.9694.1.1.1.11 = STRING: "2014-07-07 17:12:32"
iso.3.6.1.4.1.9694.1.1.1.12 = Timeticks: (6200) 0:01:02.00
iso.3.6.1.4.1.9694.1.1.1.15 = STRING: "data not yet available"
iso.3.6.1.4.1.9694.1.1.1.1 = STRING:
"https://spsys.example.com/page?id=profiled_router_alert&alert_id=6741"

Bandwidth Alert end SNMP messages


2014-07-07 13:19:55 spsys.example.com [UDP: [192.0.2.121]:26384->[192.0.2.190]:162]:
iso.3.6.1.2.1.1.3.0 = Timeticks: (767322) 2:07:53.22 iso.3.6.1.6.3.1.1.4.1.0 = OID:
iso.3.6.1.4.1.9694.1.1.3.0.6 iso.3.6.1.4.1.9694.1.1.1.2 = INTEGER: 6740
iso.3.6.1.4.1.9694.1.1.1.3 = STRING: "Incoming" iso.3.6.1.4.1.9694.1.1.1.17 =
INTEGER: 4 iso.3.6.1.4.1.9694.1.1.1.4 = STRING: "managed_object"
iso.3.6.1.4.1.9694.1.1.1.9 = Gauge32: 14839200 iso.3.6.1.4.1.9694.1.1.1.16 =
STRING: "high" iso.3.6.1.4.1.9694.1.1.1.11 = STRING: "2014-07-07 17:12:32"
iso.3.6.1.4.1.9694.1.1.1.12 = Timeticks: (45700) 0:07:37.00
iso.3.6.1.4.1.9694.1.1.1.15 = STRING: "router 192.168.201.254 in 3 out 1"
iso.3.6.1.4.1.9694.1.1.1.1 = STRING:
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6740

2014-07-07 13:19:56 spsys.example.com [UDP: [192.0.2.121]:19392->[192.0.2.190]:162]:
iso.3.6.1.2.1.1.3.0 = Timeticks: (767448) 2:07:54.48 iso.3.6.1.6.3.1.1.4.1.0 = OID:
iso.3.6.1.4.1.9694.1.1.3.0.6 iso.3.6.1.4.1.9694.1.1.1.2 = INTEGER: 6741
iso.3.6.1.4.1.9694.1.1.1.3 = STRING: "Incoming" iso.3.6.1.4.1.9694.1.1.1.17 =
INTEGER: 6 iso.3.6.1.4.1.9694.1.1.1.4 = STRING: "managed_object_v6"
iso.3.6.1.4.1.9694.1.1.1.9 = Gauge32: 14839200 iso.3.6.1.4.1.9694.1.1.1.16 =
STRING: "high" iso.3.6.1.4.1.9694.1.1.1.11 = STRING: "2014-07-07 17:12:32"
iso.3.6.1.4.1.9694.1.1.1.12 = Timeticks: (45700) 0:07:37.00
iso.3.6.1.4.1.9694.1.1.1.15 = STRING: "data not yet available"
iso.3.6.1.4.1.9694.1.1.1.1 = STRING:
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6741


Alert Message Notifications


In Arbor Networks SP 8.1, syslog alert message notifications have been changed as follows:
• Source IP addresses are no longer included in start messages.
• Targeted host and impact value are no longer included in stop messages.
• Dates and times are displayed according to the timezone setting of the notification group.
• A timestamp was added in or at the end of some syslog alert messages.

High interface usage message example (start)


Sep 14 17:15:05 192.0.2.0 pfsp: High interface usage alert #105 started at 2017-09-14
13:15:00 EST for router router-chicago interface "POS1/0" speed 100.00 Mbps threshold 95%
observed 160.01 Mbps pct 160.0%

High interface usage message example (stop)


Sep 14 17:16:05 192.0.2.0 pfsp: High interface usage alert #105 ended at 2017-09-14
14:15:00 EST for router router-chicago interface "POS1/0"

BGP trap message example


Jun 22 17:21:06 192.0.2.0 pfsp: BGP Trap "test": Prefix 0.0.0.0/0 up; Timestamp: 2017-06-
22 06:21:00 SST; Old BGP attributes: ; New BGP attributes:
10420|IGP|203.0.113.15|0|0|13414:20002 13414:21001 13414:30001 13414:30012||NULL|||||NULL

Configuration change message example


Sep 14 15:29:16 192.0.2.0 pfsp: The configuration was changed on leader SP-leader to
version 1.10 by SP-leader/admin at 2017-09-14 15:29:11 EST

Notifications Include Diversion and Protection Prefixes


In Arbor Networks SP 8.2, email and SNMP notifications were updated to include protection and diversion
prefixes.

Mitigation start examples for email notifications

Subject:
[Peakflow SP] TMS mitigation 'IP4Mit' started
Body:
Mitigation ID: 44
Leader: leader05
Name: IP4Mit
Started: 00:00:02 ago at 2017-03-15 18:49:23 UTC
Alert ID: (None)
Managed Object: (None)
Community: (None)
Timeout: (None)
Protection Prefix Count: 3
Protection Prefix 1: 192.168.8.0/24
Diversion Prefix Count: 1
Diversion Prefix 1: 192.168.8.0/24
Filter: (None)
Zombie Threshold (bps): 2000000
Zombie Threshold (pps): 500

Mitigation start example for SNMP notifications

2016-12-15 00:06:25 spsys.example.com [UDP: [192.0.2.183]:21631->[192.0.2.190]:162]:
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (9465101) 1 day, 2:17:31.01 SNMPv2-
MIB::snmpTrapOID.0 = OID: PEAKFLOW-SP-MIB::peakflowSPTrapsEnumerate.57 PEAKFLOW-SP-
MIB::spMitigationID = Gauge32: 44 PEAKFLOW-SP-MIB::spMitigationName = STRING: IP4Mit
PEAKFLOW-SP-MIB::spAlertID = Gauge32: 0 PEAKFLOW-SP-MIB::spManagedObject = STRING: (None)
PEAKFLOW-SP-MIB::spTMSPrefix = STRING: 198.51.100.0/32 PEAKFLOW-SP-MIB::spTMSCommunity =
STRING: PEAKFLOW-SP-MIB::spTMSTimeout = STRING: PEAKFLOW-SP-MIB::spMitigationStart =
STRING: 2016-12-15 00:08:19 UTC PEAKFLOW-SP-MIB::spTMSMultiPrefix = STRING:
192.0.2.16/32, 203.0.113.16/32, PEAKFLOW-SP-MIB::spTMSMultiDiversionPrefix = STRING:
"198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24"
