Arbor SP 8.4.0-Release Notes 20180411
Arbor SP 8.4.0-Release Notes 20180411
Arbor SP 8.4.0-Release Notes 20180411
4
Release Notes
Arbor Networks SP 8.4 Release Notes
The information contained within this document is subject to change without notice. Arbor Networks, Inc.
makes no warranty of any kind with regard to this material, including, but not limited to, the implied
warranties of merchantability and fitness for a particular purpose. Arbor Networks, Inc. shall not be liable
for errors contained herein or for any direct or indirect, incidental, special, or consequential damages in
connection with the furnishings, performance, or use of this material.
Copyright © 2018 Arbor Networks, Inc. All rights reserved. Arbor Networks, the Arbor Networks logo,
ArbOS, and ATLAS are all trademarks of Arbor Networks, Inc. All other brands may be the trademarks of
their respective owners. Proprietary and Confidential Information of Arbor Networks, Inc.
Document Number: SP_ RN-84-2018/04
11 April 2018
Contents
Introduction ................................................................................................................................................. 5
Appendixes ................................................................................................................................................ 31
Appendix A: Notification Changes from SP/TMS 7.6 to SP/TMS 8.4 ................................................... 31
Miscellaneous changes to arbornet-sp.mib ................................................................................... 31
GRE Tunnel Down Alerts Include GRE tunnel name .................................................................... 31
Profiled Router Alerts ..................................................................................................................... 32
Alert Message Notifications ........................................................................................................... 36
Notifications Include Diversion and Protection Prefixes ................................................................ 36
Introduction
This document includes release information about Arbor Networks SP 8.4. Release information about
TMS 8.4.0 is in a separate document.
The Arbor Networks SP 8.4 software release is Generally Available from April 12, 2018 until April 12,
2020, at which time it will go End of Maintenance.
Setting Description
Host detection settings Administration > Monitoring > Managed Objects > Host Detection
These settings determine the criteria used by host detection to detect attacks. They
apply on a per-managed object basis.
Mitigation settings Administration > Monitoring > Managed Objects > Mitigation > IPv4 Flowspec
Auto-Mitigations
These settings determine whether flowspec auto-mitigations are enabled for a
customer managed object. They apply on a per-managed object basis.
System-wide settings Administration > Mitigation > IPv4 Flowspec Auto-Mitigation Settings
These settings determine how flowspec auto-mitigations are carried out. They apply to
all flowspec auto-mitigations.
Support for managed objects that match both IPv4 and IPv6 prefixes
You can now create managed objects that match both IPv4 and IPv6 prefixes. This allows you to
streamline the management of your deployment by including its resources in fewer managed objects.
This feature applies to managed objects with the following match types:
• Advanced Boolean Matching
General notes for managed objects that match both IPv4 and IPv6 prefixes
Keep the following in mind if your deployment includes managed objects that match both IPv4 and IPv6
prefixes:
• Alerts are generated separately for IPv4 and IPv6 traffic.
• Auto-mitigations are started separately for IPv4 and IPv6 traffic.
• Most reports do not include information about IPv6 traffic. If a managed object matches both IPv4 and
IPv6 prefixes, most reports for that managed object include only IPv4 traffic.
• Some reports combine both IPv4 and IPv6 traffic. If you need to view separate reports for IPv4 and
IPv6 traffic, create separate managed objects for IPv4 and IPv6 prefixes.
Profiled network detection for managed objects that match both IPv4 and IPv6 prefixes
When using profiled network detection with managed objects that match both IPv4 and IPv6 prefixes,
note the following limitations:
• If a managed object matches both IPv4 and IPv6 prefixes, the baselines calculated for profiled
network detection consider the combination of both IPv4 and IPv6 traffic.
• Profiled network detection generates alerts for IPv4 traffic only.
• If a managed object matches both IPv4 and IPv6 prefixes, IPv4 traffic must exceed the baselines that
were calculated from a combination of both IPv4 and IPv6 traffic in order for an alert to be generated.
For these reasons, if you are using profiled network detection for a managed object, we recommend
creating separate managed objects for IPv4 prefixes and IPv6 prefixes.
Constrain protected prefixes setting for managed objects that match both IPv4 and IPv6 prefixes
As in previous versions of SP, if you set constraint prefixes, auto-mitigations protect only prefixes that fall
within the constraint prefixes. In SP 8.4, because both IPv4 and IPv6 prefixes can be auto-mitigated as
part of the same managed object, some caution is required when setting constraint prefixes for managed
objects that match both IPv4 and IPv6 prefixes.
For example, if the managed object matches both IPv4 and IPv6 prefixes and you specify only IPv4
prefixes for the Constrain Protected Prefixes setting on the managed object’s Mitigation tab, IPv6
prefixes are not auto-mitigated.
Support for IPv4 and IPv6 auto-mitigations in the same managed object
SP can create auto-mitigations that apply to IPv4 and IPv6 traffic associated with the same managed
object. Auto-mitigations are started separately for IPv4 and IPv6 traffic.
These settings are found on the managed object’s Mitigation tab. Note that some settings apply to IPv4
or IPv6 traffic only, and some settings apply to both IPv4 and IPv6 traffic. For example:
• You can select the auto-mitigation template that applies to IPv4 traffic and IPv6 traffic separately
using the Auto-Mitigation Template – IPv4 setting and the Auto-Mitigation Template – IPv6
setting.
• You can enable alert-triggered auto-mitigations that mitigate both IPv4 and IPv6 traffic by selecting
Alert-triggered.
• You can enable traffic-triggered auto-mitigations by selecting IPv4 Traffic-triggered, but it applies to
IPv4 traffic only.
For details, refer to the SP and TMS User Guide.
AIF templates
If your SP deployment includes TMS, you can now use AIF templates to quickly and easily configure TMS
mitigation templates to block new types of DDoS attacks. AIF templates contain attack-specific settings
for TMS countermeasures. These settings correspond to settings in TMS mitigations and TMS mitigation
templates. With a valid ATLAS Intelligence Feed (AIF) license, you can download the latest AIF templates
automatically or on demand.
The Arbor Security Engineering and Response Team (ASERT) continually configures new AIF templates
to block new types of attacks. The settings in AIF templates reflect the most recent ATLAS intelligence
and the ASERT team’s extensive research, analysis, and experience.
You can merge the settings in an AIF template with the corresponding settings in one or more TMS
mitigation templates. To help you choose the best AIF template to merge, see the list of available AIF
templates on the new AIF Templates page in SP 8.4 (Administration > Mitigation > AIF Templates).
On the AIF Templates page, each list item shows the name and detailed description for an AIF template.
The name tells you the types of attacks that the AIF template can mitigate. The description tells you what
mitigation settings the AIF template contains and how to use them properly. The list also tells you when
the AIF template was last updated, and which versions of SP are compatible with the settings in that AIF
template.
Note: SP can be configured to notify you when it downloads new or changed AIF templates from the AIF
feed. To immediately download the latest AIF templates, click Update Now at the top of the
AIF Templates page.
When you are ready to create new TMS mitigation templates that contains the settings in an AIF
template, go to the Mitigation Templates page (Administration > Mitigation > AIF Templates). Select
one or more TMS mitigation templates in the list and then select Merge AIF Template.
In the Merge AIF Template dialog, select an AIF template to merge, and then choose Save Merged
Templates. SP merges the AIF template with each selected TMS mitigation template. Then, SP saves
each merged template as a new, separate template. Each new TMS mitigation template contains the
settings from the AIF template. They also contain legacy settings that the merge did not change. You can
apply the new, merged templates to the TMS mitigations in your deployment.
For more information about AIF templates, see "About ATLAS Intelligence Feed (AIF) Templates for TMS
Mitigations" and "Merging an AIF Template with TMS Mitigation Templates" in the SP and TMS User
Guide.
The following table describes example SP Insight filter box settings and their results. The first example
describes functionality available in earlier versions of SP Insight; the other examples describe
functionality that is new to SP Insight in SP 8.4.
Command Result
services sp device insight limit_ingestion_routers enable Enables limiting flow by router.
services sp device insight limit_ingestion_routers disable Disables limiting flow by router.
services sp device insight limit_ingestion_routers show Displays whether limiting flow
by router is enabled or
disabled.
services sp device insight limit_routers_set add name Adds the router specified by
name to the set of routers that
may send flow to SP Insight.
services sp device insight limit_routers_set delete name Deletes the router specified by
name from the set of routers
that may send flow to SP
Insight.
services sp device insight limit_routers_set show Shows the current set of
routers that may send flow to
SP Insight.
services sp device insight limit_routers_set clear Clears the list of routers that
may send flow to SP Insight.
SNMP trap destinations for notification groups can be specified by port number,
hostname
When adding or editing a notification group on the Notification Groups page (Administration >
Notification > Groups), you can now specify the SNMP trap destination by IP address:port,
hostname, and hostname:port.
Note: Destinations that contain port numbers and hostnames are removed when sending SNMP trap
information to the TMS. Therefore, when configuring the notification group that is used as the default
notification group, enter at least one destination that is specified by IP address only. For more
information, see “Configuring Notification Groups” in the SP and TMS Advanced Configuration Guide.
Version upgrade
The SP REST API was upgraded from version 3 in SP 8.3 to version 4 in SP 8.4.
For descriptions of breaking changes from version 3 to version 4, see Administration > REST API
Documentation > Breaking Changes > V.4 Breaking Changes in the SP UI.
New endpoints
Updated endpoints
The following endpoints were updated in version 4 with significant new functionality:
• /alerts/
Added the ability to create a new ticket attribute and/or a new classification attribute in a POST
request. You can only POST a new alert if the alert_type attribute is cloud_mit_request. The
ticket value can be any alphanumeric string. For descriptions of alert classification types, see “About
Alert Classification” in the SP and TMS User Guide.
• /alerts/<alert_id>/
▪ Added the mitigation relationship. An alert can have more than one mitigation so the
relationship is “to-many”. The relationship data for each mitigation associated with an alert has a
separate id. The relationship type is mitigation for all mitigation relationships.
▪ Added the ability to PATCH the ticket attribute and/or the classification attribute for an alert
with any alert_type attribute. The ticket value can be any alphanumeric string. See New ways
to POST and PATCH ticket and classification data with alerts endpoints on page 15.
• /alerts/ and /alerts/<alert_id>/
Added support for the include parameter. This parameter value is a comma-separated list of
relationships and/or paths to “nested” relationships. Use dot separators in relationship paths. For
example:
..?include=annotations,traffic.protocols
Note: Relationship paths in the include parameter can have any number of nested relationships.
• /alerts/<alert_id>/traffic
The traffic endpoint for an alert now lists all 13 alert traffic relationships, even if one or more of
those relationships has no data.
• /insight/timeseries and /insight/topn
The calculation attribute was added. This attribute allows the API to return traffic data that is
calculated using one of four different methods (last, average, max, and pct95.)
• /managed_objects/
▪ The match value specified for managed objects with the cidr_blocks match type can now
include both IPv4 and IPv6 prefixes.
▪ Added the mitigation_flowspec_auto_enabled parameter, which allows SP to use flow
specification to auto-mitigate traffic associated with the corresponding managed object. The
global settings that determine how flow specification auto-mitigations are carried out are in the
new global_afsm_settings endpoint.
▪ Added support for a compatibility flag (?compat=managed_objects_v4) that allows you to
continue to use older versions of the SP REST API with the managed_objects endpoint.
• /mitigations/
▪ Flowspec mitigations (mitigations with the flowspec sub-type) now support POST, PATCH, and
DELETE.
For more information about these endpoints, navigate to Administration > REST API Documentation >
SP API V.4 REST Interface in the SP web UI.
Before SP 8.4, all users had administrator access to SP features and data through the SP REST API. As
of SP 8.4, this is no longer the case.
In SP 8.4, your access to SP features and data through the REST API now depends on the following
authorizations that are configured in the SP UI:
• The scoping for your account group (i.e., the managed objects assigned to your account group).
• The capabilities assigned to your account group.
• Whether or not your account group is a managed services group deployed by a managed security
service provider (“mssp”).
How scoping affects access to SP through the SP REST API
Your access to SP through the REST API is scoped to your account group's assigned managed objects
(if any) and their child managed objects.
As a scoped user, you can do the following with managed object data in the SP REST API:
• GET, PATCH, or DELETE managed object data within your scope.
• POST a new child managed object if the parent managed object is assigned to your account group.
If your account group is not scoped, you can GET, POST, PATCH, or DELETE managed object data for
any managed objects if your account group has the required capabilities.
How capabilities affect access to SP through the SP REST API
In addition to scoping, your account group's capabilities determine which REST API endpoints you can
access (GET, POST, PATCH, or DELETE). For example:
• The sp_restapi capability allows you to access an endpoint if you have all other capabilities that are
required to access that endpoint. Your managed object scoping must also allow access to that
endpoint’s managed object data. See How scoping affects access to SP through the SP REST API
above.
• The sp_admin capability allows you to edit and manage your SP configuration through requests to
any REST API endpoint except /mitigations/ and /alerts/. These two endpoints require one or
more separate capabilities, such as sp_tms_mitigations and sp_alerts.
Note: Some capabilities in the SP UI do not affect access to any endpoints in the REST API.
For a complete list of capabilities required by REST API V.4 endpoints in SP 8.4, see Administration >
REST API Documentation > SP API V.4 REST Interface > API Introduction > Authorization in the SP
UI.
How mssp user status affects access to SP through the SP REST API
In the SP 8.4 UI, mssp users (members of a managed services account group) are scoped to one or
more managed objects. However, in the SP REST API, mssp users cannot access the configuration data
for any managed object, including the managed objects in their scope. Specifically, mssp users cannot
GET, POST, PATCH, or DELETE any /managed_objects/ collection or instance endpoint.
Other tasks that mssp users can perform in the UI but cannot perform through the REST API include:
• Commit a system configuration change message. Specifically, mssp users cannot POST to the
/config/ endpoint unless they have the sp_portal_admin capability. See How capabilities affect
access to SP through the SP REST API above.
• Delete an alert that they are authorized to delete in the UI. Specifically, mssp users cannot send a
DELETE request to an /alerts/<alert-id> instance endpoint.
• Edit the classification for an alert that they are authorized to edit in the UI. Specifically, mssp users
cannot PATCH the value of the classification attribute in an /alerts/<alert-id> instance
endpoint.
New ways to POST and PATCH ticket and classification data with alerts endpoints
SP 8.4 extends your ability to POST and PATCH alert ticket and classification data in alerts endpoints.
For example, you can now do the following:
• POST a new cloud_mit_request alert with a ticket number attribute and/or a classification attribute.
• PATCH the ticket number attribute and/or classification attribute in any type of alert.
Note: cloud_mit_request alerts are the only type of alert that you can POST. They are also the only
type of alert in which you can PATCH data other than the ticket number and classification.
For descriptions of alert classification types, see “About Alert Classification” in the SP and TMS User
Guide.
Password requirements
The following are no longer requirements for SP passwords:
• cannot be only letters followed by only digits (for example, abCD123)
• cannot be only digits followed by only letters (for example, 123abCD)
When you change your SP password, the following are requirements for the new password:
• cannot be only digits followed by only uppercase letters (for example, 123ABCD)
• cannot be only digits followed by only lowercase letters (for example, 123abcd)
• cannot be only uppercase letters followed by only digits (for example, ABCD123)
• cannot be only uppercase letters followed by only lowercase letters (for example, ABCDefgh)
• cannot be only lowercase letters followed by only digits (for example, abcd123)
• cannot be only lowercase letters followed by only uppercase letters (for example, abcdEFGH)
Also, the default minimum password length was increased from 7 to 10 characters.
These changes in behavior are a result of SP fixed issues 82682 and 83220.
SP Insight: Links to SP Insight filter query result pages may require updating
As a result of the changes to facet values SP Insight, links to SP Insight filter query result pages created
before SP 8.4 may not work in SP 8.4. In this case you can update the link URL manually, or you can use
the SP Insight page to recreate the filter query and create a new link.
SP REST API: page and perPage query error key name changed from V.3 to V.4
Note: This change only affects the /alerts/ and /mitigations/ endpoints in the SP REST API
versions 3 and 4.
The SP REST API versions 3 and 4 both return an error if you submit a request with an invalid page or
perPage query value. For example, the following request returns an error because the perPage value is a
negative number:
GET https://sp.example.com/api/sp/alerts/?perPage=-1
• The SP REST API V.3 returns perPage error messages in the id key.
• The SP REST API V.4 returns page and perPage error messages in the detail key.
Flexible license files that are used in an SP deployment with a leader running SP 8.3.x or lower
do not work with SP 8.4.x. To obtain a flexible license file that is compatible with SP 8.4.x,
please open a support request with the Arbor Technical Assistance Center (ATAC) at
https://support.arbornetworks.com/
You will receive a new license server URL (for cloud-based flexible licensing) or a new flexible
license file (for locally-managed flexible licensing).
Before you upgrade to SP 8.4.x, set the new license server URL or install the new license file.
For more information, see the SP and TMS Licensing Guide at https://support.arbornetworks.com/
Multi-version compatibility
SP 8.4 is compatible with earlier versions of SP and TMS. This allows you to upgrade the devices in your
deployment in stages. For details about multi-version compatibility, refer to the SP and TMS Compatibility
Guide as described below.
• To determine which versions of SP and TMS software can be paired with each other, see the
“SP/TMS Software Version Compatibility Matrix” in the “SP and TMS Software Compatibility” section.
• For information about multi-version upgrades and deployments, and Arbor’s guidelines for running a
multi-version deployment, see the “Multi-Version Support in SP and TMS Software” section.
The SP and TMS Compatibility Guide is available from the Arbor Technical Assistance Center
(https://support.arbornetworks.com).
IMPORTANT: Before you upgrade appliances in your deployment, refer to the rules and guidelines for
multi-version deployments that are explained in the SP and TMS Compatibility Guide. It includes software
version matrices to help you verify that all post-upgrade software version pairings will be supported in
your multi-version deployment.
Wizard and Classic XML Reports Are Not Synchronized Between User Interface Devices
When upgrading from SP 8.1.x or lower to SP 8.4, wizard reports that reside on non-leader User Interface
(UI) devices must be copied to the leader device in order to access or run the reports. Scheduled wizard
reports cannot run if they are missing from the leader or if they are on non-leader devices, even if they
ran in previous SP versions.
During an upgrade from SP 8.1.x or lower to SP 8.4, the leader device lists missing wizard reports and
non-leaders warn you if local wizard reports are found. The leader device also lists missing wizard reports
when you start services on it.
All classic XML report names appear on both leader and non-leader UI devices, where you can also run
those reports. However, you can edit classic XML reports and see the report results only on the leader.
To check for custom reports that need to be copied to the leader:
4. On the leader, log in to the CLI with your administrator user name and password.
5. In the CLI, enter / services sp reports custom check
To copy custom reports from a non–leader to a leader:
6. On the non–leader, log in to the CLI with your administrator user name and password.
7. To show the reports that need to be copied, enter / services sp reports custom find_old
8. You can copy the reports to the leader individually or together as a group:
• To copy a specific report to the leader, enter / services sp reports custom find_old
copy REPORT_ID
• To copy all the reports to the leader, enter / services sp reports custom find_old
copy all
If there are reports that you do not want to copy, you can delete them using Administration > Reports.
Supported Models
SP Appliances
TMS Models
Router Requirements
SP is compatible with any router that exports RFC-compliant netflow and includes all the RFC-required
fields. SP supports netflow v5, v9, ipfix, and sflow.
Communication Ports
Required Ports
The following table lists the ports that SP uses and that are required for a deployment to operate
correctly. When the following terms appear in this table, they refer to appliance roles with flexible
licensing and to appliance types with appliance‑based licensing:
• data storage
• traffic and routing analysis
• user interface
References in this table to the FS appliance (Flow Sensor) only apply to appliance-based licensing.
Optional Ports
The following ports are optional and only need to be enabled if you are using the corresponding service:
All ATLAS services require you to open access to hosts outside your network. These host live across the
internet and leverage modern content delivery networks and web services.
Important: Because each of these services uses DNS to find the IP address of the ATLAS service, the IP
addresses of the services may change. If an ATLAS service cannot connect to the service IP address,
you may need to check the current DNS results for the addresses listed in the following table and update
your firewall rules. Use of a proxy server for outbound connections is an excellent method for accessing
these services. Contact the Arbor Technical Assistance Center (https://support.arbornetworks.com) if you
have any questions or have special requirements.
The following table lists the ATLAS services:
Untracked Interfaces
In addition to the data gathered on a per-interface basis, there can be untracked interfaces, which have
the following properties:
• They are on a router that was configured with the “Enable Dynamic Subscriber Interface Handling”
option.
• Their SNMP interface names/descriptions do not match a configured Interface Classification rule OR
the interfaces are not represented in the SNMP data obtained from the involved router.
Note: Only 400,000 interfaces with SNMP information can be processed, even if they are untracked
interfaces. The 700,000-interface limit can only be reached if a very large number of the interfaces
have no SNMP presence whatsoever.
• They do not appear in any interface page or report in the product.
• They do not impact any interface scaling limitation on the deployment. Therefore, there can be an
unlimited number of these kinds of interfaces on a particular collector or on the deployment in
general.
• They can have flow sent for them by the router and it will be tracked on a per-router basis in a single
aggregate interface. This appears in normal interface pages and reports.
• The flow sent for these interfaces is constrained by the normal stated flow processing limits on a per-
appliance basis, as well as the normal licensed limits on a per-deployment basis for flex licensing
deployments.
Additional Information
Downloading the Software
You can download the software releases and user documentation from the Arbor Technical Assistance
Center at https://support.arbornetworks.com using the Software Downloads link.
Document Description
Managed Services Customer Guide Information about deploying and using Arbor Networks SP 8.4 managed
services.
Online Help Information about the feature on the current page is displayed, with links to
supporting information and a table of contents to the complete SP and
TMS User Guide and SP and TMS Advanced Configuration Guide.
REST API Documentation Online information about the REST API endpoints.
Running SP in a Virtual Machine Information about running SP in a virtual machine.
Running Software TMS in a Virtual Information about running Software TMS in a virtual machine.
Machine
Installing Software TMS on Information about installing Software TMS on hardware.
Hardware
SP and TMS Advanced Information about configuring advanced settings in Arbor Networks SP 8.4,
Configuration Guide including those that can only be configured using the command line
interface (CLI).
SP and TMS Licensing Guide Information about cloud-based and locally-managed flexible licensing,
appliance-based licensing, and volumetric licensing for TMS appliances.
SP and TMS Quick Start Cards Information about how to install, connect, and configureArbor Networks SP
8.4 appliances.
SP and TMS User Guide Information about how to useArbor Networks SP 8.4.
SP API Guide Instructions for remotely accessing Arbor Networks SP 8.4 using the
REST, SOAP, and Arbor Web Services APIs.
SP and TMS Deployment and Information about the enforced and guideline limits for an Arbor Networks
Appliance Limits deployment and for Arbor Networks appliances.
Appendixes
Appendix A: Notification Changes from SP/TMS 7.6 to SP/TMS 8.4
Miscellaneous changes to arbornet-sp.mib
The Arbor arbornet-sp.mib file now supports 64-bit (HC) versions of the spInterfaceSpeed and
spInterfaceUsage variables:
• spInterfaceSpeedHC (OID .1.3.6.1.4.1.9694.1.4.1.81)
• spInterfaceUsageHC (OID .1.3.6.1.4.1.9694.1.4.1.82)
The Arbor arbornet-sp.mib file now supports 64-bit (HC) of the deviceTotalFlows object:
• deviceTotalFlowsHC (OID .1.3.6.1.4.1.9694.1.4.2.1.12)
Apr 3 18:41:00 spsys.example.com pfsp: GRE tunnel gre-tunnel-001 restored for destination
192.0.2.27, leader spsys at 2014-04-03 18:40:40 GMT
Jul 7 17:13:44 spsys.example.com pfsp: anomaly Protocol id 6731 status ongoing severity 5
classification high impact "201.89 Kbps/25 pps" ipVer 6 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object_v6" start 2014-07-07 17:12:32 +0000 duration 62 percent 2018940.000000
rate 10 rateUnit bps protocol gre flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6731, (managed object
"managed_object_v6"), (parent managed object "nil"), (Router "nil"), (Interface "nil")
Jul 7 17:20:17 spsys.example.com pfsp: anomaly Protocol id 6731 status done severity 5
classification high impact "209.84 Kbps/26 pps" ipVer 6 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object_v6" start 2014-07-07 17:12:32 +0000 duration 457 percent 2098430.000000
rate 10 rateUnit bps protocol gre flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6731, (managed object
"managed_object_v6"), (parent managed object "nil"), (Router "nil"), (Interface "nil")
Jul 7 17:13:50 spsys.example.com pfsp: anomaly Bandwidth id 6741 status ongoing severity
5 classification high impact "1.48 Mbps/181 pps" ipVer 6 src 0.0.0.0/0 "All" dst
0.0.0.0/0 "managed_object_v6" start 2014-07-07 17:12:32 +0000 duration 62 percent
14836900.000000 rate 10 rateUnit bps protocol nil flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6741, (managed object
"managed_object_v6"), (parent managed object "nil"), (Router "nil"), (Interface "nil")
Jul 7 17:20:15 spsys.example.com pfsp: anomaly Bandwidth id 6741 status done severity 5
classification high impact "1.48 Mbps/181 pps" ipVer 6 src 0.0.0.0/0 "All" dst 0.0.0.0/0
"managed_object_v6" start 2014-07-07 17:12:32 +0000 duration 457 percent 14839200.000000
rate 10 rateUnit bps protocol nil flags nil url
https://spsys.example.com/page?id=profiled_router_alert&alert_id=6741, (managed object
"managed_object_v6"), (parent managed object "nil"), (Router "nil"), (Interface "nil")
Subject:
[Peakflow SP] TMS mitigation 'IP4Mit' started
Body:
Mitigation ID: 44
Leader: leader05
Name: IP4Mit
Started: 00:00:02 ago at 2017-03-15 18:49:23 UTC
Alert ID: (None)
Managed Object: (None)
Community: (None)
Timeout: (None)
Protection Prefix Count: 3
Protection Prefix 1: 192.168.8.0/24
Diversion Prefix Count: 1
Diversion Prefix 1: 192.168.8.0/24
Filter: (None)
Zombie Threshold (bps): 2000000
Zombie Threshold (pps): 500