
APSolute Vision User Guide

Software Version 1.30


Document ID: RDWR-APSV-V0130_UG1205
May, 2012


Important Notices
The following important notices are presented in English, French, and German.

Important Notices
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2006-2012. All rights reserved.
The copyright and all other intellectual property rights and trade secrets included in this guide are
owned by Radware Ltd.
The guide is provided to Radware customers for the sole purpose of obtaining information with
respect to the installation and use of the Radware products described in this document, and may not
be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be kept in strict
confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without
the prior written consent of Radware.

Important Notice
This guide is subject to the following conditions and restrictions:
Copyright Radware Ltd. 2006-2012. All rights reserved.
The copyright and all other rights relating to the intellectual property and trade secrets
contained in this guide are the property of Radware Ltd.
This information guide is provided to our customers for the installation and use of the
Radware products described in this document, and may not be used for any purpose other than the
one for which it was designed.
The information contained in this document remains the property of Radware and must be
kept confidential.
It is strictly forbidden to copy, reproduce or disclose information contained in this
manual without the prior written consent of Radware.

Important Note
This manual is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2006-2012. All rights reserved.
The copyright and all other property rights and trade secrets contained in this manual
are the property of Radware Ltd.
This manual is provided to Radware customers for the sole purpose of providing
information on the installation and use of the Radware products described in this document.
It may not be used for any other purpose.
The information contained in this manual is the property of Radware and must be treated as
strictly confidential.
It is strictly forbidden to copy, duplicate, reproduce or disclose this manual or parts of it
without the prior written consent of Radware.


Copyright Notices
The following copyright notices are presented in English, French, and German.

Copyright Notices
This product contains code developed by the OpenSSL Project
This product includes software developed by the OpenSSL Project. For use in the OpenSSL Toolkit.
(http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
This product contains the Rijndael cipher
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public
domain and distributed with the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
The OnDemand Switch may use software components licensed under the GNU General Public
License Agreement Version 2 (GPL v.2) including LinuxBios and Filo open source projects. The
source code of the LinuxBios and Filo is available from Radware upon request. A copy of the license
can be viewed at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This code is hereby placed in the public domain.
This product contains code developed by the OpenBSD Project
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.

This product includes software developed by Markus Friedl


This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson


Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
ALL THE SOFTWARE MENTIONED ABOVE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product contains work derived from the RSA Data Security, Inc. MD5 Message-Digest
Algorithm. RSA Data Security, Inc. makes no representations concerning either the merchantability
of the MD5 Message - Digest Algorithm or the suitability of the MD5 Message - Digest Algorithm for
any particular purpose. It is provided as is without express or implied warranty of any kind.

Copyright Notice

This product contains code developed as part of the OpenSSL project.
This product includes software developed as part of the OpenSSL project. For use in the OpenSSL
toolkit (http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. This product includes the
Rijndael cipher.
The implementation of Rijndael by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the
public domain and distributed under the terms of the following license:
@version 3.0 (December 2000)
ANSI C code for Rijndael (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>.
The OnDemand switch may use software components licensed under the terms
of the GNU General Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo
open source projects. The source code of LinuxBios and Filo is available on request
from Radware. A copy of the license can be found at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This code is also placed in the public domain.
This product contains code developed as part of the OpenSSL project.
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Distribution and use in source and binary form, with or without modifications, is permitted
provided that the following conditions are met:
1. Distribution of source code must include the above copyright notice, this
list of conditions and the following disclaimer.
2. Distribution in binary form must reproduce, in the documentation and/or in any
other materials provided, the above copyright notice, this list of conditions and
the following disclaimer.


3. The name of the university and the names of the contributors may in no case be used to
endorse or promote a product derived from this program without prior written
authorization.

This product includes software developed by Markus Friedl
This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson.
Distribution and use in source and binary form, with or without modifications, is permitted
provided that the following conditions are met:
1. Distribution of source code must include the above copyright notice, this
list of conditions and the following disclaimer.
2. Distribution in binary form must reproduce, in the documentation and/or in any
other materials provided, the above copyright notice, this list of conditions and
the following disclaimer.

THE SOFTWARE MENTIONED ABOVE IS PROVIDED "AS IS" BY THE DEVELOPER AND ANY
WARRANTY, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED
WARRANTY OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE IS EXCLUDED.
IN NO EVENT SHALL THE AUTHOR BE HELD LIABLE FOR DIRECT,
INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
LIMITED TO, THE ACQUISITION OF SUBSTITUTE GOODS OR SERVICES, LOSS OF USE,
DATA OR PROFITS, OR BUSINESS INTERRUPTION), WHATEVER THE CAUSE
AND THE THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE), ARISING
IN ANY WAY FROM THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
POSSIBILITY OF SUCH DAMAGE.

Copyright Notices
This product contains code developed by the OpenSSL Project
This product contains software developed by the OpenSSL Project. For use in the OpenSSL
Toolkit. (http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved. This product contains the
Rijndael cipher
The Rijndael implementation by Vincent Rijndael, Anton Bosselaers and Paulo Barreto is
publicly available and is distributed under the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>


The OnDemand Switch may use software licensed under the GNU General
Public License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo
open source projects. The source code of LinuxBios and Filo is available from Radware on request.
A copy of this license can be viewed at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This code is hereby made publicly available.
This product contains code developed by the OpenBSD Project
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Distribution and use in source and binary format, with or without modifications, are
permitted under the following conditions:
1. Distribution of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Distribution in binary format must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other
materials distributed with it.
3. Neither the name of the University nor the names of the contributors may be used, without express
prior written permission, to recommend or advertise products derived from this
software.
This product contains software developed by Markus Friedl
This product contains software developed by Theo de Raadt
This product contains software developed by Niels Provos
This product contains software developed by Dug Song
This product contains software developed by Aaron Campbell
This product contains software developed by Damien Miller
This product contains software developed by Kevin Steves
This product contains software developed by Daniel Kouril
This product contains software developed by Wesley Griffin
This product contains software developed by Per Allansson
This product contains software developed by Nils Nordman
This product contains software developed by Simon Wilkinson
Distribution and use in source and binary format, with or without modifications, are
permitted under the following conditions:
1. Distribution of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Distribution in binary format must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other
materials distributed with it.
ALL OF THE AFOREMENTIONED SOFTWARE IS PROVIDED BY THE AUTHOR IN ITS CURRENT STATE ("AS IS").
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE, ARE EXCLUDED.
UNDER NO CIRCUMSTANCES SHALL THE AUTHOR BE LIABLE FOR DIRECT OR INDIRECT DAMAGES, FOR
DAMAGES ARISING DURING PERFORMANCE OF CONTRACT, FOR SPECIAL DAMAGES, FOR
PUNITIVE DAMAGES, OR FOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SUBSTITUTE SERVICES; LOSS OF
USE, DATA OR PROFIT; OR BUSINESS INTERRUPTIONS) HOWEVER
CAUSED, AND FOR ANY KIND OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE
OR OTHERWISE), ARISING IN ANY WAY FROM THE USE OF THIS SOFTWARE, EVEN
IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.


Safety Instructions
The following safety instructions are presented in English, French, and German.

Safety Instructions
CAUTION
A readily accessible disconnect device shall be incorporated in the building installation wiring.
Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures that
involve opening panels or changing components must be performed by qualified service personnel
only.
To reduce the risk of fire and electrical shock, disconnect the device from the power line before
removing cover or panels.
The following figure shows the caution label that is attached to Radware platforms with dual power
supplies.

Figure 1: Electrical Shock Hazard Label

DUAL-POWER-SUPPLY-SYSTEM SAFETY WARNING IN CHINESE


The following figure is the warning for Radware platforms with dual power supplies.

Figure 2: Dual-Power-Supply-System Safety Warning in Chinese

Translation of Dual-Power-Supply-System Safety Warning in Chinese:


This unit has more than one power supply. Disconnect all power supplies before maintenance to
avoid electric shock.
SERVICING
Do not perform any servicing other than that contained in the operating instructions unless you are
qualified to do so. There are no serviceable parts inside the unit.
HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under voltage must be avoided
as much as possible and, when inevitable, must be carried out only by a skilled person who is aware
of the hazard involved.
Capacitors inside the instrument may still be charged even if the instrument has been disconnected
from its source of supply.


GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this device
must be connected to the protective earth in the building installation.
LASER
This equipment is a Class 1 Laser Product in accordance with IEC60825 - 1: 1993 + A1:1997 +
A2:2001 Standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used for
replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided.
Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be
made inoperative and be secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power source
matches the requirements of the instrument. Refer to the Specifications for information about the
correct power rating for the device.
48V DC-powered platforms have an input tolerance of 36-72V DC.
SPECIFICATION CHANGES
Specifications are subject to change without notice.

Note: This equipment has been tested and found to comply with the limits for a Class A digital
device pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN
61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11 For CE MARK Compliance. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses and can radiate radio frequency energy
and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference in which case the user is required
to correct the interference at his own expense.
VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS

Figure 3: Statement for Class A VCCI-certified Equipment

Translation of Statement for Class A VCCI-certified Equipment:


This is a Class A product based on the standard of the Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). If this equipment is used in a domestic environment,
radio disturbance may occur, in which case, the user may be required to take corrective action.


Figure 4: Statement for Class B VCCI-certified Equipment

Translation of Statement for Class B VCCI-certified Equipment:


This is a Class B product based on the standard of the Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). If this is used near a radio or television receiver in a
domestic environment, it may cause radio interference.
Install and use the equipment according to the instruction manual.
KCC KOREA

Figure 5: KCC-Korea Communications Commission Certificate of Broadcasting and Communication Equipment

Figure 6: Statement For Class A KCC-certified Equipment in Korean

Translation of Statement For Class A KCC-certified Equipment in Korean:


This equipment is Industrial (Class A) electromagnetic wave suitability equipment and seller or user
should take notice of it, and this equipment is to be used in the places except for home.
SPECIAL NOTICE FOR NORTH AMERICAN USERS
For North American power connection, select a power supply cord that is UL Listed and CSA Certified
3 - conductor, [18 AWG], terminated in a molded on plug cap rated 125 V, [10 A], with a minimum
length of 1.5m [six feet] but no longer than 4.5m...For European connection, select a power supply
cord that is internationally harmonized and marked <HAR>, 3 - conductor, 0,75 mm2 minimum
wire, rated 300 V, with a PVC insulated jacket. The cord must have a molded on plug cap rated
250 V, 3 A.
RESTRICT AREA ACCESS
The DC powered equipment should only be installed in a Restricted Access Area.
INSTALLATION CODES
This device must be installed according to country national electrical codes. For North America,
equipment must be installed in accordance with the US National Electrical Code, Articles 110 - 16,
110 -17, and 110 -18 and the Canadian Electrical Code, Section 12.


INTERCONNECTION OF UNITS
Cables for connecting to the unit RS232 and Ethernet Interfaces must be UL certified type DP-1 or
DP-2. (Note- when residing in non LPS circuit)
OVERCURRENT PROTECTION
A readily accessible listed branch-circuit over current protective device rated 15 A must be
incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If equipment is provided with a replaceable battery, and is replaced by an incorrect battery type,
then an explosion may occur. This is the case for some Lithium batteries and the following is
applicable:

If the battery is placed in an Operator Access Area, there is a marking close to the battery or
a statement in both the operating and service instructions.

If the battery is placed elsewhere in the equipment, there is a marking close to the battery or a
statement in the service instructions.

This marking or statement includes the following text warning:


CAUTION
RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE.
DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
Caution To Reduce the Risk of Electrical Shock and Fire
1. This equipment is designed to permit connection between the earthed conductor of the DC
supply circuit and the earthing conductor equipment. See Installation Instructions.
2. All servicing must be undertaken only by qualified service personnel. There are no
user-serviceable parts inside the unit.
3. DO NOT plug in, turn on or attempt to operate an obviously damaged unit.
4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
5. Replace a blown fuse ONLY with the same type and rating as is marked on the safety label
adjacent to the power inlet, housing the fuse.
6. Do not operate the device in a location where the maximum ambient temperature exceeds
40°C/104°F.
7. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to remove
and/or check the main power fuse.
CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS IEC
60825-1:1993 + A1:1997 + A2:2001 AND EN 60825-1:1994+A1:1996+ A2:2001
AC units for Denmark, Finland, Norway, Sweden (marked on product):

Denmark - Unit is class I - unit to be used with an AC cord set suitable with Denmark
deviations. The cord includes an earthing conductor. The Unit is to be plugged into a wall socket
outlet which is connected to a protective earth. Socket outlets which are not connected to earth
are not to be used!

Finland - (Marking label and in manual) - Laite on liitettävä suojamaadoituskoskettimilla
varustettuun pistorasiaan

Norway (Marking label and in manual) - Apparatet må tilkoples jordet stikkontakt

Unit is intended for connection to IT power systems for Norway only.

Sweden (Marking label and in manual) - Apparaten skall anslutas till jordat uttag.

To connect the power connection:


1. Connect the power cable to the main socket, located on the rear panel of the device.
2. Connect the power cable to the grounded AC outlet.


CAUTION
Risk of electric shock and energy hazard. Disconnecting one power supply disconnects only one
power supply module. To isolate the unit completely, disconnect all power supplies.

Safety Instructions
WARNING
A readily accessible disconnect device shall be incorporated in the building wiring.
Due to the risks of electric shock and energy, mechanical and fire hazards,
any procedure involving opening panels or replacing components shall be
performed by qualified personnel.
To reduce the risk of fire and electric shock, disconnect the device from the power
supply before removing the cover or panels.
The following figure shows the warning label affixed to Radware platforms equipped
with more than one power supply.

Figure 7: Electric Shock Hazard Warning Label

SAFETY WARNING FOR SYSTEMS WITH TWO POWER SUPPLIES (IN CHINESE)
The following figure shows the warning label for Radware platforms equipped with
two power supplies.

Figure 8: Safety Warning for Systems with Two Power Supplies (in Chinese)

Translation of the Safety Warning for Systems with Two Power Supplies (in Chinese):
This unit has more than one power supply. Disconnect all power
supplies before servicing the device to avoid any electric shock.
SERVICING
Do not perform any servicing other than that listed in the instruction manual, unless you are
qualified to do so. No part inside the unit can be replaced or repaired.
HIGH VOLTAGE
Any adjustment, maintenance or repair of the opened instrument under voltage must be avoided.
If this proves essential, entrust the operation to a qualified person who is aware of the
hazards involved.


The capacitors inside the unit may be charged even if the unit has been disconnected from the
power source.
GROUNDING
Before connecting this device to the power line, the protective screws of the earth terminal of
this unit must be connected to the building's grounding system.
LASER
This equipment is a Class 1 laser product, compliant with the IEC60825 - 1: 1993 + A1:
1997 + A2: 2001 standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used as
replacements. The use of repaired fuses and the short-circuiting of fuse holders must be
avoided. When it is practically certain that the protection offered by the fuses has been impaired,
the instrument must be disabled and secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, check that the voltage of the power
source matches the requirements of the instrument. Refer to the specifications for
the correct power rating of the device.
Platforms powered by 48 DC have an input tolerance between 36 and 72 V DC.
SPECIFICATION CHANGES
Specifications are subject to change without prior notice.
Note: This equipment has been tested and found to comply with the limits defined for a
Class A digital device, pursuant to Part 15B of the FCC rules and EN55022
Class A, EN 55024, EN 61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8, and IEC
61000-4-11, for the CE conformity mark. These limits are set to provide
reasonable protection against harmful interference when the equipment is used in a
commercial environment. This equipment generates, uses and can emit radio frequencies and,
if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference, in which case the user
will have to correct the problem at his own expense.
VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS

Figure 9: Statement for Class A VCCI-certified Equipment

Translation of the Statement for Class A VCCI-certified Equipment:

This is a Class A product, based on the standard of the Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). If this equipment is used in a domestic
environment, radio disturbance may occur. If so,
the user will be required to take corrective action.


Figure 10: Statement for Class B VCCI-certified Equipment

Translation of the Statement for Class B VCCI-certified Equipment:

This is a Class B product, based on the standard of the Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). If it is used near a radio or
television set in a domestic environment, it may cause radio interference.
Install and use the equipment according to the instruction manual.
KCC Korea

Figure 11: KCC-Korea Communications Commission Certificate for Broadcasting and
Communication Equipment.

Figure 12: Statement for Class A KCC-certified Equipment in Korean

Translation of the Statement for Class A KCC-certified Equipment in Korean:

This equipment is (Class A) equipment suited to electromagnetic waves and the
seller or user must take this into account. This equipment is therefore meant to be used
elsewhere than in the home.
SPECIAL NOTICE FOR NORTH AMERICAN USERS
For an electrical connection in North America, select a power cord that is
UL Listed and CSA Certified, 3 - conductor, [18 AWG], fitted with a molded plug at its end,
rated 125 V, [10 A], with a minimum length of 1.5 m [six feet] and a maximum of 4.5m...For the
European connection, choose a power cord that is internationally harmonized and marked
<HAR>, 3 - conductor, 0,75 mm2 minimum cable, rated 300 V, with an insulated PVC jacket. The
plug at the end of the cord shall carry a molded seal indicating: 250 V, 3 A.
RESTRICTED ACCESS AREA
DC-powered equipment may only be installed in a restricted access area.
INSTALLATION CODES
This device must be installed in compliance with national electrical codes. In North
America, the equipment shall be installed in compliance with the US National Electrical Code, Articles
110-16, 110 -17, and 110 -18 and the Canadian Electrical Code, Section 12.
INTERCONNECTION OF UNITS


The cables connecting the unit to RS232 and Ethernet interfaces shall be UL certified, type DP-1 or DP-2. (Note: when they do not reside in an LPS circuit)
OVERLOAD PROTECTION
A readily accessible branch circuit on the 15 A current protection device must be incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If the equipment is supplied with a battery, and it is replaced by an incorrect battery type, it may explode. This is the case for some lithium batteries, so the following applies:

If the battery is placed in an operator access area, there is a marking on the battery or a statement in both the operating and the servicing instructions.

If the battery is placed elsewhere in the equipment, there is a marking on the battery or a statement in the servicing instructions.

This marking or statement includes the following text warning:

WARNING
RISK OF EXPLOSION IF THE BATTERY IS REPLACED BY AN INCORRECT MODEL. DISPOSE OF BATTERIES ACCORDING TO THE INSTRUCTIONS.
Caution - To reduce the risk of electric shock and fire
1. This equipment is designed to permit connection between the grounding conductor of the DC supply circuit and the equipment grounding. See the installation instructions.
2. All servicing shall be undertaken by qualified personnel. No part inside the unit can be replaced or repaired.
3. DO NOT plug in, turn on, or attempt to use a unit that is obviously damaged.
4. Verify that the chassis ventilation opening in the unit is NOT OBSTRUCTED.
5. Replace the damaged fuse with a similar model of the same rating, as indicated on the safety label adjacent to the power inlet housing the fuse.
6. Do not operate the device in a location where the ambient temperature exceeds the maximum permitted value. 40°C/104°F.
7. Disconnect the power cord from the wall outlet BEFORE attempting to remove and/or check the main power fuse.
CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS: IEC 60825-1: 1993 + A1: 1997 + A2: 2001 AND EN 60825-1: 1994 + A1: 1996 + A2: 2001
AC units for Denmark, Finland, Norway, Sweden (marked on the product):

Denmark - Class 1 unit - which must be used with an AC cord compatible with the Danish deviations. The cord includes a grounding conductor. The unit shall be plugged into a grounded wall outlet. Ungrounded outlets shall not be used!

Finland (label and inscription in the manual) - Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan

Norway (label and inscription in the manual) - Apparatet må tilkoples jordet stikkontakt

The unit may be connected to an IT power system (in Norway only).

Sweden (label and inscription in the manual) - Apparaten skall anslutas till jordat uttag.

To connect the power supply:

1. Connect the power cable to the main socket, located on the rear panel of the unit.
2. Connect the power cable to the grounded AC outlet.


WARNING
Risk of electric shock and energy hazard. Disconnecting one power supply disconnects only one power supply module. To isolate the unit completely, disconnect all power supplies.
CAUTION
Risk of electric shock and electrical hazard. Disconnecting a single stabilized power supply disconnects only one stabilized power supply module. To isolate the affected module completely, all stabilized power supplies must be disconnected.
Caution: To Reduce the Risk of Electrocution and Fire
1. All servicing shall be performed ONLY by qualified service personnel. No component can be serviced or replaced by the user.
2. DO NOT connect, power on, or attempt to use a unit that is visibly defective.
3. Make sure that the chassis ventilation openings ARE NOT OBSTRUCTED.
4. Replace a blown fuse ONLY with a fuse of the same type and rating, as indicated on the safety label near the power inlet that contains the fuse.
5. DO NOT USE the equipment in premises where the maximum temperature exceeds 40 degrees Centigrade.
6. Make sure that the power cord has been disconnected BEFORE attempting to remove and/or check the main power fuse.

Safety Instructions
CAUTION
The building's electrical installation must incorporate a readily accessible power disconnect device.
Because of the risk of electric shock and the energy, mechanical, and fire hazards, procedures that involve removing covers or replacing elements must be performed exclusively by qualified service personnel.
To reduce the risk of fire and electric shock, the device must be disconnected from the power supply before the cover or panels are removed.
The following figure shows the CAUTION label that is attached to Radware platforms with dual power supplies.

Figure 13: Electric shock hazard warning label


SAFETY NOTICE IN CHINESE FOR SYSTEMS WITH DUAL POWER SUPPLIES

The following figure is the warning for Radware platforms with dual power supplies.

Figure 14: Safety notice in Chinese for systems with dual power supplies

Translation of the safety notice in Chinese for systems with dual power supplies:

The unit has more than one power supply source. To prevent electric shock, disconnect all power supply cords before servicing.
SERVICING
Do not perform any servicing that is not described in the operating instructions unless you are qualified to do so. There are no serviceable parts inside the device.
HIGH VOLTAGE
Any adjustment, maintenance, and repair work on the opened device under voltage must be avoided as far as possible. If such work is unavoidable, it must be carried out exclusively by qualified persons who are aware of the hazard.
Capacitors inside the device may still hold a charge even after the device has been cut off from the power supply.
GROUNDING
Before the device is connected to the power supply, the screws of the device's grounding conductor must be connected to the ground of the building wiring.
LASER
This device is a Class 1 laser product in accordance with the IEC 60825-1: 1993 + A1: 1997 + A2: 2001 standard.
FUSES
Make sure that only fuses with the required current rating and of the specified type are used. The use of repaired fuses and the short-circuiting of fuse holders must be avoided. Where it is likely that the protection offered by the fuses has been impaired, the device must be switched off and secured against unintended operation.
LINE VOLTAGE
Before connecting this device to the power supply, make sure that the voltage of the power source matches the requirements of the device. Refer to the technical specifications for the correct electrical ratings of the device.
Platforms with 48 V DC have an input tolerance of 36-72 V DC.
CHANGES TO THE TECHNICAL SPECIFICATIONS
Technical specifications are subject to change.
Note: This device has been tested and complies with the limits for Class 1 digital devices pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN55024; EN 61000-3-2; EN; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11 for conformity with the CE mark.
These limits are intended to provide reasonable protection against harmful interference when the device is operated in a commercial environment. This device generates, uses, and radiates radio-frequency electromagnetic energy. If it is not installed and used in accordance with the instructions in the manual, it could interfere with and impair radio communications. Operation of this device in residential areas is highly likely to cause harmful interference. In that case, the user would be required to correct the interference at the user's own expense.


VCCI ELECTROMAGNETIC INTERFERENCE STATEMENT

Figure 15: Statement for VCCI-certified Class A equipment

Translation of the statement for VCCI-certified Class A equipment:

This is a Class A product based on the standards of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this device is used in a residential area, electromagnetic interference may occur. In that case, the user would be required to take corrective action.

Figure 16: Statement for VCCI-certified Class B equipment

Translation of the statement for VCCI-certified Class B equipment:

This is a Class B product based on the standards of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this device is used in a residential area, electromagnetic interference may occur.
Install and use the device according to the instructions in the user manual.
KCC KOREA

Figure 17: KCC - Korea Communications Commission certificate for broadcasting and communications equipment

Figure 18: Statement for KCC-certified Class A equipment


Translation of the statement for KCC-certified Class A equipment:

Sellers or users should take note that this Class A device belongs to equipment suited to industrial electromagnetic waves and that such equipment is not intended for home use.
SPECIAL NOTICE FOR NORTH AMERICAN USERS
For the mains power connection in North America, select a power cord that is UL Listed and CSA Certified, 3-conductor, [18 AWG], terminated in a molded plug, rated 125 V, [10 A], with a minimum length of 1.5 m [six feet] but no longer than 4.5 m. For European connections, use an internationally harmonized power cord marked <HAR>, with 3 conductors of at least 0.75 mm², rated 300 V, with a PVC jacket. The cord must terminate in a molded plug rated 250 V, 3 A.
RESTRICTED ACCESS AREA
The DC-powered device may only be installed in a restricted access area.
INSTALLATION CODES
This device must be installed in accordance with the national electrical codes. In North America, devices must be installed in accordance with the US National Electrical Code, Articles 110-16, 110-17, and 110-18, and the Canadian Electrical Code, Section 12.
INTERCONNECTION OF UNITS
Cables for connecting the device to RS232 and Ethernet interfaces must be UL certified and of type DP-1 or DP-2. (Note: when residing in a non-LPS circuit)
OVERCURRENT PROTECTION
A readily accessible, listed branch-circuit overcurrent protective device rated 15 A must be incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If a device is supplied with a replaceable battery and this battery is replaced by an incorrect battery type, an explosion could result. This applies to some types of lithium batteries, and the following must be observed:

If the battery is placed in an operator access area, there is a marking close to the battery or a statement in both the operating manual and the servicing instructions.

If the battery is placed elsewhere in the device, there is a marking close to the battery or a statement in the servicing instructions.

This marking or statement includes the following warning text:

CAUTION
RISK OF EXPLOSION IF THE BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE.
DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.

Denmark - Unit is Class I - use with an AC cord that is suited to the Danish deviations. The cord includes a grounding wire. The cord is plugged into a grounded wall outlet. Do not use outlets without a grounding conductor!

Finland - (marking label and in the manual) - Laite on liitettävä suojamaadoituskoskettimilla varustettuun pistorasiaan

Norway - (marking label and in the manual) - Apparatet må tilkoples jordet stikkontakt

Intended for connection to IT power systems in Norway only.

Sweden - (marking label and in the manual) - Apparaten skall anslutas till jordat uttag.

Connecting the power cord:

1. Connect the power cord to the main socket on the rear of the device.
2. Connect the power cord to the grounded AC outlet.
CAUTION
Risk of electric shock and energy hazard. Disconnecting one power source disconnects only one power supply module. To isolate the device completely, it must be disconnected from all power supplies.


Caution - To reduce the risk of electric shock and fire

1. This device is designed to permit connection between the grounded conductor of the DC circuit and the grounding conductor of the device. See the installation instructions.
2. Servicing of any kind must be performed only by qualified service personnel. There are no user-serviceable parts inside the device.
3. Do not attempt to connect to the circuit, switch on, or operate a device that is obviously damaged.
4. Make sure that the ventilation openings in the device housing are NOT BLOCKED.
5. Replace a blown fuse only with one of the same type and rating as indicated on the safety label located next to the power cord inlet, on the fuse housing.
6. Do not operate the device in a location where the maximum ambient temperature exceeds 40°C.
7. Make sure to pull the power cord from the wall outlet BEFORE removing and/or checking the main fuse.

Document Conventions
The following describes the conventions and symbols that this guide uses:

Item | Description | Description (French) | Beschreibung (German)
Example | An example scenario | Un scénario d'exemple | Ein Beispielszenarium
Caution: | Possible damage to equipment, software, or data | Endommagement possible de l'équipement, des données ou du logiciel | Mögliche Schäden an Gerät, Software oder Daten
Note: | Additional information | Informations complémentaires | Zusätzliche Informationen
To | A statement and instructions | Références et instructions | Eine Erklärung und Anweisungen
Tip: | A suggestion or workaround | Une suggestion ou solution | Ein Vorschlag oder eine Umgehung
Warning: | Possible physical harm to the operator | Blessure possible de l'opérateur | Verletzungsgefahr des Bedieners


Table of Contents
Important Notices
Copyright Notices
Safety Instructions
Document Conventions

Chapter 1 Introduction to APSolute Vision
What is APSolute Vision?
APSolute Vision Three-Tier Architecture
Overview of APSolute Vision Features
    Online Device Configuration
    Monitoring of Managed Devices and Services
    Operation Control and Maintenance
    Device Drivers
    Scheduling
    Auditing and Alerts
    User Management and Role-based Access Control (RBAC)
    APSolute Vision Platform Security
    APSolute Vision Platform Management
    Supported Alteon Environments
    DefensePro Security Groups
    Real-Time Security Reporting
    Historical Security Reporting - APSolute Vision Reporter
    Online Help
APSolute Vision Interface Navigation
    Configuration Perspective
    Monitoring Perspective
    Security Monitoring Perspective
    Asset Management Perspective
    APSolute Vision Sites

Chapter 2 Getting Started with APSolute Vision
APSolute Vision Client Installation
    APSolute Vision Client Requirements
    APSolute Vision Reporter Requirements
    Installing the APSolute Vision Client
Logging into APSolute Vision
Changing a Password for a Local User
Filtering the Display of Tree Elements in the System Tabs


Chapter 3 Monitoring and Controlling the APSolute Vision System
Monitoring APSolute Vision
Monitoring APSolute Vision Basic, Version, and Hardware Information
Managing Device Drivers
Managing Stored Device Configuration/Backup Files
Managing Configuration Templates
Managing DefensePro Security Groups
Controlling APSolute Vision Operations

Chapter 4 Managing Auditing and Alerts
APSolute Vision Auditing
Enabling Configuration Auditing for Managed Devices
Managing Alerts
    Events Handled in the Alerts Pane
    Alert Information
    Displaying Alert Information
    Filtering Alerts
    Configuring Preferences for the Alerts Pane

Chapter 5 Basic Device Configuration
Locking and Unlocking Devices
Configuring and Using Configuration Templates
Alteon Configuration Management - Global Commands
AppDirector Setup
    Configuring AppDirector Global Parameters
    Configuring AppDirector Date and Time Synchronization
    Configuring AppDirector Daylight Savings
    Configuring AppDirector E-mail Settings
    Configuring AppDirector Syslog Settings
    Configuring AppDirector DNS Client
    Configuring AppDirector BOOTP
    Configuring AppDirector Session Table Settings
    Configuring AppDirector Suspend Settings
    Configuring AppDirector Threshold Warning Levels
    Configuring AppDirector Statistics Monitoring
    Configuring AppDirector Static Forwarding Table
DefensePro Setup
    Configuring DefensePro Global Parameters
    Configuring DefensePro Date and Time Synchronization
    Configuring DefensePro Daylight Saving
    Configuring DefensePro E-mail Settings
    Configuring DefensePro Syslog Settings
    Configuring DefensePro BOOTP


    Configuring DefensePro High Availability
    Configuring Dynamic Protocols for DefensePro
    Configuring IP Fragmentation for DefensePro
    Configuring Security Reporting Settings
    Configuring Out-of-Path Settings for DefensePro
    Configuring DefensePro Session Table Settings
    Configuring DefensePro Suspend Settings
    Configuring DefensePro Advanced Settings
    Configuring Tunneling Inspection
General Device Setup
    Configuring Access Protocols
    Configuring SNMP Supported Versions
    Configuring RADIUS Authentication for Device Management
    Configuring the Device Event Scheduler
Upgrading a License for a Managed Device
Managing Certificates
    Certificates
    Keys
    Self-Signed Certificates
    Modifying Certificate Information for a Selected Device
    Configuring Certificates
    Configuring Default Certificate Attributes
    Importing Certificates
    Exporting Certificates
    Showing Certificate Content
Configuring SNMP
    Configuring SNMP Users
    Configuring SNMP Community Settings
    Configuring the SNMP Group Table
    Configuring SNMP Access Settings
    Configuring SNMP Notify Settings
    Configuring SNMP View Settings
    Configuring the SNMP Target Parameters Table
    Configuring SNMP Target Addresses
Configuring Device Users
Configuring Access Permissions on Physical Ports
Configuring Port Pinging
Configuring Tuning Parameters
    Configuring Tuning Parameters for AppDirector
    Configuring Tuning Parameters for DefensePro
    Configuring Classifier Tuning
    Configuring BWM Tuning


Chapter 6 Device Network Configuration
Configuring Device IP Interfaces
Managing IP Routing
    Configuring IP Routing in AppDirector
    Configuring IP Routing in DefensePro
    Configuring ICMP
    Configuring the ARP Table
    Configuring Spanning Tree Protocol in AppDirector
    Configuring NHRs in AppDirector
    Configuring VIP-NHR Interfaces in AppDirector
    Configuring RIP in AppDirector
    Configuring OSPF in AppDirector
    Configuring Border Gateway Protocol in AppDirector
    Configuring the Neighbor Cache in AppDirector
Configuring Ports
    Configuring Link Aggregation
    Configuring Port Mirroring
Configuring AppDirector Redundancy
    Configuring AppDirector Redundancy Global Settings
    Configuring VRRP
    Configuration Guidelines for AppDirector Redundancy Using VRRP
    Configuring Proprietary Redundancy
    Configuring Mirroring for Redundancy
    Online Configuration Synchronization
Configuring AppDirector VLANs
    AppDirector Regular and Switch VLANs
    Configuring AppDirector VLAN Ports
    Configuring AppDirector VLAN Advanced Parameters
Configuring Segmentation for AppDirector
    Segmentation in AppDirector 2.11
    Associating NHRs to Segments
Configuring AppDirector Advanced Networking Parameters
Configuring DefensePro Redundancy
Configuring Basic Networking Parameters in DefensePro
Configuring Port Pairs for DefensePro
    Internal Bypass for RJ-45 Ports in DefensePro
Configuring SSL Inspection for DefensePro
Configuring SSL Inspection Layer 4 Ports for DefensePro
IPv6 Support in AppDirector

Chapter 7 Managing AppShape-Template Instances
Configuring an SAP Portal AppShape Instance
Configuring a SharePoint AppShape Instance

Chapter 8 Managing Device Operations and Maintenance

Rebooting a Managed Device
Shutting Down a Managed Device
Enabling and Disabling APSolute Vision Monitoring
Viewing and Setting Device Date and Time
Upgrading Device Software
Downloading a Device's Log File to the APSolute Vision Client
Updating a Radware Signature File or RSA Signature File in DefensePro Devices
Downloading a Device's Technical Support File to the APSolute Vision Client
Managing Device Configurations
Configuration File Content
Downloading a Device's Configuration File
Restoring a Device's Configuration
Synchronizing AppDirector Configurations

Updating Policy Configurations

Checking Device Memory Availability
Purging AppDirector HTTP and OCPF Caches
Resetting the Baseline for DefensePro Devices
Enabling and Disabling Interfaces

Chapter 9 Scheduling APSolute Vision and Device Tasks

Overview of Scheduling
Managing Tasks in the Scheduler
Task Parameters
APSolute Vision Configuration Backup
APSolute Vision Reporter Backup
AppShape SharePoint Configuration Validation
Device Configuration Backup Parameters
Device Reboot Parameters
SAP Message Server Automated Configuration Parameters
Synchronize Active Device Configuration Parameters
Update RSA Signatures File Parameters
Update Radware Security Signatures Files for a Device
Update APSolute Vision Attack Description File Parameters

Radware Ltd. End User License Agreement

Chapter 1 Introduction to APSolute Vision


This guide is intended for general users of APSolute Vision. The guide describes the relevant aspects
of APSolute Vision and how to use it.

Notes:
>> For information about installing the APSolute Vision server and client, initial settings on
the APSolute Vision platform, and connecting the client to the server, see the Radware
Installation and Maintenance Guide and the APSolute Vision Administrator Guide.
>> For information about administrator operations, see the APSolute Vision Administrator
Guide.
>> For information about the required workflows for configuring application delivery with
Alteon, see the Alteon Application Switch Operating System Application Guide.
>> For information about the required workflows for configuring application delivery with
AppDirector, see the AppDirector User Guide.
>> For information about the required workflows for configuring network security with
DefensePro, see the DefensePro User Guide.
>> For information about APSolute Vision Reporter and how to use it, see its online help and
the APSolute Vision Reporter User Guide.
The following topics introduce APSolute Vision:

What is APSolute Vision?, page 27

APSolute Vision Three-Tier Architecture, page 29

Overview of APSolute Vision Features, page 29

APSolute Vision Interface Navigation, page 34

What is APSolute Vision?


APSolute Vision is Radware's next-generation management system. APSolute Vision simplifies and
standardizes the management of Radware application delivery control (ADC) and security solutions.
Use APSolute Vision to manage and track Radware hardware devices, virtual devices, and software
components in IP-based enterprise networks.
APSolute Vision provides:

Online configuration per device, including support for templates as well as AppShape, which
automates/streamlines ADC configuration for common applications, such as SAP Portal and
Microsoft SharePoint Server.

Monitoring and control of multiple devices, including enabling and disabling entities within a
device. APSolute Vision can monitor multiple devices in a single view.

DefensePro Security Groups, which enable DefensePro devices to share threat information and
block malicious sources as a group.

Reporting and statistics at the device level, and on logical entities within a device. For real-time
and historical security reporting, APSolute Vision can also provide site and network-level reports
for immediate problem isolation, convenient attack and status visibility and information drilldown.

A highly customized Role-Based Access Control system that allows granular control and
monitoring of various security aspects for different users.

Management capabilities, including:

Scheduling device control and maintenance tasks, such as backup and restore.

Auditing

Viewing alerts and Alteon configuration messages (Alerts pane)

Device software management

APSolute Vision includes a database for administrative, operational, and security events to facilitate
the creation of long and short-term reports.
APSolute Vision provides stability, capacity, and usability, due to its:

Scalable, three-tier architecture

Optimized device access

Reduced client-to-server traffic

Operational use cases focus

Figure 19: APSolute Vision Solution Model

[Figure labels: Email/Syslog/SQL client; APSolute Vision clients; SSL; LAN/WAN; Northbound; Firewall; APSolute Vision Server (physical appliance or virtual appliance); Customer Management Network; Alteon devices; AppDirector devices; DefensePro devices; SNMP V1/V2c/V3; IRP real-time statistics; HTTP(S)/TFTP]

APSolute Vision Three-Tier Architecture


APSolute Vision is a three-tier management system with client, server and device tiers. APSolute
Vision server can run as a standalone physical appliance or as a virtual appliance (VA). The client
tier does not connect to devices directly.
The client tier does the following:

Runs as a Windows application on a PC and provides a Windows-based graphical user interface
with separate perspectives for configuration, monitoring and control, and reports.

Transmits user requests to the server tier and displays the results in the APSolute Vision
interface in an intuitive and easy-to-read format.

The server tier does the following:

Runs on the APSolute Vision platform

Processes user commands

Transmits and stores data from other tiers

Makes logical decisions and performs calculations

Performs user authentication and authorization

Collects statistics and generates reports

Collects alerts from the devices

Communicates with the managed devices

The network physical device tier enables management of the collection of network elements
connected to APSolute Vision. This includes devices that provide server load-balancing, security,
intrusion prevention and denial-of-service (DoS) protection.

Overview of APSolute Vision Features


This section provides an overview of APSolute Vision's main features:

Online Device Configuration, page 30

Monitoring of Managed Devices and Services, page 30

Operation Control and Maintenance, page 30

Device Drivers, page 31

Scheduling, page 31

Auditing and Alerts, page 31

User Management and Role-based Access Control (RBAC), page 32

APSolute Vision Platform Security, page 32

APSolute Vision Platform Management, page 32

Supported Alteon Environments, page 32

DefensePro Security Groups, page 33

Real-Time Security Reporting, page 33

Historical Security Reporting - APSolute Vision Reporter, page 33

Online Help, page 33

Online Device Configuration


Online device configuration supports the following:

Easy access for all device configuration topics

Hierarchical logical element grouping

Graphical change notation

Drill-down configuration topics

Inline filtering

Online configuration per device, including support for templates as well as AppShape, which
automates/streamlines ADC configuration for common applications, such as SAP Portal and
Microsoft SharePoint Server.

Configuration and propagation of templates for specific configuration elements in supported
AppDirector and DefensePro device versions

Monitoring of Managed Devices and Services


Monitoring of managed devices and services in APSolute Vision supports the following:

Easy access for device monitoring topics

Logical-element grouping

Hierarchical browsing

Properties: status, management IP address, software version, device-driver version, hardware
platform, license information, and the time of the last configuration change

Routing table

IP Statistics: received and discarded

Information on ports, VLANs, and trunks, such as:

General status

Statistics

Presents device statistics tables for device level and logical level

Operation Control and Maintenance


Control and maintenance operations include:

Enabling and disabling all relevant entities on a device

Managing configuration templates for AppDirector and DefensePro devices. These configuration
templates

Managing DefensePro Security Groups, which enable DefensePro devices to share threat
information and block malicious sources as a group. Managing DefensePro Security Groups is
done in the Asset Management perspective.

Managing pairs of devices for high availability (HA)

Performing file transfers

Managing configuration backups

Rebooting devices

Device Drivers
APSolute Vision device drivers enable you to install or upgrade Radware devices without the need to
upgrade your APSolute Vision server.
A device driver in APSolute Vision defines the graphical user interface and configuration for the
software version of a managed device. The software version of a managed device defines the
baseline driver version. You can install a newer version of the device driver, and you can revert to
the baseline version.
You can have only one device-driver version in use on any single APSolute Vision server (but there
may be multiple device-driver versions released for a single software version of a device). Typically,
subsequent versions of device drivers for a particular software version of a managed device include
only very minor changes and/or bug fixes.

Notes:
>> When you upgrade device software, you need to reboot the device. However, when you
install a new version of a device driver or revert to the baseline version, you do not need
to reboot the device.
>> Device drivers do not include the online help. If the APSolute Vision server is configured
so that the clients get help from the server (the default option), the APSolute Vision
administrator should make sure that the APSolute Vision server has the latest version of
the online-help package.
>> The Properties pane that is displayed for a device includes the name of the device
driver.

Scheduling
Scheduling in APSolute Vision supports various operations for the APSolute Vision server and
managed devices, which enable you to automate the tasks and to run repeated tasks.
Scheduled tasks run according to the time as configured on the APSolute Vision client.

Auditing and Alerts


The auditing and alerts feature in APSolute Vision logs all alerts and actions for APSolute Vision
and, optionally, for the managed devices. You can view auditing information and other alerts in the
APSolute Vision Alerts pane.
Alerts are created with the time at which the APSolute Vision server processed them, but the time
displayed in the Alerts pane is the time of the APSolute Vision client with the proper time offset.
APSolute Vision provides the audit trail for system messages and modifications to the configuration
of managed devices.
APSolute Vision can forward alarms and notifications. System Alarms can be forwarded via APSolute
Vision. Security service alarms can be forwarded via APSolute Vision Reporter. E-mail notifications
can be sent via SMTP. Notifications can be sent to a syslog server.
The Alerts tab in the Alerts pane provides fault management by supporting the following system and
audit alarms:

APSolute Vision server alarms

General device alarms (fan, CPU, and so on)

Audit trail messages

User Management and Role-based Access Control (RBAC)


The APSolute Vision server supports multi-user access and role-based access control (RBAC).
RBAC provides the following:

Predefined basic roles and permissions

Customized permissions per role and device

Access-control configuration and management in a local user table or using an external RADIUS
server (using RADIUS vendor attributes)

Note: For more information on RBAC, see the APSolute Vision Administrator Guide.

APSolute Vision Platform Security


APSolute Vision supports user security with user-account options for the following parameters:

Password expiration: specified in days

Inactivity timeout: auto logout

Forbidding use of old passwords

Password challenge configuration

Password constraints

Administrative actions to create users, reset user passwords, and lock out users

Tracking user statistics for successful logins, failed logins, account locks, and so on

APSolute Vision Platform Management


The APSolute Vision Server supports the following management interfaces:

CLI shell commands: For installation, first-time configuration, and special maintenance
activities

APSolute Vision client: For APSolute Vision server options, such as timeouts, connectivity,
event forwarding, and so on, and for server monitoring

Supported Alteon Environments


APSolute Vision supports the following Alteon environments (or modes):

Standalone: The traditional Alteon hardware Application Delivery Controller (ADC).

Alteon VA: A software-based ADC supporting AlteonOS functionality and running on the
VMware virtual infrastructure.

ADC-VX: A specialized ADC hypervisor that runs multiple virtual ADC instances on dedicated
ADC hardware, Radware's OnDemand Switch platforms.

vADC: A virtualized instance of the Alteon operating system (AlteonOS).

Notes:
>> For more information, see the Alteon Application Switch Operating System Application
Guide.
>> The Messages tab in the Alerts pane displays Alteon configuration messages. A message
is displayed in the Messages tab after each Alteon configuration-management action
(Apply, Save, Diff, Diff Flash, Revert, Revert Apply, and Dump). If the Alerts pane is
collapsed, it automatically expands immediately after the configuration-management
action. When you double-click a message, APSolute Vision opens an autonomous
window. The window contains the full message text, which you can copy to the
clipboard.

DefensePro Security Groups


APSolute Vision enables DefensePro devices to share and act upon detected security threats.

Real-Time Security Reporting


APSolute Vision provides real-time attack views and security service alarms for managed devices.

Historical Security Reporting - APSolute Vision Reporter


APSolute Vision Reporter is a historical security reporting engine, which provides the following:

Customizable dashboards, reports, and notifications

Advanced incident handling for security operating centers (SOCs) and network operating centers
(NOCs)

Standard security reports

In-depth forensics capabilities

Ticket workflow management

Note: For information on the products and versions that APSolute Vision Reporter supports,
see the APSolute Vision Release Notes.

Online Help
By default, APSolute Vision clients get online help from the APSolute Vision server. Installation of the
APSolute Vision server includes online-help files.
Depending on the APSolute Vision server configuration, the clients get online help from one of the
following locations:

An internal, hard-coded location on the server: Installation of the APSolute Vision server
includes online-help files, but if managed devices are somehow upgraded later (with a new
device, new device version, or new device driver), the online-help files on the server should be
updated. It is the responsibility of the APSolute Vision administrator to make sure that the help
files on the server are updated as necessary.

radware.com: The online-help files at radware.com are always the most up-to-date, but
clients may encounter latency or connectivity problems.

APSolute Vision Interface Navigation


The APSolute Vision interface follows a consistent hierarchical structure, organized functionally to
enable easy access to options. You start at a high functional level and drill down to a specific
module, function, or object.
Each high-level function, such as device configuration, monitoring, or viewing real-time reports, is
accessible from a separate perspective.
APSolute Vision supports the following perspectives:

Configuration Perspective, page 34

Monitoring Perspective, page 38

Security Monitoring Perspective, page 42

Asset Management Perspective, page 43

Note: You can configure which perspective is displayed by default when you start an APSolute
Vision client session.

Configuration Perspective
Use the Configuration perspective to configure Radware devices. Typically, you choose the device to
configure in the Configuration perspective system pane Organization tab. You can view and modify
device settings in the content pane tabs, which have their own navigation panes for easier
navigation through configuration tasks.
You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you.
The Configuration perspective also includes the Properties pane, which displays information about
the currently selected device.
When APSolute Vision manages Alteon, you choose the standalone, vADC or VA device to configure
in the Configuration perspective system pane Organization tab. You manage ADC-VXs and the
hosted vADCs in the Configuration perspective system pane Physical tab.

Figure 20: Configuration Perspective - Alteon

[Figure callouts]
System pane Organization tab: Displays, according to your filter, the configured sites and Alteon standalone, vADC, and VA devices.
System pane Physical tab: Displays, according to your filter, configured sites and Alteon ADC-VXs with the hosted vADCs.
AppShape tab
Alteon configuration-management buttons
Configuration button: Opens the Configuration perspective.
Navigation area for the tab
Content area
Properties pane
Alerts pane: Displays the Alerts tab and the Messages tab. The Alerts tab displays APSolute Vision and device alerts. The Messages tab displays Alteon configuration messages.

Figure 21: Configuration Perspective - AppDirector

[Figure callouts]
System pane Organization tab: Displays, according to your filter, the site tree, configured sites, and configured devices.
Button that opens the APSolute Vision Reporter
Configuration button: Opens the Configuration perspective.
Navigation area for the tab
Content area
Properties pane
Alerts pane: Displays the Alerts tab and the Messages tab. The Alerts tab displays APSolute Vision and device alerts. The Messages tab is not relevant for AppDirector.

Figure 22: Configuration Perspective - DefensePro

[Figure callouts]
System pane Organization tab: Displays, according to your filter, the site tree, configured sites, and configured devices.
Button that opens the APSolute Vision Reporter
Configuration button: Opens the Configuration perspective.
Navigation area for the tab
Content area
Properties pane
Alerts pane: Displays the Alerts tab and the Messages tab. The Alerts tab displays APSolute Vision and device alerts. The Messages tab is not relevant for DefensePro.

The following points apply to all configuration tasks in the Configuration perspective:

To configure a device, you must lock it. For more information, see Locking and Unlocking
Devices, page 73.

When you change a field value, the field label is displayed in italics.

Mandatory fields are displayed in red. You must enter data, or select an option in these fields.
After setting a mandatory field, the field label changes to black.

By default, tables display up to 20 rows per table page. You can change the number of rows per
table up to a maximum of 100 rows.

You can perform one or more of the following operations on table entries:

Add a new entry to the table, and define its parameters.

Edit one or more parameters of an existing table entry.

Delete a table entry.

Device configuration information is saved only on the managed device, not in the APSolute
Vision database. To commit information to the device, you must do the following:

Click OK when you modify settings in a configuration dialog box.

Click Submit when you modify settings in a configuration page.

Some configuration changes require an immediate device reboot. When you submit the
configuration change, the device will reboot immediately.

Some configuration changes require a device reboot to take effect, but you can save the
change without an immediate reboot. When you submit a change without a reboot, the
Properties pane displays a Reboot Required notification until you reboot the device.

For AppDirector and DefensePro, click Update Policies to implement policy-configuration
changes if necessary. Policy-configuration changes for a device are saved on the managed
device, but the device does not apply the changes until you perform a device configuration
update.

For Alteon, APSolute Vision supports the configuration-management options: Apply, Save,
Diff, Diff Flash, Revert, Revert Apply, and Dump.

Example Device selection in the Configuration perspective


The following example shows the selections you would make to view or change configuration
parameters for a Radware device:
1. Open the Configuration perspective by clicking the Configuration button at the top of the window.
2. Select the required device in the system pane by drilling down through the sites and subsites.
3. Right-click the device name, and select Lock Device.
4. Select the required configuration tab in the content pane. Each tab displays a tab navigation
   pane and configuration options.
5. Select an option in the navigation pane.
6. You can now view and change configuration parameters.

Monitoring Perspective
In the Monitoring perspective, you can monitor physical devices and interfaces, and logical objects,
such as farms and servers. The Monitoring perspective navigation pane contains two navigation
tabs. The System tab contains the physical devices and interfaces. The Application Delivery tab
contains the logical entities for AppDirector. The Properties pane displays information about the
currently selected device. The content pane for each type of entity contains tabs in which you can
view different types of information. Some tabs contain a navigation pane.

You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you.

Figure 23: Monitoring Perspective - Alteon

[Figure callouts]
System pane: Includes the Organization, Application Delivery, and Physical tabs.
Monitoring button: Opens the Monitoring perspective.
Navigation area for tab
Content area
Properties pane
Alerts pane: Displays the Alerts tab and the Messages tab. The Alerts tab displays APSolute Vision and device alerts. The Messages tab displays Alteon configuration messages.

Figure 24: Monitoring Perspective - AppDirector

[Figure callouts]
System pane: Includes the Organization, Application Delivery, and Physical tabs. The Organization and Application Delivery tabs are relevant for AppDirector.
Navigation area for tab
Monitoring button: Opens the Monitoring perspective.
Content area
Alerts pane: Displays the Alerts tab and the Messages tab. The Alerts tab displays APSolute Vision and device alerts. The Messages tab is not relevant for AppDirector.

Figure 25: Monitoring Perspective - DefensePro

[Figure callouts]
System pane: Includes the Organization, Application Delivery, and Physical tabs. The Organization tab is relevant for DefensePro.
Monitoring button: Opens the Monitoring perspective.
Content area
Navigation area for tab
Properties pane
Alerts pane: Displays the Alerts tab and the Messages tab. The Alerts tab displays APSolute Vision and device alerts. The Messages tab is not relevant for DefensePro.

Security Monitoring Perspective


The Security Monitoring perspective is displayed only for devices that support the relevant Security
module.
You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you.
In the Security Monitoring perspective, you can access a collection of real-time security-monitoring
tools that provide visibility regarding current attacks that the managed device has detected. The
Properties pane displays information about the currently selected device.
The Security Monitoring perspective includes the following tabs:

Security Dashboard: A graphical summary view of all current active attacks in the network
with color-coded attack-category identification, graphical threat-level indication, and instant
drill-down to attack details.

Current Attacks: A view of the current attacks in a tabular format with graphical notations of
attack categories, threat-level indication, drill-down to attack details, and easy access to the
protecting rules for immediate fine-tuning.

Traffic Monitoring: A real-time graph and table displaying network information, with the
attack traffic and legitimate traffic filtered according to specified traffic direction and protocol.

Geo Map: A graphical map view that displays threats by origin with hierarchical drill-down to IP
level.

Protection Monitoring: Real-time graphs and tables with statistics on rules, protections
according to specified traffic direction and protocol, along with learned traffic baselines.

HTTP Reports: Real-time graphs and tables with statistics on rules, protections according to
specified traffic direction and protocol, along with learned traffic baselines.

Figure 26: Security Monitoring Perspective - Showing the Security Dashboard

Asset Management Perspective


The Asset Management perspective is displayed only to users with the Administrator or User
Administrator role. A user with the User Administrator role can only view and configure local users.
For more information about roles and the Asset Management perspective, see the APSolute Vision
Administrator Guide.

APSolute Vision Sites


You can organize the Radware devices that APSolute Vision manages according to sites. APSolute
Vision displays the sites and managed devices in the system tab. Typically, a site is a group of
devices that share properties, such as location, services, or device type. You can nest sites; that is,
each site can contain subsites and devices.
In the context of RBAC, sites enable administrators to define the scope of each user.
Sites also play a role in the context of vADCs and ADC-VXs. When you manage a vADC hosted by an
ADC-VX in the Physical tab, you specify the site under which that vADC is displayed in the
Organization tab.


Chapter 2 Getting Started with APSolute Vision

The following topics describe how to get started and set up APSolute Vision before configuring and
monitoring your Radware devices:

APSolute Vision Client Installation

Logging into APSolute Vision

Changing a Password for a Local User

Filtering the Display of Tree Elements in the System Tabs

Note: For information about installing the APSolute Vision server and client, and connecting
the client to the server, see the Radware Installation and Maintenance Guide.

APSolute Vision Client Installation


The APSolute Vision client is installed on a PC.
This section includes the following topics:

APSolute Vision Client Requirements

APSolute Vision Reporter Requirements

Installing the APSolute Vision Client

APSolute Vision Client Requirements


Before you install the APSolute Vision client, ensure your computer meets the hardware and
software requirements.

Caution: You install the APSolute Vision client by first accessing the APSolute Vision appliance
using a Web browser. Therefore, the APSolute Vision appliance must already have a proper IP
address configured. For information on configuring the IP address of the
APSolute Vision appliance, see the APSolute Vision Administrator Guide.
This section includes the following topics:

APSolute Vision Client Hardware Requirements

APSolute Vision Client Supported Operating Systems

APSolute Vision Client Software Requirements


APSolute Vision Client Hardware Requirements


The PC on which APSolute Vision client runs requires the following hardware:

2.66 GHz or faster

2 GB RAM or more recommended

300 MB free disk space

CD-ROM

Network interface card (NIC)

768X1024 minimum recommended screen resolution

APSolute Vision Client Supported Operating Systems


The following operating systems support APSolute Vision client:

Windows XP SP3 32-bit

Windows Server 2008R2 64-bit

Windows 7 32-bit and 64-bit

Windows 7 SP1 32-bit and 64-bit

Caution: There are certain compatibility issues with Windows 7. For more information, see
the APSolute Vision Release Notes.

APSolute Vision Client Software Requirements


The PC that APSolute Vision client runs on requires the following:

Any Web browser that has a Java plug-in installed. The browser is needed only for downloading
the APSolute Vision client to the PC.

Java client version 1.6.0_17 or later must be installed to run the APSolute Vision Reporter.

APSolute Vision Reporter Requirements


APSolute Vision Reporter is a separate process that runs with the APSolute Vision client. After
installing the APSolute Vision client, you can connect to APSolute Vision Reporter.
You can run APSolute Vision Reporter on the following browsers:

Windows Internet Explorer 6 and 7.x and later

Mozilla Firefox 3.5 and 3.6

Google Chrome (unofficially supported)


Installing the APSolute Vision Client

To install APSolute Vision client


1. Open your browser and enter the IP address of the APSolute Vision server. An Authentication
Required dialog box is displayed.
2. Do the following:

In the User Name field, type visionweb.

In the Password field, type the password. Use the password that you receive from your
system administrator. The initial default password is radware.

3. Click OK. The following Web page opens.

4. Click the Download Client icon.


5. Save the EXE file to a directory on your hard drive.
6. Start the startup EXE file. The startup EXE file is named in the format

APSoluteVision_<major version>.<minor version>_Setup.exe.


7. Follow the instructions, enter the appropriate information, and accept the terms of the license
agreement.

Logging into APSolute Vision


To start working with APSolute Vision, you log into the APSolute Vision client.
After successfully logging in with a username and authenticated password, the APSolute Vision client
application opens. The APSolute Vision client connects to the specified APSolute Vision server. This
means that you always work online with APSolute Vision and its managed network elements.
Up to 10 users can access the APSolute Vision server simultaneously.

APSolute Vision supports role-based access control (RBAC) to manage user privileges. Your
credentials and privileges may be managed through a RADIUS Authentication server or through the
local APSolute Vision user database.
For RBAC users, after successful authentication of your username and password, your role is
determined together with the devices that you are authorized to manage. The assigned role remains
fixed throughout your user session, and you can access only the content panes, menus, and
operations that the role allows.
Depending on the configuration of the APSolute Vision server, you may be prompted to change your
user password when you log in for the first time.
If you enter the credentials incorrectly, you are prompted to re-enter the information. After a
globally defined number of consecutive failures, the APSolute Vision server locks you out of the
system. If you use local user credentials, a user administrator can release the lockout by resetting
the password to the global default password. If you use RADIUS credentials, you must contact the
RADIUS administrator.

To log into APSolute Vision as an existing user


1. Click the APSolute Vision Client program icon.
2. In the login dialog box, specify the following:

User Name: The name of the user.

Password: The password for the user. Depending on the configuration of the server, you
may be required to change your password immediately. Default: radware.

Vision Server: The name or IP address of the APSolute Vision server. This parameter is
displayed if you click Options. Otherwise, the login procedure tries to connect to the
APSolute Vision server that was specified previously.

Authentication: The method to authenticate the user: Local or RADIUS. That is, select
whether to use the credentials stored in the APSolute Vision server or the credentials
managed by the specified RADIUS Authentication server. This parameter is displayed if you
click Options. Otherwise, the login procedure tries to connect to the APSolute Vision server
using the authentication method that was specified previously.

3. Click OK.

Changing a Password for a Local User


If your user credentials are managed through the local APSolute Vision Users table (not RADIUS),
you can change your user password at the login.

To change a password for a local user


1. Click the APSolute Vision Client program icon.
2. Click Options.
3. Click Change Password.
4. In the Change Password dialog box, enter your username, old password, new password, and
confirm the new password.
5. Click OK. Your new password is saved and the APSolute Vision dialog box is displayed.


Filtering the Display of Tree Elements in the System Tabs


You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you. By default, APSolute Vision
displays all the sites and devices that you have permission to view. The selected filter configuration
applies across all relevant perspectives and trees. The filters and/or filter categories that APSolute
Vision displays are contextual. That is, which filters and/or filter categories APSolute Vision displays
is based on whether the Organization, Physical, or Application Delivery tab is displayed.
APSolute Vision can store and display up to 10 filter configurations. The Filter label includes the filter
criteria. When you open an APSolute Vision client session, APSolute Vision displays the last filter
configuration that you applied.
To each node in the tree, APSolute Vision appends the number of elements (that is, sites and/or
devices) matching the filter at that level and the total number of elements at that level. The total
number of elements is the number of elements that you can see according to your RBAC
permissions.

Example Filter Result Showing Two Sites


Figure 27 - Filter Result Showing Two Sites shows a small portion of a tree in the
Organization tab on which you have applied a filter named MyFilter2. The root of the tree is
named MyRootSite. APSolute Vision has appended (1/5) to the label MyRootSite. This
indicates that there is only one element (in this case, the element is a site) that matches the
filter at the level immediately below MyRootSite, and that MyRootSite contains five child elements
that you have permission to view. APSolute Vision has appended (13/28) to the label
MyDeviceSite1. This indicates that there are 13 elements that match the filter at the level
immediately below MyDeviceSite1, and that MyDeviceSite1 contains 28 child elements that you
have permission to view.

Figure 27: Filter Result Showing Two Sites
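The (matched/total) counters described above, worked through as an added Python sketch; it is not code from the Radware guide or product. The data model, the RBAC scope expressed as a set of granted site names, and the rule that a site matches when any viewable device below it matches are assumptions, and all device names and addresses are constructed.

```python
import re
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass
class Device:
    name: str
    ip: str
    dev_type: str              # "Alteon", "AppDirector" or "DefensePro"
    up: bool = True

@dataclass
class Site:
    name: str
    children: list = field(default_factory=list)   # nested Site and Device objects

@dataclass
class TreeFilter:                       # hypothetical model of a saved filter
    name_pattern: str = "*"             # Device Name criterion; "*" is the wildcard
    ip_spec: str = ""                   # address, "low-high" range, or mask; "" = any
    dev_type: str = ""                  # "" = any device type
    status_up: Optional[bool] = None    # None = do not filter on Up/Down

def name_matches(name, pattern):
    # Only "*" is special here, so every other character is escaped.
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, name) is not None

def ip_matches(ip, spec):
    if not spec:
        return True
    addr = ip_address(ip)
    if "-" in spec:
        low, high = (ip_address(p.strip()) for p in spec.split("-", 1))
        return low <= addr <= high
    return addr in ip_network(spec, strict=False)   # a bare address becomes a /32

def device_matches(dev, flt):
    return (name_matches(dev.name, flt.name_pattern)
            and ip_matches(dev.ip, flt.ip_spec)
            and (not flt.dev_type or dev.dev_type == flt.dev_type)
            and (flt.status_up is None or dev.up == flt.status_up))

def has_grant(site, scope):
    """True if the user's scope names this site or any of its subsites."""
    return site.name in scope or any(
        isinstance(c, Site) and has_grant(c, scope) for c in site.children)

def visible_children(site, scope, granted):
    """Children the user may view; a grant on a site is inherited downwards."""
    granted = granted or site.name in scope
    kids = [c for c in site.children
            if granted or (isinstance(c, Site) and has_grant(c, scope))]
    return kids, granted

def node_matches(node, flt, scope, granted):
    if isinstance(node, Device):
        return device_matches(node, flt)
    kids, granted = visible_children(node, scope, granted)
    return any(node_matches(k, flt, scope, granted) for k in kids)

def filtered_labels(site, flt, scope, granted=False, depth=0):
    """Return tree lines such as 'HQ (2/4)': matching / viewable child elements."""
    kids, granted = visible_children(site, scope, granted)
    hits = [k for k in kids if node_matches(k, flt, scope, granted)]
    lines = [f"{'  ' * depth}{site.name} ({len(hits)}/{len(kids)})"]
    for k in hits:
        if isinstance(k, Site):
            lines += filtered_labels(k, flt, scope, granted, depth + 1)
    return lines

# Constructed sample tree; none of these names or addresses come from the guide.
TREE = Site("HQ", [
    Site("DC-East", [Device("dp-east-01", "10.1.0.11", "DefensePro"),
                     Device("dp-east-02", "10.1.0.12", "DefensePro", up=False),
                     Device("alt-east-01", "10.1.0.21", "Alteon")]),
    Site("DC-West", [Device("ad-west-01", "10.2.0.11", "AppDirector"),
                     Device("alt-west-01", "10.2.0.21", "Alteon")]),
    Site("Lab", [Device("dp-lab-01", "10.9.0.5", "DefensePro")]),
    Device("dp-edge-01", "10.0.0.1", "DefensePro"),
])
UP_DEFENSEPRO = TreeFilter("dp-*", "10.0.0.0/14", "DefensePro", True)

if __name__ == "__main__":
    for scope in ({"HQ"}, {"DC-East"}):
        print(sorted(scope), filtered_labels(TREE, UP_DEFENSEPRO, scope))
```

With the same filter, a user scoped only to DC-East sees a different denominator at the root than an administrator does, because the total counts only elements inside that user's RBAC scope.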


To create a new filter

1. Click Filter to expand the Filter group box.
2. From the Filter drop-down list, select New. The contents of the Filter Name drop-down list
disappear.
3. In the Filter drop-down list, specify a name for the filter.
4. Configure the filter criteria.
5. Click Save.

To modify a filter

1. Click Filter to expand the Filter group box.
2. From the Filter drop-down list, select the filter.
3. Configure the filter criteria.
4. Click Save.

To apply an existing filter

1. Click Filter to expand the Filter group box.
2. From the Filter drop-down list, select the filter.

Note: To disable filtering (that is, show all the elements in the tree), select None.

3. Click Apply.

To display all the sites and devices

Click Reset.

To delete a filter

From the Filter drop-down list, select the filter; and then, click Delete.


Table 1: Filter Criteria Parameters

Category: Description

Device Name: The name of the device, or a regular expression. This criterion is useful if
device names indicate device features, organizational location, or geographical location.
This field supports a wildcard (*) character.

Device IP Address: The device IP address, IP range, or IP mask.

Device Type: The type of device.
Values: Alteon, AppDirector, DefensePro

Property: Values:
    Status: Exposes the Up and Down checkboxes. You can specify whether the filter displays
    only devices that are up or only devices that are down.
    Software Version: Exposes the Software Version drop-down list with the options
    corresponding to the selected Device Type.
    Device Driver Version: Exposes the Device Driver Version drop-down list with the options
    corresponding to the selected Device Type.
    Form Factor: When the selected Device Type is Alteon, exposes Standalone, VX, vADC, and
    VA checkboxes.
    Licensing Information: Exposes the Licensing Information drop-down list with the options
    corresponding to the selected Device Type.

Last Configuration Backup Date: The timestamp, in yyyy-MM-dd hh:mm:ss format, of the last
APSolute Vision configuration backup.
This field supports a wildcard (*) character.

Last Software Version Upgrade Date: The timestamp, in yyyy-MM-dd hh:mm:ss format, of the last
device software upgrade. This criterion is useful to help you plan an upgrade process. For
example, with the Alteon vADC form factor, you can filter all the vADCs whose software was
updated at the same time.
This field supports a wildcard (*) character.

AppShape: The Alteon devices with the specified AppShape deployed.

Organization Site: The site in the Organization tab.
Note: This filter criterion applies only in the Organization tab.

Physical Container: Values:
    Physical Container: The ADC-VX in the Physical tab.
    Payload Blade: Specifies a specific payload blade, or any payload blade when the field is
    empty.
    Enabled vADCs: Specifies whether the enabled vADCs are displayed.
    Disabled vADCs: Specifies whether the disabled vADCs are displayed.
Note: This filter criterion applies only in the Physical tab.


Chapter 3 Monitoring and Controlling the APSolute Vision System

APSolute Vision monitors and controls the APSolute Vision server and platform, and the associated
database.
This chapter contains the following sections:

Monitoring APSolute Vision

Monitoring APSolute Vision Basic, Version, and Hardware Information

Managing Device Drivers

Managing Stored Device Configuration/Backup Files

Managing Configuration Templates

Managing DefensePro Security Groups

Controlling APSolute Vision Operations

Monitoring APSolute Vision


APSolute Vision monitors the APSolute Vision server and platform, and the associated database. The
system monitors performance and operational status, and stores the processed monitoring
information in the APSolute Vision database. When a problem is identified, an alert is issued, and
displayed in the Alerts pane.

Monitoring APSolute Vision Basic, Version, and Hardware Information

You can view the version number and build details of the management software on the APSolute
Vision server.

To display APSolute Vision basic, version, and hardware information


1. In the Asset Management perspective system pane, select General Settings.
2. In the content pane, select the Overview tab.

Table 2: APSolute Vision Server Basic, Version, and Hardware Information

Parameter: Description

Basic Parameters

Operational Status: Specifies whether the APSolute Vision server is currently up or down.

Management IP Address: The IP address of the APSolute Vision server used for management.

Hardware Platform: The type of hardware platform of the APSolute Vision server.

Vision Server Uptime: The up time of the APSolute Vision server, in days, hours, minutes, and
seconds.

MAC Address of Port G1: The MAC address of the APSolute Vision server G1 management port. (1)

MAC Address of Port G2: The MAC address of the APSolute Vision server G2 management port. (1)

MAC Address of Port G3: The MAC address of the APSolute Vision server G3 management port. (1, 2)

Software

Software Version: The version of the APSolute Vision server.

Build: The date and build number of the current software version.

Hardware

RAM Size: The amount of RAM, in megabytes.

Attack Description

Attack Descriptions Last Update: The time of the latest update of the Attack Description file on
the APSolute Vision server.

(1) If the port is down, the field is empty.
(2) If the port is not supported, the field displays the value Unsupported.

Managing Device Drivers


A device driver in APSolute Vision defines the GUI and configuration of the software version of a
managed device. The software version of a managed device defines the baseline driver version.
There may be multiple device-driver versions for a single software version of a device, but there can
be only one device-driver version in use on any single APSolute Vision server. That is, each device
driver applies to all devices in the system that use the same device-software version.
Typically, subsequent versions of device drivers include only fixes for GUI and configuration bugs.
You can install a newer version of the device driver, and you can revert to the baseline version.
When you upgrade device software, you need to reboot the device. However, when you install a new
version of a device driver or revert to the baseline version, you do not need to reboot the device.

Caution: Device drivers do not include changes to the online help. Depending on the
configuration of the APSolute Vision server, the APSolute Vision clients get online help
either from the APSolute Vision server (the default option) or radware.com. The
online-help files at radware.com are always the most up-to-date; but clients may
encounter latency or connectivity problems. If the APSolute Vision clients get online
help from the APSolute Vision server, after updating a device driver, the online-help
files on the server should be updated. It is the responsibility of the APSolute Vision
administrator to make sure that the help files on the server are updated as necessary.


Notes:
>> For device software versions that were released prior to the release of APSolute Vision
1.10, all the baseline versions of the device drivers reside on the APSolute Vision server.
>> For device software versions that were released after the release of APSolute Vision
1.10, the baseline versions of the device drivers reside on the devices themselves.
>> The device driver includes the minimum APSolute Vision version.
When an APSolute Vision server detects that a new device has been installed or that a new device
software version has been installed on an existing device, the server does the following:
1. Retrieves the driver version from the device.
2. Checks whether it already has a driver version that corresponds to the device software version,
and uses the newest device driver.
3. If the driver version on the device is newer than the device version on the server, the server
downloads the new driver from the device, but does not apply it. The table in the Device Drivers
tab (in the Asset Management perspective) displays the device-version row shaded gray.
4. If the device driver is incompatible or not found, APSolute Vision behaves as follows:

Issues an appropriate error message, but displays the device in the tree of the System pane
with a special icon (?) on top of it.

When you click the device in the tree, no screen is displayed, but the following information is
displayed in the Properties pane: Device Name (from Vision), Device Type (if known),
Status: Unsupported, and Software Version: <SW_version>

The Properties pane includes the name of the device driver.


You can update the drivers of the devices of a particular software version, you can update all the
device drivers that are not updated in the APSolute Vision server, and you can revert the driver to
the baseline driver version.
If one or more of the relevant devices is locked, APSolute Vision prompts you whether to continue or
not. If you change the driver version when a device is locked by other users, you may lose the
changes for those users.

Table 3: Driver Parameters

Column: Description

Product Name: The device type.
Values: Alteon, AppDirector, DefensePro

Product Version: The device software version.

No. of Devices: The number of devices that use the same device software version.

Driver Baseline: The baseline version of the driver used for this device software version.

Driver in Use: The driver version in use for this device software version.

Latest Driver: The latest driver version for this device software version that is stored in
the APSolute Vision server.


To update a device driver

1. In the Asset Management perspective system pane, select General Settings > Device
Drivers.
2. Right-click in the row with the relevant device and device version.
3. Select Update Driver.
4. Browse to the driver and click Open. APSolute Vision verifies that the device driver version is
relevant for the device software.
5. Read the confirmation message; and then, accept or abort the action.
The version of the driver that you install cannot be the same version or an older version of the
driver baseline version. If the driver version that you install is newer than the baseline version
but older than the driver version in use, APSolute Vision prompts you for confirmation to
downgrade the current driver. If the driver version that you install is newer than the baseline
version and newer than the driver version in use, APSolute Vision prompts you for confirmation to
downgrade the current driver.

To revert to the baseline driver version that resides on the APSolute Vision server

1. In the Asset Management perspective system pane, select General Settings > Device
Drivers.
2. Right-click in the row with the relevant device and device version.
3. Select Revert to Baseline Version.

Note: This option is displayed only when the driver version in use is different from the
baseline driver release.

To update all the device drivers to the latest ones that are stored in the APSolute
Vision server

1. In the Asset Management perspective system pane, select General Settings > Device
Drivers.
2. Click Update All Drivers to Latest.

Note: This command is available only when the APSolute Vision server has a device driver
version that is later than one of the device drivers in use.


Managing Stored Device Configuration/Backup Files


You can manage configuration files of managed devices that are stored on the APSolute Vision
server.
You can do the following:

View details of the configuration files of managed devices

Save configuration files from the server to your PC

Delete configuration files from the server

Edit configuration file descriptions

For information about configuring the maximum number of configuration files per device that can be
stored, see the APSolute Vision Administrator Guide.

To manage stored configuration file information


1. In the Asset Management perspective system pane, select Device Backups.
2. From the Device drop-down list, select the relevant device and click Go. Details of the stored
configuration files for the selected device are displayed in the table.
3. To delete a displayed configuration file from the server:
a. Right-click the entry and select Delete File.
b. Click OK in the confirmation message.
4. To edit the description of a configuration file:
a. Right-click the Description cell for the file and select Edit Description.
b. In the Description cell, add or edit the text, up to 50 characters.
5. To get the configuration file of the device from the APSolute Vision server and download the file
to the local PC:
a. Right-click the entry and select Get Device Configuration File.
b. In the Save As text box, enter the path of the file or browse to the file.
c. Click Save.

Table 4: Device Configuration File Parameters

Parameter: Description

File Name: The name of the stored configuration file.

File Type (This parameter is not available for AppDirector 1.07.12.): An Alteon or AppDirector
device can have configuration files for itself, its peer device, and its backup device.
For all other devices, this field is set to Device.

SW Version: The software version of the device.

Backup Date: The date and time that the file was saved on the APSolute Vision server.

Description: A description of the file. You can enter and edit text in this field.


Managing Configuration Templates


Only certain device versions and device drivers support this feature. For the list of supported device
versions and device drivers, refer to the release notes.
The Configuration Template feature enables you to configure an object with multiple parameters
with just a few actions. You create a configuration template in the relevant area of any managed
device that supports the Configuration Template feature. You can apply (that is, propagate) the
template on the same device or another device that supports that template. You can manage the
existing configuration templates stored on the APSolute Vision server in the Asset Management
perspective Templates tab.
Examples of configuration objects that support configuration templates:

AppDirector Farm

DefensePro BDoS Profile

For information about configuring configuration templates, see Configuring and Using Configuration
Templates.
Use the Templates tab (Asset Management perspective, Configuration Templates) to do the
following:

Filter the display of the list of the configuration templates

View and modify details of the configuration templates of managed devices

Edit configuration-template descriptions

Delete configuration templates

The Templates tab (Asset Management perspective, Configuration Templates) comprises a filter
and the Templates table, which displays data on each template.
The Templates table supports the following columns:

Enabled: Specifies whether the template is enabled. When a template is enabled, you can use
it to create new configuration objects and propagate the values of the template onto existing
configuration objects. If the template is disabled, you cannot use it or edit it; the template is
only stored in APSolute Vision.

Name: The user-defined name of the template.

Description: The user-defined description of the template.

Screen ID: The internal identifier of the user-interface that supports the template.

Type: The configuration-object type of the template.

Device Type: The type of the device that supports the template.

Software Version: The software version of the device that supports the template.

Modified On: The timestamp, in dd MMM hh:mm:ss format, when the template was last
modified.

Modified By: The APSolute Vision user who last modified the template.

Device Driver ID: The device driver filename.

Created On: The timestamp, in dd MMM hh:mm:ss format, when the template was created.

Created By: The APSolute Vision user who created the template.

Total Propagations: The total number of propagations of the template.

Successful Propagations: The number of successful propagations of the template.

Failed Propagations: The number of failed propagations of the template.


To filter the templates that the Templates table shows


1. In the Asset Management perspective system pane, select Configuration Templates.
2. In the Template Filter group box, configure the parameters; and then, click Go.

Table 5: Template Filter Parameters

Parameter: Description

Enabled: The status of the templates.
Values:
    All: The Templates table shows enabled and disabled templates.
    true: The Templates table shows enabled templates.
    false: The Templates table shows disabled templates.

Device Type: The device type of the templates.
Values:
    All: The Templates table shows templates of all relevant device types.
    AppDirector: The Templates table shows the templates of AppDirector devices.
    DefensePro: The Templates table shows the templates of DefensePro devices.

Software Version: The software version of the devices with templates.
Values:
    All: The Templates table shows templates of all software versions with templates.
    Software version: The Templates table shows the templates of the selected version.

Type: The configuration-object type with templates.
Values:
    All: The Templates table shows all configuration-object types with templates.
    Configuration-object type: The Templates table shows the templates of the selected
    configuration-object type.

To edit template properties and view read-only data


1. In the Asset Management perspective system pane, select Configuration Templates.
2. In the Templates group box, right-click in the row and select Edit Row.
3. Configure or view the parameters; and then, click Save.


Table 6: Template Parameters

Parameter: Description

Template

Enabled: Specifies whether the template is enabled. When a template is enabled,
you can use it to create new configuration objects and propagate the
values of the template onto existing configuration objects. If the template
is disabled, you cannot use it; it is only stored in APSolute Vision.
Values: true, false

Name: The user-defined name of the template.
Maximum characters: 255

Description: The user-defined description of the template.
Maximum characters: 255

Type: (Read-only) The configuration-object type of the template.

Template Statistics
The values in this group box are read-only.

Screen ID: The internal identifier of the user-interface that supports the template.

Device Driver ID: The device driver filename.

Software Version: The software version of the device that supports the template.

Device Type: The type of the device that supports the template.

Created On: The timestamp, in dd MMM hh:mm:ss format, when the template was created.

Created By: The APSolute Vision user who created the template.

Modified On: The timestamp, in dd MMM hh:mm:ss format, when the template was last
modified.

Modified By: The APSolute Vision user who last modified the template.

Total Propagations: The total number of propagations of the template.

To delete a configuration template


1. In the Asset Management perspective system pane, select Configuration Templates.
2. In the Templates group box, right-click in the row and select Delete Row.

Managing DefensePro Security Groups


APSolute Vision can manage Security Groups, which are groups of DefensePro devices that share
security-threat information. The configuration of a Security Group includes senders and receivers.
Senders send security-threat information detected by the Anti-Scanning and/or Server Cracking
modules to APSolute Vision. Receivers receive security-threat information from APSolute Vision as
Dynamic Black List rules. A device can be both a sender and a receiver in the same group. When a
sender detects an attack and sends the information to APSolute Vision, APSolute Vision configures
each receiver with a Dynamic Black List rule that corresponds to the detected threat information.

DefensePro devices running version 6.05 and later can be senders and/or receivers. DefensePro
devices running versions prior to 6.05 can be senders only.
A receiver in a DefensePro Security Group cannot be a secondary device in a cluster.
Security Groups reduce false-negatives in various environments and enhance DefensePro's proactive
approach to security. Especially in asymmetrical network environments, there are cases where a
DefensePro device inspects only one direction of the traffic while other DefensePro devices inspect
the rest of the traffic. In such cases, without a Security Group to share information, when a
DefensePro device identifies a source as a threat and suspends it (blocks it), other DefensePro
devices can continue to forward traffic from the same source. In an extreme example of an
asymmetric (stateful) environment, a DefensePro device may identify a malicious source based on
server responses, though the DefensePro device cannot block the source because the source's
originated traffic passes through another DefensePro device. In such cases, with a Security Group to
share the information, all the receiver DefensePro devices can block the malicious traffic.

Caution: The Security Groups feature does not support redundant APSolute Vision servers.
Unexpected results may occur if more than one APSolute Vision server manages the
DefensePro devices that are members of a Security Group.

Note: APSolute Vision does not limit the number of Security Groups, the number of senders, or
the number of receivers. Radware has tested the feature with five Security Groups, each
with five senders and five receivers.
Security Group behavior:
1. The Anti-Scanning or Server Cracking module of a sender detects an attack. The configuration of
the Security Group includes the modules (Anti-Scanning and/or Server Cracking) that
participate in the group.
2. The sender notifies APSolute Vision using the regular security-event traps.
3. APSolute Vision configures each receiver with a Dynamic Black List rule.
The rule name is in the following format:

<SecurityGroupName> hhmm $$$$


where:

hhmm is the time (hour and minutes) that the Security Group configured the rule. This is the
time set in the APSolute Vision server (and not on the DefensePro receiver or sender).

$$$$ is a four-character hexadecimal hash of the event ID in the security-event trap.


The configuration of the black-list rule (in the receiver) exposes the Detector Module and the
Detector IP Address (in the Detector Security Module and Detector text boxes), which
identify the protection module (for example, Anti-Scanning) and the sender that detected the
attack.
APSolute Vision does not configure a sender with a black-list rule based on its own security
events. That is, if a DefensePro device is a sender and a receiver in a Security Group, when the
device sends a security-event trap to the Security Group, APSolute Vision does not configure
that same device with the corresponding black-list rule.

The configuration of the Security Group determines the blocking period and whether the rule
blocks all the traffic from the source or only a combination of the following:

Attacked address

Attacked port

Protocol

To configure a DefensePro Security Group

1. In the Asset Management perspective Networking tab navigation pane, select Security Groups.
2. Do one of the following:
   - To add an entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 7: Security Group Parameters

| Parameter | Description |
|---|---|
| Enabled | Specifies whether the Security Group is enabled. This enables you to keep a Security Group configuration even when it is not in use. Default: Disabled |
| Group Name | The name of the Security Group. |
| Blocking Period | The time, in minutes, that the receivers block traffic. This is the value of the Expiration Timer in the black-list rule with which APSolute Vision configures the receivers. The Expiration Timer fields display the time remaining. Values: 1-120. Note: For information on black lists, see Configuring Black Lists, page 651. |
| Blocking Rule Parameters | The Security Group uses a Boolean AND operator to determine which packets to block. That is, the more parameters enabled here, the more specific the blocked traffic. |
| Source | (Read-only, always enabled) Specifies that the receivers always block all the traffic from the IP address of the source of the attack. |
| Destination IP Address | Specifies that the receivers block the IP address of the attacked machine. Default: Disabled |
| Destination Port | Specifies that the receivers block the attacked port of the attacked machine. Default: Disabled |
| Protocol | Specifies that the receivers block the protocol used in the attack. Default: Disabled |
| Security Modules | |
| Anti-Scanning | Specifies that the receivers block malicious traffic detected by the Anti-Scanning module of the senders. Default: Enabled |
| Server Cracking | Specifies that the receivers block malicious traffic detected by the Server Cracking module of the senders. Default: Enabled |
| Senders | The Available Devices list and the Selected Devices list. The Available Devices list displays the available DefensePro devices. The Selected Devices list displays the senders of the Security Group. |
| Receivers | The Available Devices list and the Selected Devices list. The Available Devices list displays the available DefensePro devices. The Selected Devices list displays the receivers of the Security Group. |
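
The following Python model is an added illustration, not code from APSolute Vision or Radware. It follows the Security Group behavior described above: the rule-name format <SecurityGroupName> hhmm $$$$, the exclusion of the originating sender, and the Boolean AND of the enabled Blocking Rule Parameters. The class, field, and device names and the sample addresses are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Rule-name format from the guide: "<SecurityGroupName> hhmm $$$$"
RULE_NAME = re.compile(
    r"^(?P<group>.+) (?P<hh>[01]\d|2[0-3])(?P<mm>[0-5]\d) (?P<hash>[0-9A-Fa-f]{4})$")


def parse_rule_name(name: str) -> Optional[dict]:
    """Split a receiver's rule name into group, server time and event hash."""
    m = RULE_NAME.match(name)
    if m is None:
        return None  # not a name in the Security Group format
    return {"group": m["group"], "hour": int(m["hh"]), "minute": int(m["mm"]),
            "event_hash": m["hash"].lower()}


@dataclass(frozen=True)
class SecurityGroup:              # hypothetical mirror of Table 7
    name: str
    blocking_period: int          # minutes; becomes the rule's Expiration Timer
    senders: frozenset
    receivers: frozenset
    enabled: bool = False         # guide default: Disabled
    dst_ip: bool = False          # Blocking Rule Parameters, default Disabled
    dst_port: bool = False
    protocol: bool = False
    modules: frozenset = frozenset({"Anti-Scanning", "Server Cracking"})


@dataclass(frozen=True)
class Event:                      # hypothetical view of a security-event trap
    sender: str
    module: str
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str


@dataclass(frozen=True)
class Rule:
    src_ip: str                   # Source is always part of the rule
    dst_ip: Optional[str]
    dst_port: Optional[int]
    protocol: Optional[str]
    expiration: int
    detector: str                 # sender that detected the attack
    detector_module: str


def rules_for_event(group: SecurityGroup, ev: Event) -> Dict[str, Rule]:
    """Return {receiver: rule} for one event reported by a sender."""
    if (not group.enabled or ev.sender not in group.senders
            or ev.module not in group.modules):
        return {}
    rule = Rule(ev.src_ip,
                ev.dst_ip if group.dst_ip else None,
                ev.dst_port if group.dst_port else None,
                ev.protocol if group.protocol else None,
                group.blocking_period, ev.sender, ev.module)
    # A device that is both sender and receiver gets no rule from its own event.
    return {r: rule for r in sorted(group.receivers) if r != ev.sender}


def blocks(rule: Rule, src_ip: str, dst_ip: str, dst_port: int, protocol: str) -> bool:
    """Boolean AND over the enabled parameters: more parameters, narrower block."""
    return (src_ip == rule.src_ip
            and rule.dst_ip in (None, dst_ip)
            and rule.dst_port in (None, dst_port)
            and rule.protocol in (None, protocol))


# Constructed sample: dp-a detects the attack, dp-b carries the source's traffic.
MEMBERS = frozenset({"dp-a", "dp-b"})
GROUP = SecurityGroup("edge", 30, MEMBERS, MEMBERS, enabled=True, dst_port=True)
EVENT = Event("dp-a", "Server Cracking", "203.0.113.7", "192.0.2.10", 22, "TCP")

if __name__ == "__main__":
    for receiver, rule in rules_for_event(GROUP, EVENT).items():
        print(receiver, rule)
    print(parse_rule_name("edge 1405 0a3F"))
```

With Destination Port enabled, the rule on dp-b stops the source only on the attacked port; with every optional parameter disabled it stops all traffic from the source.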

Controlling APSolute Vision Operations


You can perform the following operations on APSolute Vision:

Backing up the APSolute Vision data: You can back up the configuration tables and other
APSolute Vision data. Backup operations run by means of CLI commands. For more information
about APSolute Vision CLI commands, see the APSolute Vision Administrator Guide.

Note: APSolute Vision backs up the Audit table at regular intervals.

Updating the Attack Description file. For information about updating the Attack Description file,
see the APSolute Vision Administrator Guide.

You can perform the following operations using APSolute Vision CLI:

Restoring the appliance configuration.

Restoring the server configuration.

Management upgrade of appliance and server software.

Restarting the APSolute Vision server.

For more information about APSolute Vision CLI commands, see the APSolute Vision Administrator
Guide.


Chapter 4 Managing Auditing and Alerts


APSolute Vision logs all alerts and actions for APSolute Vision and, optionally, for the managed
devices. You can view auditing information and other alerts in the Alerts pane.
The following topics describe APSolute Vision auditing and the Alerts pane:

APSolute Vision Auditing

Enabling Configuration Auditing for Managed Devices

Managing Alerts

APSolute Vision Auditing


APSolute Vision auditing meets compliance requirements by automatically logging:

All APSolute Vision alerts and user actions.

All configuration changes made to managed devices via APSolute Vision.

This meets Sarbanes-Oxley requirements to audit any configuration change that might affect the
network. In APSolute Vision, you can also configure the managed devices to log all configuration
changes on the device.
The Auditing log is stored in the APSolute Vision database. All audit logs are sent to the Alerts pane,
and can be displayed in the Alerts pane depending on the alerts filter configuration.
The following information is logged to the audit log:

All user management events and user activities (for example, successful login, password change
by user, password reset by admin, and so on).

Actions performed on the device (for example, uploading or downloading a file to a device,
device reboot and shutdown, log file retrieval, and so on).

APSolute Vision activities (including appliance activities, APSolute Vision upgrade, and so on).

Device changes through CLI or WBM (if device auditing is enabled).

Alarms received from the device (if device auditing is enabled).

Device configuration activities (if device auditing is enabled). The audit log records all
configuration changes applied to the managed devices.

Device addition and deletion.

To manage APSolute Vision auditing

Enable or disable configuration auditing for devices. For more information, see Enabling
Configuration Auditing for Managed Devices, page 66.

Enable and configure syslog and e-mail settings for sending audit information from the Alerts
pane. For more information, see the APSolute Vision Administrator Guide.


Enabling Configuration Auditing for Managed Devices


When configuration auditing for devices is enabled on the APSolute Vision server and on the device,
any configuration change on a device using APSolute Vision creates two records in the Audit
database, one from the APSolute Vision server, and one from the device audit message.

Note: To prevent overloading the managed device and prevent degraded performance, the
feature is disabled by default.

To enable configuration auditing for a managed device

1. In the Configuration perspective system pane, select the device for which you want to configure auditing.
2. In the Advanced Parameters tab navigation pane, select Configuration Audit.
3. To enable configuration auditing, select the Enable Configuration Auditing checkbox.
4. Click (Submit) to submit changes.

Managing Alerts
The Alerts tab in the Alerts pane stores and displays alerts.

Note: The Alerts pane includes the Messages tab, which displays Alteon configuration
messages.
The alerts are based on events that are received from:

SNMP traps sent by managed Radware devices.

Auditing messages from all APSolute Vision modules.

APSolute Vision server events.

Configuration auditing messages for managed devices, if enabled on the device.

All alert information is stored in the APSolute Vision database in a separate table from the audit
information. Alert information can be sent to a central audit repository via syslog, and to a
configured recipient via e-mail.


Events Handled in the Alerts Pane


The following types of events are handled by the Alerts pane:

SNMP Traps

Auditing Messages

APSolute Vision Server Events

SNMP Traps
The Alerts pane handles all error traps generated by APSolute Vision and the managed devices,
including:

Generic traps, such as, Cold Start, Link Down, Link Up, Authentication Failure, and so on

Radware traps common to all Radware devices

Device-specific Radware traps

Auditing Messages
APSolute Vision forwards all logged audit events from all APSolute Vision modules and managed
devices to the Alerts pane, including:

Successful and failed login attempts

Backup and restore operations

Configuration changes to APSolute Vision and the managed devices

Monitoring and control changes

Successful and failed task scheduling changes

User management configuration changes

APSolute Vision Server Events


APSolute Vision server events include events from:

Server and database monitoring processes

The APSolute Vision appliance

The watchdog process, which monitors APSolute Vision server processes

Alert Information
All alert information is stored in the APSolute Vision database.
Double-click an alert in the Alerts tab to open the Alert Details dialog box, which displays all the
information with the expanded alert message.
Each alert in APSolute Vision contains the following information:

| Alert Information | Description | Displayed in Alerts Pane? |
|---|---|---|
| Ack | A check box indicating whether the alert has been acknowledged. Alerts of Info severity are acknowledged automatically when raised. Alerts of severity higher than Info require user acknowledgement. Acknowledging an alert indicates that it has been seen by the user and remains in the Alerts pane display. You can select or clear the check box to acknowledge or un-acknowledge alerts. | Yes, by default |
| Severity | The APSolute Vision severity of the event: Critical, Major, Minor, Warning, Info. SNMP trap severities are mapped as shown in SNMP Trap to APSolute Vision Severity Mappings, page 69. | Yes, by default |
| Time | The date and GMT time at which the event occurred. In the Alert Details dialog box, this value is displayed with the label Raised Time. | Yes, by default |
| Device Name | The values differ according to the alert type, as follows: SNMP traps: The value is the name of the device that generated them. APSolute Vision auditing events, which have device context (configuration, monitoring): The value is the name of the device to which the event relates. When the alert is generated by the APSolute Vision server, no device name is displayed. | Yes, by default |
| Device IP | The IP address of the device to which the message relates. No value is provided for alerts generated by APSolute Vision. | Yes, by default |
| Message | The description of the event. | Yes, by default |
| Module | The source module of the event. Values: Device Security: For network security alerts. Device General: For all other device alerts. Vision Configuration: APSolute Vision configuration auditing messages. Vision Control: APSolute Vision Monitoring auditing messages. Vision General: Includes general APSolute Vision auditing messages and APSolute Vision server events. | Yes, by default |
| User Name | For APSolute Vision auditing, the name of the user whose action was audited. | Yes, if configured |
| Device Type | The type of device that generated the alert: Any Alteon device. Any AppDirector device. Any DefensePro device. The APSolute Vision server, for auditing, appliance, server and database monitoring, and watchdog alerts. | Yes, by default |
| Trap SID | The trap SID for SNMP traps. There is no value for events that are not SNMP traps. | Yes, if configured |
| Port | The port number included in the alert information, if it exists (for example, when a port link goes up or down). | Yes, by default |

The Raised Time, Device Name, and Message uniquely identify an alert, and are together considered
the Alert key.

Table 8: SNMP Trap to APSolute Vision Severity Mappings

| Trap Severity | APSolute Vision Severity | Severity Description |
|---|---|---|
| Fatal | Critical | Indicates a severe problem, which prevents or disrupts normal use of the object. |
| Error (APSolute Vision uses predefined criteria to assign Major or Minor severity) | Major | Indicates a problem of relatively high severity, which is likely to prevent normal use of the object. |
| Error | Minor | Indicates a problem of relatively low severity, which should not prevent normal use of the object. |
| Warning | Warning | While the managed object is functioning as it is intended to function, conditions exist that could potentially cause a problem. |
| Info | Info | Information only. There are no problems and the object is functioning normally. |

Displaying Alert Information


Alert information is displayed in the Alerts pane, which, by default, is below the content pane. For
more information about the information displayed, see Alert Information, page 67.
By default, alert information is displayed for one hour after the alert is raised. The information is
then cleared from the display, but remains in the Alerts database. You can change the default in the
Filtering dialog box. For more information, see Filtering Alerts, page 71.
The configured number of most recent critical alerts are always displayed at the top of the table on
a colored background.
You can maximize and minimize the Alerts pane. For more information about Alerts pane navigation
features, see APSolute Vision Interface Navigation, page 34.
The number of unacknowledged alerts for each severity are displayed in the bar above the table.
The information in the alert table is refreshed according to your configured preferences.

In the Alerts pane, you can:

Show and hide columns.

Acknowledge and unacknowledge displayed alerts. Alerts of severity higher than Info require
user acknowledgement to indicate that they have been seen by the user. The alert remains in
the Alerts pane display.

Filter the alerts in the alert table to display a subset of alerts. For more information, see Filtering
Alerts, page 71.

Clear individual alerts from the alert table display.

Clear all the alerts in APSolute Vision database that match the current filter, whether or not the
alerts are visible in the Alerts pane.

Turn off automatic refresh of alert information.

To view details of an alert


Double-click the alert row that you want to view. The alert details are displayed in the Alert
Details dialog box.
For more information about the information displayed, see Alert Information, page 67.

To show and hide columns in the alert table


To show or hide a column, right-click in the header row and select the required column from the
list.
Displayed columns are indicated by a mark next to their name in the list.

To clear all the alerts in APSolute Vision database that match the current filter, whether or not the alerts are visible in the Alerts pane
Click the (Clear All Alerts) button.

To acknowledge alerts
Do one of the following:

To acknowledge an alert, right-click the alert row in the table and select Acknowledge Alert.

To acknowledge several alerts, select the corresponding rows, then right-click and select
Acknowledge Alert.

To acknowledge all alerts in the alert table, click the (Acknowledge All Alerts) button.


To unacknowledge alerts
Do one of the following:

To unacknowledge an alert, right-click the alert row in the table and select Unacknowledge Alert.

To unacknowledge multiple alerts, select the corresponding rows, then right-click and select
Un-acknowledge Alert.

To clear alerts from display


To clear alerts, do one of the following:

To clear an alert, right-click the alert row in the table and select Clear Alert.

To clear several alerts, select the corresponding rows, then right-click and select Clear
Alert.

Notes:
>> Cleared alerts remain in the database, but cannot be viewed.
>> Clearing an unacknowledged alert automatically acknowledges the alert.
Automatic refresh is indicated by the selected (Refresh) button.

To turn off automatic refresh of alert information


Click the (Refresh) button to deselect it.

Note: Radware recommends turning off automatic refresh while you are analyzing alert
information to prevent alerts disappearing from the display.

Filtering Alerts
You can display a subset of the currently displayed alerts by filtering the alerts according to various
alert information criteria.
The criteria are organized according to categories, for example, alert severity, device module, and
so on. Criteria from the same category are combined with logical OR. Criteria from different
categories are combined with logical AND.
The default filter settings include all criteria in all categories, meaning, by default, all alerts raised in
the last hour are displayed.

Use the filtering criteria to define how long an alert is displayed in the Alerts Browser.

Note: Regardless of the filter defined, the configured number of most recent critical alerts are
always displayed at the top of the table on a colored background. This means that
critical alerts that match the filter criteria are displayed twice.

To filter alerts in the alert table

1. In the Alerts pane, click the (Filter) button.
2. Set filtering criteria parameters and click OK. The table is updated at the next automatic refresh.
3. To restore the default filtering criteria, click Restore Defaults, then click OK.

For more information about the filtering criteria, see Alert Information, page 67.

Table 9: Filtering Criteria Parameters

| Parameter | Description |
|---|---|
| Select Devices | Click to select a subset of managed devices for which to display alerts. In the Select Devices dialog box, move the required devices from the Available list to the Selected list. |
| Select All Devices | When selected, matching alerts for all devices are displayed. |
| Raised Time | Alerts raised within the defined time period are displayed. For example, if you define 1 hour, alerts raised in the last hour are displayed. After the defined time, alerts are cleared from the display (not from the Alerts database). Values: 1-24 hours. Default: 1 hour |
| Severity | Alerts of the selected severities are displayed. |
| Module | Alerts for the selected modules are displayed. |
| Device Type | Alerts for the selected device types are displayed. |
| Acknowledgment | Specifies whether to display acknowledged alerts, unacknowledged alerts, or both. |
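
The following Python model is an added illustration, not code from APSolute Vision. It applies the filtering rules described above to a constructed alert list: OR within a category, AND between categories, the Raised Time window, the Alert key, automatic acknowledgement of Info alerts, and the most recent critical alerts pinned at the top regardless of the filter. The class and function names, the top_critical parameter, and the sample alerts are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

SEVERITIES = ("Critical", "Major", "Minor", "Warning", "Info")


@dataclass(frozen=True)
class Alert:
    raised: datetime        # Raised Time (GMT)
    device: str             # Device Name; "" for alerts from the APSolute Vision server
    message: str
    severity: str
    module: str
    device_type: str
    acked: bool = False

    @property
    def key(self):
        """Raised Time, Device Name and Message together form the Alert key."""
        return (self.raised, self.device, self.message)


def raise_alert(raised, device, message, severity, module, device_type) -> Alert:
    """Info alerts are acknowledged automatically when raised; others are not."""
    return Alert(raised, device, message, severity, module, device_type,
                 acked=(severity == "Info"))


@dataclass(frozen=True)
class AlertFilter:
    devices: Optional[frozenset] = None        # None models Select All Devices
    raised_hours: int = 1                      # guide default: 1 hour
    severities: frozenset = frozenset(SEVERITIES)
    modules: Optional[frozenset] = None        # None = every module selected
    device_types: Optional[frozenset] = None   # None = every device type selected
    ack_states: frozenset = frozenset({True, False})

    def matches(self, a: Alert, now: datetime) -> bool:
        # OR inside a category (set membership), AND between categories.
        return ((self.devices is None or a.device in self.devices)
                and now - a.raised <= timedelta(hours=self.raised_hours)
                and a.severity in self.severities
                and (self.modules is None or a.module in self.modules)
                and (self.device_types is None or a.device_type in self.device_types)
                and a.acked in self.ack_states)


def pane_rows(alerts, flt: AlertFilter, now: datetime, top_critical: int = 2) -> List[Alert]:
    """Rows in display order: pinned critical alerts, then the filter matches."""
    unique = list({a.key: a for a in alerts}.values())   # one row per Alert key
    newest = sorted(unique, key=lambda a: a.raised, reverse=True)
    pinned = [a for a in newest if a.severity == "Critical"][:top_critical]
    # A critical alert that also matches the filter is listed twice.
    return pinned + [a for a in newest if flt.matches(a, now)]


def unacked_counts(alerts) -> dict:
    """Unacknowledged alerts per severity, as in the bar above the table."""
    return {s: sum(1 for a in alerts if a.severity == s and not a.acked)
            for s in SEVERITIES}


# Constructed sample data; severities and messages are illustrative only.
NOW = datetime(2012, 5, 1, 12, 0, 0)
SAMPLE = [
    raise_alert(NOW - timedelta(minutes=5), "dp-1", "Authentication Failure",
                "Major", "Device Security", "DefensePro"),
    raise_alert(NOW - timedelta(minutes=10), "dp-1", "Link Down",
                "Critical", "Device General", "DefensePro"),
    raise_alert(NOW - timedelta(hours=3), "alt-1", "Cold Start",
                "Critical", "Device General", "Alteon"),
    raise_alert(NOW - timedelta(minutes=20), "", "User logged in",
                "Info", "Vision General", "APSolute Vision server"),
]

if __name__ == "__main__":
    for row in pane_rows(SAMPLE, AlertFilter(), NOW):
        print(row.severity, row.device or "-", row.message)
    print(unacked_counts(SAMPLE))
```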

Configuring Preferences for the Alerts Pane


You can configure the following preferences for the Alerts pane:

Client preferences: Define how many critical alerts to display and how often the client polls the
server for alert information. For more information, see the APSolute Vision Administrator Guide.

Server preferences: Define how the APSolute Vision server handles alerts. You can enable and
configure reporting and logging events from the Alerts browser to a syslog server. You can
configure sending alert information via e-mail to a defined recipient. For more information, see
the APSolute Vision Administrator Guide.


Chapter 5 Basic Device Configuration


Users with the proper permissions can add devices to the site tree and configure them.
The following topics describe basic device configuration tasks:

Locking and Unlocking Devices

Configuring and Using Configuration Templates

Alteon Configuration Management: Global Commands

AppDirector Setup

DefensePro Setup

General Device Setup

Upgrading a License for a Managed Device

Managing Certificates

Configuring SNMP

Configuring Device Users

Configuring Access Permissions on Physical Ports

Configuring Port Pinging

Configuring Tuning Parameters

Locking and Unlocking Devices


When you have permissions to perform device configuration on a specific device, you must lock the
device before you can configure it. Locking the device ensures that other users cannot make
configuration changes at the same time. The device remains locked until you unlock the device, you
disconnect, the Device Lock Timeout elapses, or an Administrator unlocks it.
Locking a device does not apply to the same device that is configured on another APSolute Vision
server, using Web Based Management, or using CLI.

Note: Only one APSolute Vision server should manage any one Radware device. For more
information, see the APSolute Vision Administrator Guide.
While the device is locked:

The device icon in the system pane includes a small lock symbol, with a separate icon for Alteon,
for AppDirector, and for DefensePro.

Configuration panes are displayed in read-only mode to other users with configuration
permissions for the device.

If applicable, the (Submit) button is displayed.

If applicable, the (Add) button is displayed.


To lock a device
In the Configuration perspective system pane, right-click the device name, and select Lock
Device.

To unlock a device
In the Configuration perspective system pane, right-click the device name, and select Unlock
Device.

Configuring and Using Configuration Templates


Only certain device versions and device drivers support this feature. For the list of supported device
versions and device drivers, refer to the release notes.

Notes:
>> This section describes configuration templates and how to configure and use them. For
information about managing configuration templates, see Managing Configuration
Templates, page 58.
>> For information on the parameters of the configuration object itself, refer to the section on
the specific configuration object.
>> The device must be locked to configure and use configuration templates.
The Configuration Template feature enables you to configure a configuration object with multiple
parameters with just a few actions. For example, AppDirector Farm and DefensePro BDoS Profile are
configuration objects that support the Configuration Template feature.
The APSolute Vision server stores and manages configuration templates, so you can use them on
any managed device of the same type and supported version.
With the Configuration Template feature, you can:

Create a new configuration object based on a template.

Propagate the values of a specified configuration template onto an existing configuration object.

Configuring Configuration Templates


You create a configuration template in the relevant area of a locked managed device that supports
the Configuration Template feature.
When you are in the configuration area of a configuration object that supports the Configuration
Template feature, the right-click menu supports the following actions:

Create New <Configuration Object Type> Template: Creates a new configuration template from
scratch based on the parameters of the configuration object but with no existing user-defined
values.

Create Template from <Configuration Object Type>: Creates a new configuration template from
an existing configuration object, with existing user-defined values. If no instance of the
configuration object exists in the device, this option is not exposed.

Edit <Configuration Object Type> Template: Opens the Edit <Configuration Object Type>
Configuration Template dialog box. The dialog box comprises a table with the corresponding
configuration templates and template statistics. Double-click the required template to open the
Edit Template dialog box. There, you can modify the values of the configuration template. If no
instance of the configuration object exists in the device, this option is not exposed.
When you configure a configuration template, the parameters displayed in the dialog box that opens
are identical to those of the corresponding configuration object except for the following:

You configure the following fields:

Enabled: Specifies whether you can use the template to create new configuration objects
or propagate the template onto existing configuration objects. If the template is disabled,
you cannot use it or edit it; the template is only stored in APSolute Vision.

Name: The user-defined name of the template. Maximum characters: 255.

Description: The user-defined description of the template. Maximum characters: 255.

The type of the configuration object is displayed read-only.

The read-only template statistics are displayed in the Template Statistics group box.

Certain parameters expose the following two additional values:

Existing Value: The propagation process preserves the existing value of the parameter.

Use Default Value: The propagation process changes the existing value of the parameter
to the default value for the parameter.

Table 10: Template Statistics

| Parameter | Description |
|---|---|
| Screen ID | The internal identifier of the user-interface that supports the template. |
| Device Driver ID | The device driver filename. |
| Software Version | The software version of the device that supports the template. |
| Device Type | The type of the device that supports the template. |
| Created On | The timestamp, in dd MMM hh:mm:ss format, when the template was created. |
| Created By | The APSolute Vision user who created the template. |
| Modified On | The timestamp, in dd MMM hh:mm:ss format, when the template was last modified. |
| Modified By | The APSolute Vision user who last modified the template. |
| Total Propagations | The total number of propagations of the template. |

Using Configuration Templates


If you are in a configuration area of a locked device and there is a configuration template of the
corresponding type, the following actions are available from the right-click menu:

Add New <Configuration Object> from Template: Creates a new configuration object from
a template. This option is available only if the configuration option supports manually adding a
new parameter.

Propagate <Configuration Object> Template: Propagates the values from a specified
configuration template onto the selected values. This option is available only if the configuration
object supports changing the value of parameters.


Configuration-Template Behavior
The Configuration Template feature supports the following:

APSolute Vision applies configuration templates sequentially for all selected configuration
objects within a device.

APSolute Vision logs changes in the audit trail (like other configuration changes): Success, if
the change was successfully applied; Failed, if something failed during the update.

APSolute Vision issues success and failure alerts for propagations of configuration templates.

Managed devices issue alerts on changed parameter values caused by template-propagation
action (that is, audit alerts on success, error alerts on error).

APSolute Vision logs propagation information in the propagate.log files, which you can access
via the Web interface of the APSolute Vision server. APSolute Vision cyclically stores up to 10
propagate.log files of 5 MB each, appending the appropriate number to the .log extension.

To download the propagate.log file

1. Open your browser and enter the IP address of the APSolute Vision server. An Authentication Required dialog box is displayed.
2. Type the user name and password. Use the username and password that you receive from your system administrator. The initial default user name is visionweb. The initial default password is radware.
3. Click OK. The Radware Web page opens.
4. Click the Maintenance Files icon. The maintenance page opens.
5. Click the link to the required propagate.log file.

Alteon Configuration Management: Global Commands


Alteon devices support the following configuration-management actions, also referred to as global
commands.

Table 11: Alteon Device Configuration Management Actions

| Action | Description |
|---|---|
| Apply | Applies any changes that have been made to the device configuration. This option is available only if the device is locked. |
| Save | Saves the current configuration in backup memory and saves the active configuration by overwriting the current configuration. This option is available only if the device is locked. |
| Revert | Reverts the device to the current active configuration. This option is available only if the device is locked and the new configuration settings were not applied. |
| Revert Apply | Reverts the device to the current saved configuration. This option is available only if the device is locked and the new configuration settings were applied but not saved. |
| Diff | Collects the pending configuration changes. You can view, save, and copy the text when you double-click the associated message in the Messages tab in the Alerts pane. |
| Diff Flash | Collects the pending configuration changes and the affected configuration stored in flash memory on the device. You can view, save, and copy the text when you double-click the associated message in the Messages tab in the Alerts pane. |
| Dump | Collects a dump of the current device configuration. You can view, save, and copy the text when you double-click the associated message in the Messages tab in the Alerts pane. |

When an Alteon device is selected in the site tree, APSolute Vision exposes the configuration-management options in the device shortcut menu and in the main toolbar.

To perform an Alteon configuration-management action


Do one of the following:

- In the Configuration perspective system pane, right-click the device name; and then, select
the required option.
- In the Configuration perspective system pane, select the device name; and then, from the
main toolbar, click the required button. The Diff Flash button is displayed when you click
the arrow of the Diff button. The Revert Apply button is displayed when you click the
arrow of the Revert button.

Figure 28: Alteon Configuration Management Options in the Shortcut Menu - Device Is Locked

Figure 29: Alteon Configuration Management Options in the Shortcut Menu - Device Is Not Locked

Figure 30: Alteon Configuration Management Options in the Toolbar - Device Is Locked

Figure 31: Alteon Configuration Management Options in the Toolbar Menu - Device Is Locked

AppDirector Setup
You can configure the following setup parameters for a selected AppDirector device:

- Configuring AppDirector Global Parameters
- Configuring AppDirector Date and Time Synchronization
- Configuring AppDirector Daylight Savings
- Configuring AppDirector E-mail Settings
- Configuring AppDirector Syslog Settings
- Configuring AppDirector DNS Client
- Configuring AppDirector BOOTP
- Configuring AppDirector Session Table Settings
- Configuring AppDirector Threshold Warning Levels
- Configuring AppDirector Statistics Monitoring
- Configuring AppDirector Static Forwarding Table

Configuring AppDirector Global Parameters


You can view the following device information:

Basic device parameters

The time and date settings on the device

Device hardware and software versions

To view and configure AppDirector global parameters


1. In the Configuration perspective Setup tab, select Global Parameters.
2. Configure location and contact information, if required.
3. Click (Submit) to submit the changes.

Table 12: AppDirector Global Parameters

| Group | Parameter | Description |
| --- | --- | --- |
| Basic Parameters | Device Description | (Read-only) The description configured on the device. |
| Basic Parameters | Device Name | (Read-only) The device name configured in APSolute Vision. |
| Basic Parameters | Peer Device Name (This parameter is available only in AppDirector 2.30 and later.) | The name of the peer device. This parameter is required for configuration synchronization between this device and its peer. |
| Basic Parameters | Location | Enter the device location, if required. |
| Basic Parameters | Contact Information | Enter contact information, if required. |
| Basic Parameters | System Up Time | (Read-only) The length of time that the device has been up since last device reboot. |
| Date and Time | Device Time | (Read-only) The time setting on the device. |
| Date and Time | Device Date | (Read-only) The date setting on the device. |
| Version Information | Software Version | (Read-only) The version of the product software on the device. |
| Version Information | Hardware Version | (Read-only) The version of device hardware. |
| Version Information | Serial Number | (Read-only) The serial number of the device hardware. |

Configuring AppDirector Date and Time Synchronization


AppDirector uses Network Time Protocol (NTP) to synchronize time and date. NTP enables device
synchronization by distributing an accurate clock across the network. At predefined intervals, a
device sends time query messages to the NTP Server. The server sends the date and time to the
device.
Enabling or disabling the NTP capability results in different levels of accuracy.

Note: When NTP is disabled, the time and date must be set manually for the device.

To configure AppDirector date and time synchronization


1. In the Configuration perspective Setup tab, select Time Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 13: NTP Parameters

| Parameter | Description |
| --- | --- |
| Enable NTP | Enables or disables the NTP feature. Default: disabled. Note: The NTP Server Address must be configured to enable the NTP feature. |
| Server IP Address | The address of the NTP server. |
| L4 Port | The NTP server port. Default: 123 |
| Polling Interval | The interval, in seconds, between time query messages sent to the NTP server. Default: 172,800 |
| Time Zone | The timezone offset from GMT (-12:00 to +12:00 hours). Default: 00:00 |

Configuring AppDirector Daylight Savings


AppDirector supports daylight savings time. You can configure the daylight savings time by defining
the start and end date or by defining recurring daylight savings using day and week or the month
parameters.
During daylight savings time, the device automatically adds one hour to the system clock. The
device also indicates whether it is on standard time or daylight saving time.

Note: When the system clock is manually configured, the system time is changed only when
daylight saving time starts or ends. When daylight saving time is enabled during the
daylight saving time period, the device does not change the system time.

To configure AppDirector daylight saving


1. In the Configuration perspective Setup tab, select Time Settings > Daylight Saving.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 14: AppDirector Daylight Savings Parameters

| Group | Parameter | Description |
| --- | --- | --- |
| Daylight Saving Time Parameters | Enabled | Enables or disables daylight saving time. Default: Disabled |
| Daylight Saving Time Parameters | Current Mode | (Read-only) Indicates whether the device is on standard time or daylight saving time. |
| Daylight Saving Time Parameters | Delta | The difference, in hours, between Daylight Savings Time and Standard Time. This is the number of hours by which the clock is to be adjusted. Default: 1 |
| Daylight Saving Time Begins | Mode | The mode of defining when daylight saving begins. Values: Date: Select to define the exact date on which daylight savings begins. Recurring: Select to define the conditions for the recurring start of daylight saving, for example, first Sunday in April. |
| Daylight Saving Time Begins | Month | The month in which daylight saving begins. |
| Daylight Saving Time Begins | Day (Date mode only) | Day of the month when daylight saving begins. Values: 1-31 |
| Daylight Saving Time Begins | Week Day (Recurring mode only) | The day of the week on which daylight saving begins. |
| Daylight Saving Time Begins | Instance (Recurring mode only) | The instance of the day in the month when daylight saving begins. For example, if daylight saving begins on the first Sunday in April, the value is 1. |
| Daylight Saving Time Begins | Hour | The hour at which daylight saving begins. Values: 0-24 |
| Daylight Saving Time Begins | Begin Date and Time | (Read-only) Displays the date and time at which daylight savings will take effect. |
| Daylight Saving Time Ends | Mode | The mode of defining when daylight saving ends. Values: Date: Select to define the exact date on which daylight savings ends. Recurring: Select to define the conditions for the recurring end of daylight saving, for example, last Sunday in October. |
| Daylight Saving Time Ends | Month | The month in which daylight saving ends. |
| Daylight Saving Time Ends | Day (Date mode only) | Day of the month when daylight saving ends. Values: 1-31 |
| Daylight Saving Time Ends | Week Day (Recurring mode only) | The day of the week on which daylight saving ends. |
| Daylight Saving Time Ends | Instance (Recurring mode only) | The instance of the day in the month when daylight saving ends. For example, if daylight saving ends on the last Sunday in October, the value is 4. |
| Daylight Saving Time Ends | Hour | The hour at which daylight saving ends. Values: 0-24 |
| Daylight Saving Time Ends | End Date and Time | (Read-only) Displays the date and time at which daylight saving ends. |

Configuring AppDirector E-mail Settings


You can configure the device to send information messages via e-mail to device users. This feature
can be used for sending trap information via e-mail. When you configure device users, you can
specify whether an individual user should receive notifications via e-mail and the minimal event
severity reported via SNMP traps and e-mail. The user will receive traps of the configured severity
and higher.
The e-mail configuration applies both for SNMP traps and for SMTP e-mail notifications. SMTP
notifications are enabled globally for the device.

Note: The device optimizes the mailing process by gathering reports and sending them in a
single notification message once the buffer is full or once a timeout of 60 seconds
expires.

To configure AppDirector e-mail settings


1. In the Configuration perspective Setup tab navigation pane, select Email Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Note: To configure users to receive e-mails about errors, in the User Table, set the e-mail
address and notification severity level for each user. For information about configuring
users, see Configuring Device Users.

Table 15: AppDirector E-mail Parameters

| Group | Parameter | Description |
| --- | --- | --- |
| Basic SMTP Parameters | Enable Email Client | Enables the e-mail client. Select to support features that are related to sending e-mail messages. Default: Disabled |
| Basic SMTP Parameters | Enable Sending Email upon Errors | Enables sending notifications via e-mail. Default: Disabled |
| SMTP Server Parameters | Primary Server Address | IP address of the SMTP Server. |
| SMTP Server Parameters | Alternative Server Address | An IP address of an alternative SMTP Server. The alternate SMTP server is used when SMTP connection cannot be established successfully with the main SMTP server, or when main SMTP server closed the connection. The device tries to establish connection to the main SMTP server, and starts re-using it when available. |
| SMTP Client Parameters | Email Address | Mail address that is displayed in the Sender field of e-mail messages generated by the device, for example device1@domain.com. |
| SMTP Client Parameters | Name in To Field | The text that is displayed in the Recipient field of e-mail messages generated by the device. |
| SMTP Client Parameters | Backup Device Email Address (This parameter is not available in AppDirector 1.07.12.) | The e-mail address of the Backup AppDirector device. |

Configuring AppDirector Syslog Settings


In AppDirector 2.14.03, event traps can be mirrored to one or more syslog servers. For each
managed device, you can configure the appropriate information. Any traps generated by the device
will be mirrored to specified syslog servers.
In AppDirector versions other than 2.14.03, event traps can be mirrored to one syslog server. For
each managed device, you can configure the appropriate information. Any traps generated by the
device will be mirrored to the specified syslog server.
You can also use additional notification settings, such as Facility and Severity. Facility specifies the
type of device of the sender. Severity indicates the importance or impact of the reported event. The
user-defined Facility value is used when the device sends syslog. The Severity value is determined
dynamically by the device for each message that is sent.

Note: Instead of configuring each individual device, Radware recommends configuring the
APSolute Vision server to convey the syslog messages from all devices. For more
information about configuring syslog reporting on the APSolute Vision server, see the
APSolute Vision Administrator Guide.

To configure syslog in AppDirector 2.14.03


1. In the Configuration perspective Setup tab, select Syslog.
2. Do one of the following:
   - To enable the syslog feature, select the Enable Syslog checkbox.
   - To disable the syslog feature, clear the Enable Syslog checkbox.
   Default: Enabled
3. Do one of the following:
   - To add an entry, click the (Add) button.
   - To modify an entry, double-click the entry in the table.
4. Configure the parameters; and then, click (Submit) to submit the changes.

Table 16: Syslog Parameters for AppDirector 2.14.03

| Parameter | Description |
| --- | --- |
| Address or Hostname | The IP address or hostname of the device running the syslog service (syslogd). |
| Source Port | The syslog source port. Default: 514 |
| Destination Port | The syslog destination port. Default: 514 |
| Facility | The type of device of the sender. This is sent with syslog messages. You can use this parameter to do the following: distinguish between different devices; define rules that split messages. Values: Authorization Messages, Clock Daemon, Clock Daemon2, FTP Daemon, Kernel Messages, Line Printer Subsystem, Local 0, Local 1, Local 2, Local 3, Local 4, Local 5, Local 6, Local 7, Log Alerts, Log Audit, Mail System, Network New Subsystem, NTP Daemon, Security Messages, Syslogd Messages, System Daemons, User Level Messages, UUCP. Default: Local Use 6 |
| Operational Status | Specifies whether the syslog server is enabled. Default: Enabled |

To configure syslog in AppDirector versions other than 2.14.03


1. In the Configuration perspective Setup tab, select Syslog.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 17: Syslog Parameters for AppDirector Versions Other Than 2.14.03

| Parameter | Description |
| --- | --- |
| Enable Syslog | Enables or disables syslog reporting. |
| Server Address | IP address of the device running the syslog service (syslogd). |
| Facility | The type of device of the sender. This is sent with syslog messages. You can use this parameter to do the following: distinguish between different devices; define rules that split messages. Values: Authorization Messages, Clock Daemon, Clock Daemon2, FTP Daemon, Kernel Messages, Line Printer Subsystem, Local 0, Local 1, Local 2, Local 3, Local 4, Local 5, Local 6, Local 7, Log Alerts, Log Audit, Mail System, Network New Subsystem, NTP Daemon, Security Messages, Syslogd Messages, System Daemons, User Level Messages, UUCP. Default: Local Use 6 |
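
The Facility and Severity values described above travel in the `<PRI>` field at the start of each syslog message (PRI = facility x 8 + severity). The following added example, which is not part of the original guide or of any Radware software, shows collector-side rules that split received messages by those two values. The mapping of the GUI facility labels to the standard syslog facility codes, the bucket names, the sender addresses, and the message text are assumptions made for the example.

```python
import re

# Standard syslog facility codes (RFC 3164/5424). Matching them to the GUI
# labels listed in Tables 16 and 17 is an assumption made for this example.
FACILITY_CODES = {
    "Kernel Messages": 0, "User Level Messages": 1, "Mail System": 2,
    "System Daemons": 3, "Authorization Messages": 4, "Syslogd Messages": 5,
    "Line Printer Subsystem": 6, "Network New Subsystem": 7, "UUCP": 8,
    "Clock Daemon": 9, "Security Messages": 10, "FTP Daemon": 11,
    "NTP Daemon": 12, "Log Audit": 13, "Log Alerts": 14, "Clock Daemon2": 15,
    **{f"Local {n}": 16 + n for n in range(8)},
}
FACILITY_LABELS = {code: label for label, code in FACILITY_CODES.items()}
SEVERITIES = ("Emergency", "Alert", "Critical", "Error",
              "Warning", "Notice", "Informational", "Debug")

PRI_RE = re.compile(r"<(\d{1,3})>(.*)", re.DOTALL)


def decode_pri(raw):
    """Split a raw syslog message into (facility, severity, rest).

    Raises ValueError when the <PRI> field is missing or out of range.
    """
    match = PRI_RE.fullmatch(raw)
    if match is None:
        raise ValueError("missing <PRI> field")
    pri = int(match.group(1))
    if pri > 23 * 8 + 7:  # highest facility (Local 7) with lowest severity
        raise ValueError(f"PRI {pri} out of range")
    facility, severity = divmod(pri, 8)
    return facility, severity, match.group(2)


def split_messages(messages, expected_label="Local 6", alert_at_or_below=4):
    """Sort (sender, raw) pairs into buckets by facility and severity.

    expected_label: the Facility configured on the managed devices.
    alert_at_or_below: numeric severity threshold (lower is more severe);
        4 sends Warning and anything more severe to the "alert" bucket.
    """
    expected = FACILITY_CODES[expected_label]
    buckets = {"alert": [], "store": [], "other_facility": [], "malformed": []}
    for sender, raw in messages:
        try:
            facility, severity, rest = decode_pri(raw)
        except ValueError:
            buckets["malformed"].append((sender, raw))
            continue
        record = {
            "sender": sender,
            "facility": FACILITY_LABELS[facility],
            "severity": SEVERITIES[severity],
            "message": rest.strip(),
        }
        if facility != expected:
            # A sender that does not use the configured facility.
            buckets["other_facility"].append(record)
        elif severity <= alert_at_or_below:
            buckets["alert"].append(record)
        else:
            buckets["store"].append(record)
    return buckets


# Constructed sample input: documentation addresses and placeholder text,
# not real device output.
SAMPLE = [
    ("192.0.2.10", "<179>constructed message A"),  # 22*8+3: Local 6, Error
    ("192.0.2.10", "<182>constructed message B"),  # 22*8+6: Local 6, Informational
    ("192.0.2.11", "<38>constructed message C"),   # 4*8+6: Authorization Messages
    ("192.0.2.12", "constructed message without PRI"),
    ("192.0.2.12", "<999>constructed message D"),  # PRI out of range
]

if __name__ == "__main__":
    for name, items in split_messages(SAMPLE).items():
        print(name, len(items))
```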

Configuring AppDirector DNS Client


You can configure AppDirector to operate as a Domain Name Service (DNS) client. When the DNS
client is disabled, IP addresses cannot be resolved. When the DNS client is enabled, you must
configure the servers to which AppDirector sends queries for host name resolution.
You can set the DNS parameters and define the primary and the alternate DNS servers for dynamic
DNS. In addition you can set static DNS parameters.
For a detailed description of how DNS works, see the AppDirector User Guide.

To configure DNS client settings


1. In the Configuration perspective Setup tab, select DNS Client.
2. Configure basic DNS client parameters; and then, click (Submit) to submit the changes.
3. To add or modify static DNS entries, do one of the following:
   - To add an entry, click the (Add) button.
   - To modify an entry, double-click the entry in the table.
4. Configure the static DNS parameters and click OK.

Table 18: DNS Client Parameters in AppDirector 2.30 and Later

| Parameter | Description |
| --- | --- |
| Enable DNS Client | Enables AppDirector to operate as a DNS client to resolve IP addresses. |
| Primary Network Type | The network type of the primary DNS server. Values: IPv4, IPv6. Default: IPv6 |
| Primary DNS Server Address | The IP address of the primary DNS server to which AppDirector sends queries. |
| Alternative Network Type | The network type of the alternate DNS server. Values: IPv4, IPv6. Default: IPv6 |
| Alternative DNS Server Address | The IP address of the alternative DNS server to which AppDirector sends queries. |

Table 19: Static DNS Parameters in AppDirector 2.30 and Later

| Parameter | Description |
| --- | --- |
| Host Name | The domain name for the specified IP address. |
| IPv4 Address | The IPv4 address for the specified domain name. |
| IPv6 Address | The IPv6 address for the specified domain name. |

Table 20: DNS Client Parameters in AppDirector Versions Prior to 2.30

| Parameter | Description |
| --- | --- |
| Enable DNS Client | Enables AppDirector to operate as a DNS client to resolve IP addresses. |
| Primary DNS Server Address | The IP address of the primary DNS server to which AppDirector sends queries. |
| Alternative DNS Server Address | The IP address of the alternative DNS server to which AppDirector sends queries. |

Table 21: Static DNS Parameters in AppDirector Versions Prior to 2.30

| Parameter | Description |
| --- | --- |
| Host Name | The domain name for the specified IP address. |
| IP Address | The IP address for the specified domain name. |

Configuring AppDirector BOOTP


BOOTP is a protocol that is used to obtain the client IP address from the BOOTP server.

To configure BOOTP settings


1. In the Configuration perspective Setup tab navigation pane, select BootP.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 22: BootP Parameters for AppDirector

| Parameter | Description |
| --- | --- |
| Server Address | The IP address of the BootP server. The device forwards BootP requests to the BootP server and acts as a BootP relay. |
| Relay Threshold | The time, in seconds, that the device waits before relaying requests to the BootP server. This delay allows local BootP servers to answer first. |

Configuring AppDirector Session Table Settings


AppDirector devices include a Session table, which tracks sessions bridged and forwarded by the
device.
For information about monitoring the session table, see the APSolute Vision online help.

To configure session table settings


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Session
Table Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 23: AppDirector Session Table Parameters

| Parameter | Description |
| --- | --- |
| Enable Session Table | When enabled, the device uses the Session table. Default: Enabled |
| Remove Session Entry at Session End | When enabled, the device removes sessions from the Session Table five seconds after receiving a FIN or RST packet if no additional packets are received on the same session within the five seconds. This option is available only for Full Layer 4 Lookup Mode. When enabled, Radware recommends that you free resources when the Aging Time of the Session Table is set at a high value. However, this can cause a slight performance degradation. Default: Enabled |
| Send Reset to Server When No Data is Received | When enabled, the device sends a TCP RST packet to the server if no data is transmitted through the session because it may be a SYN attack. Default: Disabled |
| Lookup Mode | The layer of address information that is used to categorize packets in the Session Table. Values: Full Layer 4: An entry exists in the Session Table for each source IP, source port, destination IP, and destination port combination of packets passing through the device. This is the default mode for the Session Table. Radware recommends selecting this option when traffic classification on Layer 4 or 7 is required. Dest Layer 4 Port: Enables traffic to be recorded based only on the TCP/UDP destination port. This mode uses minimal Session Table resources (only one entry for each port that is secured). |
| Aging Time | The time, in seconds, that the device keeps a non-active session in the Session Table. Default: 100 |

Configuring AppDirector Suspend Settings


A managed device can suspend traffic from an IP address that was the source of an attack, for a
defined period of time.
Dynamic blocking duration is implemented by the Anti-Scanning and Server Cracking protections
based on the suspend settings that you configure. (Although connection-rate limits and intrusion
signatures can be set manually to suspend the source, they do not support dynamic duration.)
The dynamic blocking duration is usually set by the managed device's Anti-Scanning and Server
Cracking protections:

The initial suspend time period cannot be lower than the Minimal Aging Timeout.

Each additional time the same source is suspended, the suspension length is doubled until it
reaches the Maximal Aging Timeout.

When the suspension length has reached the maximum length allowed, it remains constant for
each additional suspension.

To configure Suspend-table settings


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Suspend
Table Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 24: Suspend Table Parameters

| Parameter | Description |
| --- | --- |
| Minimal Aging Timeout | The time, in seconds, for which the managed device suspends first-time offending source IP addresses. Default: 10 |
| Maximal Aging Timeout | The maximal time, in seconds, for which the managed device suspends a specific source. Each time the managed device suspends the same source, the suspension length doubles until it reaches the Maximal Aging Timeout. Default: 600 |
| Maximum Entries with Same Source IP | The number of times the managed device suspends the same source IP address before the managed device suspends all traffic from that source IP address, regardless of the specified Suspend Action. For example, if the value for this parameter is 4 and the specified Suspend Action is SrcIP-DstIP-SrcPort-DstPort, the managed device suspends all traffic from a source IP address that had an entry in the Suspend list more than four times, even if the destination IP address, source port, and destination ports were different for the previous updates to the Suspend table. This parameter is irrelevant when the specified Suspend Action is SrcIP. Values: 0: The device does not implement the feature. 1-10. Default: 0 |
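
The doubling rule and the Maximum Entries with Same Source IP rule interact, so it helps to see the resulting schedule for a given pair of timeouts. The following added example models the rules as stated in this section; it is not Radware code, and the class name, the `requested` parameter, and the source address are hypothetical. It reads "more than four times" in Table 24 as a suspension count greater than the configured value.

```python
from dataclasses import dataclass, field


@dataclass
class SuspendModel:
    """Model of the suspend-duration rules stated in the text and Table 24."""
    min_aging: int = 10            # Minimal Aging Timeout, default 10 s
    max_aging: int = 600           # Maximal Aging Timeout, default 600 s
    max_entries_same_src: int = 0  # 0 = the device does not implement the feature
    state: dict = field(default_factory=dict)  # src_ip -> (count, last duration)

    def __post_init__(self):
        if not 0 < self.min_aging <= self.max_aging:
            raise ValueError("need 0 < min_aging <= max_aging")
        if not 0 <= self.max_entries_same_src <= 10:
            raise ValueError("max_entries_same_src must be 0 or 1-10")

    def suspend(self, src_ip, requested=0):
        """Register one more suspension of src_ip.

        requested: initial duration asked for by a protection (hypothetical
        parameter); the initial period cannot be lower than min_aging.
        Returns (duration_seconds, all_traffic_from_source_suspended).
        """
        count, last = self.state.get(src_ip, (0, 0))
        count += 1
        if count == 1:
            duration = max(requested, self.min_aging)
        else:
            duration = last * 2  # each repeat doubles the previous length
        # Once the maximum is reached, the length stays constant.
        duration = min(duration, self.max_aging)
        self.state[src_ip] = (count, duration)
        # Interpretation: widen to the whole source IP once the source has
        # been suspended more than max_entries_same_src times.
        widen = 0 < self.max_entries_same_src < count
        return duration, widen


def schedule(model, src_ip, offences):
    """Return the (duration, widened) result of each consecutive suspension."""
    return [model.suspend(src_ip) for _ in range(offences)]


if __name__ == "__main__":
    # Defaults from Table 24, with the example value 4 for the entry limit.
    model = SuspendModel(max_entries_same_src=4)
    for n, (seconds, widened) in enumerate(schedule(model, "198.51.100.7", 8), 1):
        scope = "all traffic from source" if widened else "per Suspend Action"
        print(f"suspension {n}: {seconds:>3} s, scope: {scope}")
```

With the default timeouts, a repeat offender reaches the 600-second ceiling on the seventh suspension, so the ceiling rather than the doubling determines how long a persistent source stays blocked.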

Configuring AppDirector Threshold Warning Levels


To optimize AppDirector configuration and resource thresholds, AppDirector can indicate and alert
usage of various tables and other parameters. AppDirector continuously monitors this usage and can
notify you when usage thresholds are exceeded.

To configure threshold warning levels


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Threshold
Warning Levels.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 25: Threshold Warning Parameters

| Parameter | Description |
| --- | --- |
| Send Threshold Warnings | Enables the threshold warning traps mechanism. Default: Enabled |
| Minimum Time Between Warnings | Minimum time, in seconds, between consecutive warnings AppDirector sends about the same resource. Default: 60. Note: 0 specifies that traps are sent continuously. |
| Client Table | The percentage of Client Table use above which a warning is issued. Statistics are kept as follows: current number of entries; average value for last 5 seconds; average value for the last 60 seconds. Default: 85 |
| L3 Client Table | The percentage of L3 Client Table use above which a warning is issued. Default: 85 |
| Application Servers Connection Limit Threshold | The percentage of L3 Client Table use above which a warning is issued. Default: 85 |
| Physical Servers Connection Limit Threshold | The percentage of Physical Servers Connection Limit use above which a warning is issued. Default: 85 |
| Farms Capacity Threshold | The percentage of farm capacity use above which a warning is issued. Default: 85 |
| Client NAT Threshold | The percentage of Client NAT ports use above which a warning is issued. Default: 85 |
| Outbound NAT Threshold | The percentage of Outbound NAT ports use above which a warning is issued. Default: 85 |
| Session ID Threshold | The percentage of Session ID table use above which a warning is issued. Values: 1-99. Default: 85 |
| Requests Threshold | The percentage of Request table use above which a warning is issued. Default: 85 |
| CPU Utilization Threshold | The percentage of CPU use above which a warning is issued. High CPU usage on the device is caused by many reasons. A device should actively notify its status, if this status is suspected to be a non-valid status. To do this, a trap can be sent if for a period of 30 seconds the average CPU usage in the device is higher than a specified threshold. Another trap can be sent if the device had 30 seconds of CPU usage lower than the specified threshold. You can configure the threshold using CLI, or WBM and SNMP. Default: 95 |
| Throughput Utilization Threshold (This parameter is not available in AppDirector 1.07.) | The percentage of the licensed throughput use above which a warning is issued. Default: 95 |
| SSL CPS Utilization Threshold (This parameter is not available in AppDirector 1.07.12.) | The percentage of licensed SSL CPS use above which a warning is issued. Default: 95 |
| Compression Utilization Threshold (This parameter is not available in AppDirector 1.07.12.) | The percentage of licensed compression use above which a warning is issued. Default: 95 |

Configuring AppDirector Statistics Monitoring


You can configure polling and reporting of statistics. The statistics are sent from the device to the
APSolute Vision server via Statistics Reporting Protocol (SRP), a private Radware protocol.

To configure statistics monitoring


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Statistics
Monitoring.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Note: Since the statistics files are cumulative, you must ensure that you disable the Statistics
Reporting Mode before you create files larger than you desire. Failure to do so can result
in creating files that fill all available memory.

Table 26: Statistics Monitoring Parameters

| Group | Parameter | Description |
| --- | --- | --- |
| Basic Parameters | Statistics Reporting Mode | Enables the creation of statistics files. Select the type of statistics to send: Full: Sends all statistics. Disabled: Disables creation and sending of statistics files. Flow: Sends statistics concerning flow. Health Monitoring: Sends statistics concerning health. Default: Disabled |
| Basic Parameters | Flow Statistics Polling Time | How often, in seconds, to update the statistics file with new flow rate data. The file is cumulative, and new data is added to existing data. Default: 60 seconds |
| Basic Parameters | Health Monitoring Statistics Polling Time | How often, in seconds, to update the statistics file with new health data. The file is cumulative, and new data is added to existing data. Default: 60 seconds |
| Basic Parameters | Acceleration Statistics Interval (This parameter is not available in AppDirector 1.07.12.) | All Application Acceleration measuring and statistics are performed for the defined interval, in seconds. The statistics are updated at the end of every interval. This means that a longer interval will give better average results but will lower the ability to see Security Monitoring values. Default: 5 |
| SRP Configuration | SRP Management Host IP Address | The APSolute Vision server IP address. Statistics Reporting Protocol (SRP) is a private Radware protocol for efficient transmission of statistical data from the device to the APSolute Vision server. |

Configuring AppDirector Static Forwarding Table


Once a regular VLAN is defined, AppDirector performs bridging among interfaces assigned to the
same VLAN. Bridging within a VLAN means that AppDirector learns the MAC addresses of frames
arriving from each physical interface, and maintains a list of MAC addresses per interface.
AppDirector enables you to statically add MAC addresses to the interface list.
When a frame arrives from one interface, AppDirector looks for the frame Destination addresses
within its address list according to the following conditions:

If the Destination address is listed in the same interface as the Source address, AppDirector
discards the frame.

If the Destination address is listed in another interface, AppDirector forwards the frame to the
relevant interface.

If the Destination address is not listed in any interface, AppDirector broadcasts the frame to all
interfaces participating in the VLAN.

You can create and edit static bridge forwarding nodes.

To configure the Static Forwarding table

1. In the Configuration perspective Advanced Parameters tab navigation pane, select Static
Forwarding.
2. To add or modify static forwarding entries, do one of the following:
   - To add a static forwarding entry, click the (Add) button.
   - To edit an entry, double-click the entry in the table.
3. Configure the parameters; and then, click OK.

Table 27: Static Forwarding Parameters

| Parameter | Description |
| --- | --- |
| Destination MAC Address | The static node's MAC address. |
| Receive Port | Port through which frames are received from this entry. |
| Type | Describes how the node entry behaves upon device reset. Values: Permanent: The entry remains after device reset. Delete On Reboot: The entry is deleted by a device reset. |
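
The three forwarding conditions and the two static entry types described in this section can be checked against a small model. The following is an added example, not AppDirector code; the class, the interface names, and the MAC addresses (taken from the documentation range) are hypothetical. It assumes that learning does not replace a static entry, that a reset clears learned addresses, and that a broadcast excludes the interface on which the frame arrived.

```python
PERMANENT = "Permanent"
DELETE_ON_REBOOT = "Delete On Reboot"


class VlanBridge:
    """Per-VLAN address list with learned and static entries."""

    def __init__(self, interfaces):
        self.interfaces = list(interfaces)
        self.learned = {}  # MAC -> interface, learned from source addresses
        self.static = {}   # MAC -> (interface, type), added by the operator

    def add_static(self, mac, interface, entry_type=PERMANENT):
        if interface not in self.interfaces:
            raise ValueError(f"{interface} is not in this VLAN")
        if entry_type not in (PERMANENT, DELETE_ON_REBOOT):
            raise ValueError(f"unknown entry type {entry_type!r}")
        self.static[mac.lower()] = (interface, entry_type)

    def lookup(self, mac):
        """Return the interface listed for mac, or None when it is unknown."""
        mac = mac.lower()
        if mac in self.static:
            return self.static[mac][0]
        return self.learned.get(mac)

    def receive(self, in_if, src, dst):
        """Process one frame and return (action, outgoing_interfaces)."""
        if in_if not in self.interfaces:
            raise ValueError(f"{in_if} is not in this VLAN")
        # Learn the source address per interface.
        # Assumption: a static entry is not replaced by learning.
        if src.lower() not in self.static:
            self.learned[src.lower()] = in_if
        out_if = self.lookup(dst)
        if out_if is None:
            # Destination not listed in any interface: broadcast in the VLAN.
            # Assumption: the arrival interface is excluded.
            return "broadcast", [i for i in self.interfaces if i != in_if]
        if out_if == in_if:
            # Destination listed in the same interface as the source.
            return "discard", []
        # Destination listed in another interface.
        return "forward", [out_if]

    def reset(self):
        """Device reset: only Permanent static entries remain."""
        self.learned.clear()  # assumption: learned addresses do not persist
        self.static = {mac: entry for mac, entry in self.static.items()
                       if entry[1] == PERMANENT}


# Constructed addresses from the documentation MAC range.
HOST_A = "00:00:5e:00:53:0a"
HOST_B = "00:00:5e:00:53:0b"
HOST_C = "00:00:5e:00:53:0c"
STATIC_TEMP = "00:00:5e:00:53:f1"
STATIC_PERM = "00:00:5e:00:53:f2"


def demo():
    bridge = VlanBridge(["port1", "port2", "port3"])
    bridge.add_static(STATIC_TEMP, "port3", DELETE_ON_REBOOT)
    bridge.add_static(STATIC_PERM, "port2", PERMANENT)
    results = [
        bridge.receive("port1", HOST_A, HOST_B),       # HOST_B unknown
        bridge.receive("port2", HOST_B, HOST_A),       # HOST_A learned on port1
        bridge.receive("port1", HOST_C, HOST_A),       # both on port1
        bridge.receive("port1", HOST_A, STATIC_TEMP),  # static entry on port3
    ]
    bridge.reset()
    results.append(bridge.receive("port1", HOST_A, STATIC_TEMP))  # entry deleted
    results.append(bridge.receive("port1", HOST_A, STATIC_PERM))  # entry kept
    return results


if __name__ == "__main__":
    for action, ports in demo():
        print(action, ports)
```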

DefensePro Setup
You can configure the following setup parameters for a selected DefensePro device:

- Configuring DefensePro Global Parameters
- Configuring DefensePro Date and Time Synchronization
- Configuring DefensePro Daylight Saving
- Configuring DefensePro E-mail Settings
- Configuring DefensePro Syslog Settings
- Configuring DefensePro BOOTP
- Configuring DefensePro High Availability
- Configuring Dynamic Protocols for DefensePro
- Configuring IP Fragmentation for DefensePro
- Configuring Security Reporting Settings
- Configuring Out-of-Path Settings for DefensePro
- Configuring DefensePro Session Table Settings
- Configuring DefensePro Suspend Settings
- Configuring DefensePro Advanced Settings
- Configuring Tunneling Inspection

Configuring DefensePro Global Parameters


You can view the following device information:

Basic device parameters

The time and date settings on the device

Device hardware and software versions

To view and configure DefensePro global parameters


1. In the Configuration perspective Setup tab navigation pane, select Global Parameters.
2. Configure location and contact information, if required; and then, click (Submit) to submit
the changes.

Table 28: DefensePro Global Parameters

| Group | Parameter | Description |
| --- | --- | --- |
| Basic Parameters | Device Description | (Read-only) The description configured on the device. |
| Basic Parameters | Device Name | (Read-only) The device name configured in APSolute Vision. |
| Basic Parameters | Location | Enter the device location, if required. |
| Basic Parameters | Contact Information | Enter contact information, if required. |
| Basic Parameters | System Up Time | (Read-only) The length of time that the device has been up since the last device reboot. |
| Date and Time | Device Time | (Read-only) The time setting on the device. |
| Date and Time | Device Date | (Read-only) The date setting on the device. |
| Version Information | Software Version | (Read-only) The version of the product software on the device. |
| Version Information | Hardware Version | (Read-only) The version of device hardware. |

Configuring DefensePro Date and Time Synchronization


DefensePro uses Network Time Protocol (NTP) to synchronize time and date. NTP enables device
synchronization by distributing an accurate clock across the network. At predefined intervals, a
device sends time query messages to the NTP Server. The server sends the date and time to the
device.
Enabling or disabling the NTP capability results in different levels of accuracy.

Note: When NTP is disabled, the time and date must be set manually for the device.


To configure DefensePro date and time synchronization


1. In the Configuration perspective Setup tab navigation pane, select Time Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 29: NTP Parameters

Parameter

Description

Enable NTP

Enables or disables the NTP feature.


Default: Disabled
Note: The NTP Server Address must be configured to enable the NTP
feature.

Server Name

The IP address of the NTP server.

L4 Port

The NTP server port.


Default: 123

Polling Interval

The interval, in seconds, between time query messages sent to the NTP
server.
Default:
64 - For DefensePro 5.11
172,800 - For DefensePro versions other than version 5.11

Time Zone

The time-zone offset from GMT (-12:00 to +12:00 hours).


Default: 00:00

Configuring DefensePro Daylight Saving


DefensePro supports daylight savings time. You can configure the daylight savings time start and
end dates and times. During daylight savings time, the device automatically adds one hour to the
system clock. The device also indicates whether it is on standard time or daylight saving time.

Note: When the system clock is manually configured, the system time is changed only when
daylight saving time starts or ends. When daylight saving time is enabled during the
daylight saving time period, the device does not change the system time.

To configure DefensePro daylight saving


1. In the Configuration perspective Setup tab navigation pane, select Time Settings > DayLight Saving.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 30: Daylight Saving Parameters

Parameter

Description

Enabled

Enables or disables daylight saving time.


Default: Disabled

Begins at

The start date and time for daylight saving time.

Ends at

The end date and time for daylight saving time.

Current Mode

Specifies whether the device is on standard time or daylight saving time.

Configuring DefensePro E-mail Settings


You can configure the device to send information messages via e-mail to device users. This feature
can be used for sending trap information via e-mail. When you configure device users, you can
specify whether an individual user should receive notifications via e-mail and the minimal event
severity reported via SNMP traps and e-mail. The user will receive traps of the configured severity
and higher.
The e-mail configuration applies both for SNMP traps and for SMTP e-mail notifications. SMTP
notifications are enabled globally for the device.

Note: The device optimizes the mailing process by gathering security and system events,
which it sends in a single notification message when the buffer is full, or when a timeout
of 60 seconds expires.

To configure DefensePro e-mail settings


1. In the Configuration perspective Setup tab navigation pane, select Email Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Note: To configure users to receive e-mails about errors, in the User Table, set the e-mail
address and notification severity level for each user. For information about configuring
users, see Configuring Device Users, page 144.

Table 31: DefensePro E-mail Parameters

Parameter

Description
Basic SMTP Parameters

Enable Email Client

Enables the e-mail client. Select to support features that are related
to sending e-mail messages.
Default: Disabled

Enable Sending Email upon Errors

Enables sending notifications via e-mail.
Default: Disabled

SMTP Server Parameters

Primary Server Address

IP address of the SMTP Server.

Alternate Server Address

An IP address of an alternative SMTP Server. The alternate SMTP
server is used when an SMTP connection cannot be established
successfully with the main SMTP server, or when the main SMTP server
has closed the connection. The device tries to establish a connection to the
main SMTP server, and starts re-using it when available.

SMTP Client Parameters


Email Address

Mail address that will appear in the Sender field of e-mail messages
generated by the device, for example device1@domain.com.

Configuring DefensePro Syslog Settings


In DefensePro 6.00 and later, event traps can be mirrored to up to five syslog servers. For each
DefensePro device, you can configure the appropriate information. Any traps generated by the
device will be mirrored to the specified syslog servers.
In DefensePro versions prior to 6.00, event traps can be mirrored to one syslog server. For each
DefensePro device, you can configure the appropriate information. Any traps generated by the
device will be mirrored to the specified syslog server.
You can also use additional notification settings, such as Facility and Severity. Facility specifies the
type of device of the sender. Severity specifies the importance or impact of the reported event. The
user-defined Facility value is used when the device sends syslog messages; the Severity value is
determined dynamically by the device for each message that is sent.

Note: Instead of configuring each individual device, Radware recommends configuring the
APSolute Vision server to convey the syslog messages from all devices. For more
information about configuring syslog reporting on the APSolute Vision server, see the
APSolute Vision Administrator Guide.

To configure syslog in DefensePro 6.00 and later


1. In the Configuration perspective Setup tab, select Syslog.
2. Do one of the following:

To enable the syslog feature, select the Enable Syslog checkbox.

To disable the syslog feature, clear the Enable Syslog checkbox.

Default: Enabled
3. Do one of the following:

To add an entry, click the (Add) button.

To modify an entry, double-click the entry in the table.

4. Configure the parameters; and then, click (Submit) to submit the changes.

Table 32: Syslog Parameters for DefensePro 6.00 and Later

Parameter

Description

Enable Syslog Server

Specifies whether the syslog server is enabled.


Default: Enabled

Server Address

The IP address or hostname of the device running the syslog service (syslogd).

Source Port

The syslog source port.


Default: 514
Note: Port 0 specifies a random port.

Destination Port

The syslog destination port.


Default: 514

Facility

The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages
Clock Daemon
Clock Daemon2
FTP Daemon
Kernel Messages
Line Printer Subsystem
Local 0
Local 1
Local 2
Local 3
Local 4
Local 5
Local 6
Local 7
Log Alert
Log Audit
Mail System
Network News Subsystem
NTP Daemon
Syslogd Messages
System Daemons
User Level Messages
UUCP
Default: Local Use 6

Protocol
(This parameter is available only in DefensePro version 6.02 and later.)

The protocol that the device uses to send syslog messages.
Values:
UDP - The device sends syslog messages using UDP. That is, the
device sends syslog messages with no verification of message
delivery.
TCP - The device sends syslog messages using TCP. That is, the device
verifies the message delivery. The device holds undelivered messages
in a backlog. As soon as the connection to the syslog server is
re-established, the device sends them. If the backlog is full (100
messages, non-configurable), the device replaces lower-priority
messages with higher-priority messages (FIFO).
TLS - The device sends syslog messages using TCP with Transport
Layer Security (TLS) and uses the CA certificate specified in the CA
Certificate Name field. That is, the device verifies message delivery.
The device holds undelivered messages in a backlog. As soon as the
connection to the syslog server is re-established, the device sends
them. If the backlog is full (100 messages, non-configurable), the
device replaces lower-priority messages with higher-priority messages
(FIFO).
Default: UDP
Note: Report notification of lost syslog messages to your network
administrator.

CA Certificate Name
(This parameter is available only in DefensePro version 6.02 and later.)

The name of the CA certificate in the Certificate Table that the device uses
to send syslog messages when TLS is selected in the Protocol field.
To configure a new CA certificate, from the drop-down list, select New.
To view the existing certificates, click the icon. And then, to edit a certificate
in the dialog box, double-click on it.
For information on configuring certificates, see Managing Certificates,
page 131.

To configure syslog for DefensePro versions prior to 6.00


1. In the Configuration perspective Setup tab navigation pane, select Syslog.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 33: Syslog Parameters for DefensePro Versions Prior to 6.00

Parameter

Description

Enable Syslog

Enables or disables syslog reporting.

Server Address

IP address of the device running the syslog service (syslogd).


Facility

The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages
Clock Daemon
Clock Daemon2
FTP Daemon
Kernel Messages
Line Printer Subsystem
Local 0
Local 1
Local 2
Local 3
Local 4
Local 5
Local 6
Local 7
Log Alerts
Log Audit
Mail System
Network New Subsystem
NTP Daemon
Security messages
Syslogd Messages
System Daemons
User Level Messages
UUCP
Default: Local Use 6


L4 Source Port

The syslog source port.


Default: 514

L4 Destination Port

The syslog destination port.


Default: 514
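
The Facility value travels in the priority (PRI) field at the start of every syslog message, together with the Severity that the device sets per message. The following collector-side sketch is an added example, not Radware code: it decodes PRI and applies a rule that splits messages by facility. The facility codes are the RFC 5424 values, their pairing with the GUI names above is an assumption, and the sample lines are constructed.

```python
import re

# Facility codes per RFC 5424, keyed by the names in the Facility value lists
# above. Pairing the GUI names with these codes is this example's assumption.
FACILITY_CODES = {
    "Kernel Messages": 0, "User Level Messages": 1, "Mail System": 2,
    "System Daemons": 3, "Authorization Messages": 4, "Syslogd Messages": 5,
    "Line Printer Subsystem": 6, "Network News Subsystem": 7, "UUCP": 8,
    "Clock Daemon": 9, "Security messages": 10, "FTP Daemon": 11,
    "NTP Daemon": 12, "Log Audit": 13, "Log Alert": 14, "Clock Daemon2": 15,
    **{f"Local {n}": 16 + n for n in range(8)},
}
SEVERITIES = ("emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug")
PRI_RE = re.compile(r"^<(\d{1,3})>")


def parse_pri(line):
    """Split '<PRI>rest' into (facility_code, severity_name, rest)."""
    match = PRI_RE.match(line)
    if not match or int(match.group(1)) > 191:  # 23 * 8 + 7 is the largest PRI
        raise ValueError("missing or out-of-range PRI")
    facility, severity = divmod(int(match.group(1)), 8)
    return facility, SEVERITIES[severity], line[match.end():]


def split_by_facility(lines, device_facility="Local 6", min_severity="warning"):
    """Route lines into device alerts, other device messages, other senders, malformed."""
    wanted = FACILITY_CODES[device_facility]
    cutoff = SEVERITIES.index(min_severity)
    routed = {"device_alerts": [], "device_other": [],
              "other_senders": [], "malformed": []}
    for line in lines:
        try:
            facility, severity, rest = parse_pri(line)
        except ValueError:
            routed["malformed"].append(line)
            continue
        if facility != wanted:
            routed["other_senders"].append(rest)
        elif SEVERITIES.index(severity) <= cutoff:  # lower index = more severe
            routed["device_alerts"].append((severity, rest))
        else:
            routed["device_other"].append((severity, rest))
    return routed


# Constructed sample lines; the message text is invented, not DefensePro output.
SAMPLE = [
    "<180>constructed: policy event A",       # 22*8+4: Local 6, warning
    "<182>constructed: configuration saved",  # 22*8+6: Local 6, informational
    "<178>constructed: policy event B",       # 22*8+2: Local 6, critical
    "<38>constructed: login accepted",        # 4*8+6: Authorization, informational
    "<999>constructed: bad priority",         # PRI above 191
    "constructed: no priority at all",        # PRI missing
]

if __name__ == "__main__":
    for bucket, items in split_by_facility(SAMPLE).items():
        print(bucket, items)
```

Lines that land in the malformed bucket are worth alerting on, because a sender configured with the documented facility should never produce them.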

Configuring DefensePro BOOTP


BOOTP is a protocol that is used to obtain the client IP address from the BOOTP server.

To configure BOOTP settings


1. In the Configuration perspective Setup tab navigation pane, select BootP.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 34: BOOTP Parameters for DefensePro

Parameter

Description

Server Address

The IP address of the BootP server. The device forwards BootP requests to
the BootP server and acts as a BootP relay.

Relay Threshold

The time, in seconds, that the device waits before relaying requests to the
BootP server. This delay allows local BootP servers to answer first.


Configuring DefensePro High Availability


This feature is available in DefensePro 5.10 and later.
This section contains the following topics:

High-Availability in DefensePro - Overview, page 101

Monitoring DefensePro Cluster in the System Tab, page 103

Configuring the Settings for a DefensePro High-Availability Cluster, page 104

Switching the Device States, page 106

High-Availability in DefensePro - Overview
To support high availability (HA), you can configure two compatible DefensePro devices to operate in
a two-node cluster.
To be compatible, both cluster members must be of the same platform, software version, software
license, throughput license, and Radware signature file.
One member of the cluster is the primary; the other member of the cluster is the secondary.
A receiver in a DefensePro Security Group cannot be a secondary device in a cluster.
When you configure a cluster and submit the configuration, the newly designated primary device
configures the required parameters on the designated secondary device.
You can configure a DefensePro high-availability cluster in the following ways:

To configure the primary device of the cluster, the failover parameters, and the advanced
parameters, you can use the High Availability pane (Configuration perspective, Setup >
High Availability). When you specify the primary device, you specify the peer device, which
becomes the secondary member of the cluster.

To configure only the basic parameters of a cluster (Cluster Name, Primary Device, and
Associated Management Ports), you can use the Configuration perspective system pane.

The members of a cluster work in an active-passive architecture.


When a cluster is created:

The primary device becomes the active member.

The secondary device becomes the passive member.

The primary device transfers the relevant configuration objects to the secondary device.

A secondary device maintains its own configuration for the device users, IP interfaces, routing, and
the port-pair Failure Mode.
A primary device immediately transfers each relevant change to its secondary device. For example,
after you make a change to a Network Protection policy, the primary device immediately transfers
the change to the secondary device. However, if you change the list of device users on the primary
device, the primary device transfers nothing (because the secondary device maintains its own list of
device users).
The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.
The following situations trigger the active device and the passive device to switch states (active to
passive and passive to active):

The passive device does not detect the active device according to the specified Heartbeat
Timeout.

All links are identified as down on the active device according to the specified Link Down
Timeout.

Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the
specified Idle Line Timeout.

You issue the Switch Over command. (To switch the device states, in the Monitoring perspective
system pane, right-click the cluster node; and then select Switch Over.)

You cannot perform many actions on a secondary device.
You can perform only the following actions on a secondary device:

Switch the device state (that is, switch over active to passive and passive to active)

Break the cluster if the primary device is unavailable

Configure management IP addresses and routing

Configure the port-pair Failure Mode.

Manage device users

Download a device configuration

Upload a signature file

Download the device log file

Download the support log file

Reboot

Shut down

Change the device name

Change the device time

Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management.

Notes:
>> Before you can configure a cluster, the devices must be locked.
>> By design, an active device does not fail over during a user-initiated reboot. Before
you reboot an active device, you can manually switch to the other device in the cluster.
>> You can initiate a baseline synchronization if a cluster member is passive, using CLI or
Web Based Management.
>> When you upgrade the device software, you need to break the cluster (that is, ungroup
the two devices). Then, you can upgrade the software and reconfigure the cluster as you
require.
>> In an existing cluster, you cannot change the role of a device (primary to secondary or
vice versa). To change the role of a device, you need to break the cluster (that is,
ungroup the two devices), and then, reconfigure the cluster as you require.
>> If the devices of a cluster belong to different sites, APSolute Vision creates the cluster
node under the site where the primary device resides; and APSolute Vision removes the
secondary device from the site where it was configured.
>> APSolute Vision issues an alert if the state of the device clusters is ambiguous. For
example, if there has been no trigger for switchover and both cluster members detect
traffic. This state is normal during the initial synchronization process.
>> There is no failback mechanism. There is only the automatic switchover action and the
manual Switch Over command.
>> When a passive device becomes active, any grace time resets to 0 (for example, the
time of the Graceful Startup Mode Startup Timer).
>> You can monitor high-availability operation in the High Availability pane of the
Monitoring perspective.
>> The Properties pane displays the high-availability information of the selected device.


Monitoring DefensePro Cluster in the System Tab


In the system pane, APSolute Vision identifies the high-availability cluster elements, roles, modes,
and states using various combinations of icons and icon elements.

Note: You can monitor high-availability operation in the High Availability pane of the
Monitoring perspective.
The following table describes the icons that APSolute Vision displays in the system pane for
DefensePro high-availability clusters.

Table 35: Icons in the System Pane for DefensePro High-Availability Clusters

Icon

Description
Cluster
Primary device
Secondary device

The following table describes the icon elements that APSolute Vision displays in the system pane for
DefensePro high-availability clusters.

Table 36: Icon Elements in the System Pane for DefensePro High-Availability Clusters

Icon Element

Description
Active device
Synchronizing
Unavailable

The following table describes some icons that APSolute Vision can display in the system pane for
DefensePro high-availability clusters.

Table 37: Icons in the System Pane for DefensePro High-Availability Clusters - Examples

Icon

Description
The cluster is operating nominally.
The cluster is synchronizing its members.
The cluster is unavailable.
The primary device is active, unlocked, and operating nominally.
The primary device is passive, unlocked, and operating nominally.
The secondary device is passive, unlocked, and operating nominally.

The secondary device is active, unlocked, and operating nominally.
The secondary device is unlocked and unavailable.

Configuring the Settings for a DefensePro High-Availability Cluster


You can use the High Availability pane in the Configuration perspective to specify the primary device
of the cluster, and configure the failover parameters and advanced parameters.
When you specify the primary device, you specify the peer device, which becomes the secondary
member of the cluster.

To configure the settings for a high-availability cluster


1. In the Configuration perspective Setup tab navigation pane, select High Availability.
2. Configure the parameters; and then, click (Submit) to submit the changes. APSolute Vision
names the cluster Cluster_<IP address of primary device>.

Note: To rename the cluster, in the Configuration perspective system pane, right-click the
cluster node, and select Rename <Cluster Name>. Rename the cluster (up to
32 characters); and then, click outside the cluster node.

Table 38: High Availability Parameters for DefensePro

Parameter

Description
Cluster Definition

Cluster Member

Specifies whether the device is a member of a two-node cluster for high
availability. If you clear the Cluster Member checkbox in the configuration
(of the primary or secondary member), APSolute Vision breaks the cluster
(after you submit the changes).
Note: You can clear the Cluster Member checkbox in the configuration
of the secondary only when the primary member is unavailable.

Peer Device

The name of the other device in the cluster. The drop-down list contains
the names of all the DefensePro devices that are not part of a cluster.
When the device is a member of an existing high-availability cluster, the
drop-down list is unavailable.

Associated
Management Ports

Specifies the management (MNG) port or ports through which the primary
and secondary devices communicate.
Values: MNG1, MNG2, MNG1+2
Note: You cannot change the value if the currently specified
management port is being used by the cluster. For example, if the
cluster is configured with MNG1+2, and MNG1 is in use, you
cannot change the value to MNG2.

Failover

Heartbeat Timeout

The time, in seconds, that the passive device detects no heartbeat from the
active device before the passive device becomes active.
Values: 1–10
Default: 5

Link Down Timeout

The time, in seconds, after all links to the active device are identified as
being down before the devices switch states.
Values: 1–65,535
Default: 1
Note: If a dead link or idle line is detected on both cluster members,
there is no switchover.

Use Idle Line Detection

Specifies whether the devices switch states due to an idle line detected on
the active device.
Default: Disabled
Note: If an idle line is detected on both cluster members, there is no
switchover.

Idle Line Threshold

The minimum bandwidth, in Kbit/s, that triggers a switchover when the
Use Idle Line Detection option is enabled.
Values:
512–4,294,967,296 - In version 6.02 and later
512–65,535 - In versions prior to 6.02
Default: 512
Note: If the Use Idle Line Detection checkbox is cleared, this
parameter is ignored.

Idle Line Timeout

The time, in seconds, with line bandwidth below the Idle Line Threshold
that triggers a switchover when the Use Idle Line Detection option is
enabled.
Values: 3–65,535
Default: 10
Note: If the Use Idle Line Detection checkbox is cleared, this
parameter is ignored.

Advanced Configuration

Baseline Sync. Interval

The interval, in seconds, that the active device synchronizes the BDoS and
HTTP Mitigator baselines.
Values: 3600–86400
Default: 3600
Note: The active device synchronizes the baselines also when the
cluster is created.

Switchover Sustain Timeout

The time, in seconds, after a manual switchover that the cluster members
will not change states.
Values: 30–3600
Default: 180
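
The switchover triggers listed in the overview and the Failover parameters in Table 38 can be checked together before a cluster change. The following model is an added example, not Radware code: it validates a planned configuration against the documented ranges and evaluates the documented triggers for one snapshot. The Observation fields, the "at or above the timeout" comparison, the per-condition reading of the "both cluster members" notes, and treating the Switchover Sustain Timeout as suppressing every automatic trigger are assumptions of this example.

```python
"""Model of the documented DefensePro HA switchover triggers (added example)."""
from dataclasses import dataclass

# (min, max) ranges copied from Table 38; the Idle Line Threshold range is the
# one given for version 6.02 and later.
RANGES = {
    "heartbeat_timeout": (1, 10),
    "link_down_timeout": (1, 65_535),
    "idle_line_threshold": (512, 4_294_967_296),
    "idle_line_timeout": (3, 65_535),
    "switchover_sustain_timeout": (30, 3600),
}


@dataclass
class HASettings:
    """Failover and advanced parameters, initialised to the documented defaults."""
    heartbeat_timeout: int = 5            # seconds
    link_down_timeout: int = 1            # seconds
    use_idle_line_detection: bool = False
    idle_line_threshold: int = 512        # Kbit/s
    idle_line_timeout: int = 10           # seconds
    switchover_sustain_timeout: int = 180  # seconds

    def errors(self):
        """Return the names of parameters outside the documented range."""
        return [name for name, (low, high) in RANGES.items()
                if not low <= getattr(self, name) <= high]


@dataclass
class Observation:
    """Hypothetical snapshot of one cluster member (assumption of this example)."""
    links_down_for: float = 0.0    # seconds that ALL links have been down
    traffic_kbps: float = 10_000.0
    low_traffic_for: float = 0.0   # seconds that traffic has stayed at this level


def switchover_reason(cfg, active, passive, heartbeat_silence=0.0,
                      since_manual_switch=None):
    """Return the automatic trigger that would switch the states, or None."""
    if cfg.errors():
        raise ValueError("out of range: " + ", ".join(cfg.errors()))

    # Assumption: inside the sustain window nothing changes the states.
    if (since_manual_switch is not None
            and since_manual_switch < cfg.switchover_sustain_timeout):
        return None

    # The passive device has not detected the active device for the timeout.
    if heartbeat_silence >= cfg.heartbeat_timeout:
        return "heartbeat timeout"

    def links_dead(member):
        return member.links_down_for >= cfg.link_down_timeout

    def idle(member):
        return (member.traffic_kbps < cfg.idle_line_threshold
                and member.low_traffic_for >= cfg.idle_line_timeout)

    # A condition seen on both cluster members causes no switchover.
    if links_dead(active) and not links_dead(passive):
        return "link down"
    if cfg.use_idle_line_detection and idle(active) and not idle(passive):
        return "idle line"
    return None


if __name__ == "__main__":
    planned = HASettings(use_idle_line_detection=True)
    quiet = Observation(traffic_kbps=100, low_traffic_for=15)
    print(switchover_reason(planned, quiet, Observation()))
```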


Switching the Device States

To switch the device states


1. In the Monitoring perspective system pane, right-click the cluster node.
2. Select Switch Over.

Configuring Dynamic Protocols for DefensePro


Dynamic protocols use control or signaling channels that handle data, voice, and audio streaming
channels. For example, FTP has a control session and a data session; SIP has signaling sessions, data
sessions (RTP), and control sessions (RTCP).
Some dynamic sessions are in the Session Table longer than regular sessions. With VoIP, SIP, and
H.225, there are times with no traffic; however, the call is still active and the session does not age.
You can configure different aging times for various dynamic protocols, and different policies for
different connections of the same session. In FTP, for example, you can set one policy for FTP data
and another policy for FTP control.
Before you configure dynamic protocols, ensure that the Session table Lookup Mode is Full L4 (which
is the default). To change settings, see Configuring DefensePro Session Table Settings, page 112.

To configure dynamic protocols


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Dynamic
Protocols.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 39: Dynamic Protocol Parameters

Parameter

Description
FTP

Enable FTP

Enables/disables FTP Dynamic Protocol.


Default: Enabled

Control Session Aging Time

Specifies the Control Session Aging Time, in seconds.


Default: 0

Data Session Aging Time

Specifies the Data Session Aging Time, in seconds.


Default: 0

TFTP
Enable TFTP

Enables/disables TFTP Dynamic Protocol.


Default: Enabled

Data Session Aging Time

Specifies the Data Session Aging Time, in seconds.


Default: 0

Rshell

Enable Rshell

Enables/disables Rshell Dynamic Protocol.


Default: Enabled

Control Session Aging Time

Specifies the Control Session Aging Time, in seconds.


Default: 0

Data Session Aging Time

Enter a value for Data Session Aging Time, in seconds.

Rexec
Enable Rexec

Enables/disables Rexec Dynamic Protocol.


Default: Enabled

Control Session Aging Time

Specifies the Control Session Aging Time, in seconds.


Default: 0

Data Session Aging Time

Specifies the Data Session Aging Time, in seconds.

H.225
Enable H.225

Enables/disables H.225 Dynamic Protocol.


Default: Enabled

Control Session Aging Time

Specifies the Control Session Aging Time, in seconds.


Default: 0

H.245 Data Session Aging Time

Specifies the Data Session Aging Time, in seconds.


Default: 0

SIP
Enable SIP

Enables/disables SIP Dynamic Protocol.


Session Initiation Protocol (SIP) is an IETF standard for initiating an
interactive user session involving multimedia elements such as video,
voice, chat, gaming, and so on. SIP can establish, modify, or
terminate multimedia sessions or Internet telephony calls.
When a policy for SIP is configured to block traffic from one direction,
it is not possible to open a SIP connection from another direction (SIP
uses the same port number for both source and destination).
Default: Disabled

Signaling Session Aging Time

Specifies the Signaling Session Aging Time, in seconds.


When the clients communicate directly with each other, or work with
non-standard SIP ports, increase the aging time of the Signaling
Session Aging Time parameter.
Default: 20

RTCP Session Aging Time

Specifies the RTCP Session Aging Time, in seconds.


Default: 0

TCP Segments Aging Time

Specifies the SIP TCP Segments Aging Time, in seconds.


Default: 5


Configuring IP Fragmentation for DefensePro


This section is relevant only for DefensePro versions prior to 5.12.

Note: In DefensePro 5.12 and later, you configure the IP Fragmentation parameters in the
Basic Parameters pane under the Configuration perspective Networking tab.
When the length of the IP packet is too long to be transmitted, the originator of the packet, or one of
the routers transmitting the packet, must fragment the packet to multiple shorter packets.
Using IP fragmentation, the managed device can classify the Layer 4 information of IP fragments.
The device identifies all the fragments that belong to the same datagram, then classifies and forwards
them accordingly. The device does not reassemble the original IP packet, but forwards the
fragmented datagrams to their destination, even if the datagrams arrive at the device out of order.

To configure IP fragmentation in DefensePro versions prior to 5.12


1. In the Configuration perspective Advanced Parameters tab navigation pane, select IP
Fragmentation.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 40: IP Fragmentation Parameters

Parameter

Description

Enable IP Fragmentation

When selected, enables IP fragmentation.
Default: Enabled

Queuing Limit

The percentage of IP packets the device allocates for out-of-sequence fragmented IP datagrams.
Values: 0–100
Default: 25

Aging Time

The time, in seconds, that the device keeps the fragmented
datagrams in the queue.
Values: 1–255
Default: 1

Configuring Security Reporting Settings


This feature is available only in AppDirector version 2.30 and later and DefensePro.
To support historical and real-time security-monitoring capabilities and provide in-depth attack
information for each attack event, the managed device establishes a data-reporting protocol
between the device and APSolute Vision. This protocol, called Statistical Real-time Protocol (SRP),
uses UDP packets to send attack information.
In addition, DefensePro can provide the APSolute Vision server sampled captured packets that were
identified by the DefensePro as part of the specific attack. DefensePro sends these packets to the
defined IP address, encapsulated in UDP packets.
You can enable the reporting channels used by managed devices to receive information about
attacks, and to report detected attacks based on their various risk levels.

You can also configure DefensePro devices to send captured attack packets along with the attack
event for further offline analysis. Packet reporting and SRP use the same default port, 2088.

To configure security reporting channels


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Security
Reporting Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 41: Security Reporting Parameters

Parameter

Description
Basic Parameters

Report Interval

The frequency, in seconds, at which the reports are sent through the
reporting channels.
Values: 1–65,535
Default: 5

Maximal Number of Alerts per Report

The maximum number of attack events that can appear in
each report (sent within the reporting interval).
Values: 1–2000
Default: 1000

Report per Attack Aggregation Threshold

The number of events for a specific attack during a reporting
interval, before the events are aggregated to a report. When
the number of the generated events exceeds the Aggregation
Threshold value, the IP address value for the event is
displayed as 0.0.0.0, which specifies any IP address.
Values: 1–65,535
Default: 5

L4 Port for Reporting

The port used for packet reporting using SRP.
Values: 1–65,535
Default: 2088

Enable Sending Traps

When selected, the device uses the traps reporting channel.


Default: Enabled

Minimal Risk Level for Sending Traps

The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low

Enable Sending Syslog

When selected, the device uses the syslog reporting channel.


Default: Disabled

Minimal Risk Level for Sending Syslog

The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low

Enable Sending Terminal Echo

When selected, the device uses the Terminal Echo reporting channel.
Default: Disabled


Minimal Risk Level for Sending Terminal Echo

The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low

Enable Sending Email

When selected, the device uses the e-mail reporting channel.


Default: Disabled

Minimal Risk Level for Sending


Email

The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low

Enable Security Logging

When selected, the device uses the security logging reporting


channel.
Default: Low

Packet Reporting and Packet Trace


This group box and the parameters in it are available only in DefensePro 5.11 and later.
Enable Packet Reporting

Specifies whether the DefensePro device sends sampled


attack packets along with the attack event.
Default: Enabled

Maximum Packets per Report

The maximum number of packets that the device can send


within the Report Interval.
Values: 165,535
Default: 100

Destination IP Address

The destination IP address for the packet reports.


Default: 0.0.0.0
Note: Only one destination IP address can be configured
for packet reporting, even when more than one
APSolute Vision server manages the device.

Enable Packet Trace on Physical Port Specifies whether the feature is disabled or enables the
feature and specifies the physical port to which the
DefensePro device sends identified attack traffic (when the
Packet Trace feature is enabled in the policy rule or profile).
Values:
noneThe Packet Trace feature is disabled.
The physical, inspection ports (that is, excluding the
management ports)
Default: none
Caution: A change to this parameter takes effect only
after you update policies.
Note: DefensePro x06 models support the Packet Trace
functionality only for dropped traffic.
Maximum Rate

The maximum number of packets per second that the Packet


Trace feature sends.
Values: 1200,000
Default: 50,000
Caution: A change to this parameter takes effect only
after you update policies.


Maximum Length of Dropped Packets

The maximum length, in bytes, of dropped packets that the Packet Trace feature sends. DefensePro can limit the size of Packet Trace sent packets only for dropped packets. That is, when a rule is configured with Report Only (as opposed to Block), the Packet Trace feature sends the whole packets.
Values: 64–1550
Default: 1550
Tip: If you are interested only in the packet headers of the dropped packets, to conserve resources, change the value to the minimum, 64.
Caution: A change to this parameter takes effect only after you update policies.

Packet Reporting

This group box and the parameters in it are available only in DefensePro versions prior to 5.11.

Enable Packet Reporting

When selected, DefensePro sends sampled attack packets along with the attack event.

Maximal Number of Packets per Report

The maximum number of packets that the device can send within the Report Interval.

Destination Address

By default, this is the destination IP address of the management station.

netForensics Reporting

Enable netForensics Reporting

When selected, enables reporting using the netForensics reporting agent.
Default: Disabled

Agent IP Address

The IP address of the netForensics agent.

L4 Port

The port used for netForensics reporting.
Values: 1–65,535
Default: 555

Data Reporting Destinations

Destination IP Address

The target addresses for data reporting.
The table can contain up to 10 addresses. By default, when there is room in the table, addresses are added automatically when you add a DefensePro device to the tree in the system pane.
To add an address, click the (Add) button. Enter the destination IP address; and then, click OK.


Configuring Out-of-Path Settings for DefensePro


When you install DefensePro outside the critical path of the traffic, you can configure the Out-of-Path Mode to mitigate DoS attacks using the capabilities of the router's access list. When the device operates in the Out-of-Path mode, the traffic is copied to the device and verified separately from the main traffic route. When an attack is identified, Behavioral DoS translates the footprint into a router Access List (ACL) command and configures the router accordingly.

Note: The feature works on Cisco routers that have the capability to mirror an interface and
accept ACL commands to reroute traffic. This feature was tested on Cisco 6509
IOS 12.2.

To configure out-of-path settings


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Out of Path.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 42: Out of Path Parameters

Parameter

Description

Enable Out of Path Mode

You must enable this option and reboot the device before you can configure out-of-path settings.
When Out of Path is enabled, the only available protection is BDoS.

Router IP Address

The IP address of the organization router that manages all the incoming
traffic.

Router's Enable Password

Administrator's password for the router.

Verify Password

Verification of password for the router.

SSH User Name

The name of the SSH user.

SSH Password

The password of the SSH user.

Verify SSH Password

Verification of password for the SSH user.

Router Interface for Receiving Traffic

The router interface that is monitored and from which traffic will be redirected.

Configuring DefensePro Session Table Settings


DefensePro includes a Session table, which tracks sessions bridged and forwarded by the device.

To configure Session table settings


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Session Table Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 43: Session Table Parameters in DefensePro 6.05 and Later

Parameter

Description

Basic Parameters

Enable Session Table

When enabled, the device uses the Session table.
Default: Enabled

Session Aging Parameters

Note: When the Access Control List (ACL) feature is enabled, aging times are determined by the relevant ACL parameters.

Idle TCP-Session Aging Time

The time, in seconds, that the Session table keeps idle TCP sessions.
Values: 1–7200
Default: 100

Idle UDP-Session Aging Time

The time, in seconds, that the Session table keeps idle UDP sessions.
Values: 1–7200
Default: 100

Idle SCTP-Session Aging Time

The time, in seconds, that the Session table keeps idle SCTP sessions.
Values: 1–7200
Default: 100

Idle ICMP-Session Aging Time

The time, in seconds, that the Session table keeps idle ICMP sessions.
Values: 1–7200
Default: 100

Idle GRE-Session Aging Time

The time, in seconds, that the Session table keeps idle GRE sessions.
Values: 1–7200
Default: 100

Idle Other-Protocol-Session Aging Time

The time, in seconds, that the Session table keeps idle sessions of protocols other than TCP, UDP, SCTP, ICMP, or GRE.
Values: 1–7200
Default: 100

Incomplete TCP Handshake Timeout

How long, in seconds, the device waits for the three-way handshake to complete for a new TCP session. When the timeout elapses, the device deletes the session and, if the Send Reset To Server checkbox is selected, sends a reset packet to the server.
Values:
0: The device uses the specified Session Aging Time.
1–10: The TCP Handshake Timeout in seconds.
Default: 10

Advanced Parameters

Remove Session Entry at Session End

Specifies whether the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session within the Remove Session Entry at Session End Timeout period.
Default: Enabled

Remove Session Entry at Session End Timeout
(This option is available only if Remove Session Entry at Session End is enabled.)

When Remove Session Entry at Session End is enabled, the time, in seconds, after which the device removes sessions from the Session Table after receiving a FIN or RST packet if no additional packets are received on the same session.
Values: 1–60
Default: 5

Send Reset to Destination of Aged TCP Connection

Specifies whether the DefensePro device sends a RST packet to the destination of aged TCP sessions.
Values:
Enabled: DefensePro sends a RST packet to the destination and cleans the entry in the DefensePro Session table.
Disabled: DefensePro ages the session normally (using short SYN timeout), but the destination might hold the session for quite some time.
Default: Disabled

Session-Table-Full Action

The action that the device takes when the Session Table is at full capacity.
Values:
Allow new traffic: The device bypasses new sessions until the session table has room for new entries.
Block new traffic: The device blocks new sessions until the session table has room for new entries.
Default: Allow new traffic

Alert-Start Threshold

The percentage of full capacity of the Session Table when the device starts issuing alerts.
Default: 95

Alert-Stop Threshold

The percentage of full capacity of the Session Table when the device stops issuing alerts.
Default: 90


Lookup Mode

The layer of address information that is used to categorize packets in the Session Table.
Values:
Full L4: An entry exists in the Session Table for each source IP, source port, destination IP, and destination port combination of packets passing through the device.
L4 Destination Port: Enables traffic to be recorded based only on the TCP/UDP destination port. This mode uses minimal Session Table resources (only one entry for each port that is secured).
Default: Full L4
Caution: Radware recommends that you always use the Full L4 option. When Session Table Lookup Mode is Layer 4 Destination Port, the following Protections do not work:
ACL
Anti Scanning
Connection Packet Rate Limit
Connection Rate Limit
HTTP Mitigator
HTTP Replies Signatures
Out-of-State protection
Server Cracking
Stateful Inspection
SYN Protection

Disable Session Aging
(This option is available only for L4 Destination Port Lookup Mode.)

When enabled, the device enables aging sessions in the Session table.
Default: Disabled
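
How Incomplete TCP Handshake Timeout, Session-Table-Full Action and the two alert thresholds interact, as an added example: a simplified per-second model written for this page, not Radware code. The function and field names are hypothetical, the capacity and arrival figures are constructed, and treating Alert-Stop as "occupancy at or below the threshold" is an assumption.

```python
"""Per-second model of Session table occupancy (added example)."""
from collections import deque

# Value names taken from the Session-Table-Full Action row.
ALLOW = "Allow new traffic"
BLOCK = "Block new traffic"


def simulate(capacity, arrivals, handshake_timeout=10, idle_tcp_aging=100,
             full_action=ALLOW, alert_start=95, alert_stop=90):
    """Run the model over `arrivals`, a list of new TCP sessions per second.

    Assumption: no arriving session completes the three-way handshake, so
    every entry is deleted when the Incomplete TCP Handshake Timeout elapses.
    A timeout of 0 falls back to the idle TCP aging time, as the table says.
    """
    if full_action not in (ALLOW, BLOCK):
        raise ValueError("unknown Session-Table-Full Action: %r" % full_action)
    if not 0 <= handshake_timeout <= 10:
        raise ValueError("Incomplete TCP Handshake Timeout must be 0 or 1-10")
    if capacity < 1:
        raise ValueError("capacity must be positive")

    lifetime = handshake_timeout if handshake_timeout else idle_tcp_aging
    expiries = deque()  # expiry second of each entry, oldest first
    alerting = False
    result = {"alerts": [], "bypassed": 0, "blocked": 0, "peak_pct": 0.0}

    for now, new_sessions in enumerate(arrivals):
        # Age out entries whose handshake timeout has elapsed.
        while expiries and expiries[0] <= now:
            expiries.popleft()

        # Admit what fits; the rest is handled by the full action.
        admitted = min(capacity - len(expiries), new_sessions)
        expiries.extend([now + lifetime] * admitted)
        overflow = new_sessions - admitted
        if full_action == ALLOW:
            result["bypassed"] += overflow   # forwarded without a table entry
        else:
            result["blocked"] += overflow    # dropped until there is room

        # Alert hysteresis: start at alert_start, stop at alert_stop.
        pct = 100.0 * len(expiries) / capacity
        result["peak_pct"] = max(result["peak_pct"], pct)
        if not alerting and pct >= alert_start:
            alerting = True
            result["alerts"].append((now, "alert-start"))
        elif alerting and pct <= alert_stop:
            alerting = False
            result["alerts"].append((now, "alert-stop"))
    return result


# Constructed input: 15 seconds of 120 incomplete handshakes per second,
# then 15 quiet seconds, against a 1000-entry table.
SAMPLE_ARRIVALS = [120] * 15 + [0] * 15

if __name__ == "__main__":
    for timeout in (10, 5):
        for action in (ALLOW, BLOCK):
            out = simulate(1000, SAMPLE_ARRIVALS, handshake_timeout=timeout,
                           full_action=action)
            print(timeout, action, out)
```

With the default 10-second timeout the sample load fills the table and the full action decides whether the overflow is passed uninspected or dropped; at 5 seconds the same load peaks at 60% and neither threshold is reached.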

Table 44: Session Table Parameters in DefensePro Versions 5.10 through 6.03

Parameter

Description

Enable Session Table

When enabled, the device uses the Session table.
Default: Enabled

Remove Session Entry at Session End

When enabled, the device removes sessions from the Session Table five seconds after receiving a FIN or RST packet if no additional packets are received on the same session within the five seconds. This option is available only for Full Layer 4 Lookup Mode (default mode).
Default: Enabled


Send Reset to Destination When No Data is Received

Specifies whether the DefensePro device sends a RST packet for TCP sessions where the device has seen the three-way handshake (SYN and then ACK from the source) but has not seen subsequent data packets.
Values:
Enabled: DefensePro sends a RST packet to the destination and cleans the entry in the DefensePro Session table.
Disabled: DefensePro ages the session normally (using short SYN timeout), but the destination might hold the session for quite some time.
Default: Disabled

Lookup Mode

The layer of address information that is used to categorize packets in the Session Table.
Values:
Full Layer 4: An entry exists in the Session Table for each source IP, source port, destination IP, and destination port combination of packets passing through the device. This is the default mode for the Session Table. Radware recommends that you always use this option.
L4 Destination Port: Enables traffic to be recorded based only on the TCP/UDP destination port. This mode uses minimal Session Table resources (only one entry for each port that is secured).
Note: When Session Table Lookup Mode is set to Layer 4 Destination Port, the following Protections do not work:
ACL
Anti Scanning
Connection Packet Rate Limit
Connection Rate Limit
HTTP Mitigator
HTTP Replies Signatures
Out-of-State protection
Server Cracking
Stateful Inspection
SYN Protection

Aging Time

The time, in seconds, that the device keeps a non-active session in the Session Table.
Default: 100
Note: When the Access Control List (ACL) feature is enabled, Session table aging is determined by the relevant ACL parameter.

Advanced Parameters

TCP Handshake Timeout

How long, in seconds, the device waits for the three-way handshake to complete for a new TCP session. When the timeout elapses, the device deletes the session and, if the Send Reset To Server checkbox is selected, sends a reset packet to the server.
Values:
0: The device uses the specified Session Aging Time.
1–10: The TCP Handshake Timeout in seconds.
Default: 10

Session Table Full Action

The action that the device takes when the Session Table is at full capacity.
Values:
Allow new traffic: The device bypasses new sessions until the session table has room for new entries.
Block new traffic: The device blocks new sessions until the session table has room for new entries.
Default: Allow new traffic

Alert-Start Threshold

The percentage of full capacity of the Session Table when the device starts issuing alerts.
Default: 95

Alert-Stop Threshold

The percentage of full capacity of the Session Table when the device stops issuing alerts.
Default: 90

Table 45: Session Table Parameters in DefensePro 5.01

Parameter

Description

Enable Session Table

When enabled, the device uses the Session table.
Default: Enabled

Remove Session Entry at Session End

When enabled, the device removes sessions from the Session Table five seconds after receiving a FIN or RST packet if no additional packets are received on the same session within the five seconds. This option is available only for Full Layer 4 Lookup Mode (default mode).
Default: Enabled

Send Reset to Server When No Data is Received

When enabled, the device sends a TCP RST packet to the server if no data is transmitted through the session because it may be a SYN attack.
Default: Disabled


Lookup Mode

The layer of address information that is used to categorize packets in the Session Table.
Values:
Full Layer 4: An entry exists in the Session Table for each source IP, source port, destination IP, and destination port combination of packets passing through the device. This is the default mode for the Session Table. Radware recommends that you always use this option.
L4 Destination Port: Enables traffic to be recorded based only on the TCP/UDP destination port. This mode uses minimal Session Table resources (only one entry for each port that is secured).
Note: When Session Table Lookup Mode is set to Layer 4 Dest Port, the following Protections do not work:
Server Cracking
HTTP Mitigator
Anti Scanning
HTTP Replies Signatures
Stateful Inspection
Out-of-State protection
ACL

Aging Time

The time, in seconds, that the device keeps a non-active session in the Session Table.
Default: 100
Note: When the Access Control List (ACL) feature is enabled, Session table aging is determined by the relevant ACL parameter.

Enable Table Protection

Session Table Protection prevents the Session Table from overflowing.
When enabled, when the Session Table reaches 80% of its capacity, the device acts as follows:
For TCP traffic, the device performs Delayed Binding for every new TCP session. The device adds the entry to the Session Table only after the three-way handshake is completed.
For non-TCP traffic, the device limits the number of new entries in the Session Table, per second. Once the device reaches the Max non-TCP New Sessions limit, any additional sessions (during the same second) are dropped.
Default: Enabled

Advanced Parameters

Session Protection Short Lifetime

The aging time, in seconds, applied to new sessions when Session Protection is triggered. Entries already in the Session Table are aged according to the regular Session Table Aging Time.
Values: 1–10
Default: 5


Maximum Non-TCP New Sessions

The maximum number of new non-TCP sessions per second allowed when Session Protection is triggered.
Values:
1–1,500,000: For OnDemand Switch 2. Radware recommends not to reduce the value to below the default.
1–4,290,000,000: For OnDemand Switch 3. Radware recommends not to reduce the value to below the default.
Default: 100

TCP Handshake Timeout

How long, in seconds, the device waits for the three-way handshake to complete for a new TCP session. When the timeout elapses, the device deletes the session and, if the Send Reset To Server checkbox is selected, sends a reset packet to the server.
Values:
0: The device uses the specified Session Aging Time.
1–10: The TCP Handshake Timeout in seconds.
Default: 10

Configuring DefensePro Suspend Settings


A managed device can suspend traffic from an IP address that was the source of an attack, for a
defined period of time.
Dynamic blocking duration is implemented by the Anti-Scanning and Server Cracking protections
based on the suspend settings that you configure. (Although connection-rate limits and intrusion
signatures can be set manually to suspend the source, they do not support dynamic duration.)
The dynamic blocking duration is usually set by the managed device's Anti-Scanning and Server
Cracking protections:

The initial suspend time period cannot be lower than the Minimal Aging Timeout.

Each additional time the same source is suspended, the suspension length is doubled until it
reaches the Maximal Aging Timeout.

When the suspension length has reached the maximum length allowed, it remains constant for
each additional suspension.

To configure Suspend-table settings


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Suspend Table Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 46: Suspend Table Parameters

Parameter

Description

Minimal Aging Timeout

The time, in seconds, for which the managed device suspends first-time offending source IP addresses.
Default: 10

Maximal Aging Timeout

The maximal time, in seconds, for which the managed device suspends a specific source. Each time the managed device suspends the same source, the suspension length doubles until it reaches the Maximal Aging Timeout.
Default: 600

Maximum Entries with Same Source IP

The number of times the managed device suspends the same source IP address before the managed device suspends all traffic from that source IP address, regardless of the specified Suspend Action. For example, if the value for this parameter is 4 and the specified Suspend Action is SrcIP-DstIP-SrcPort-DstPort, the managed device suspends all traffic from a source IP address that had an entry in the Suspend list more than four times, even if the destination IP address, source port, and destination ports were different for the previous updates to the Suspend table.
This parameter is irrelevant when the specified Suspend Action is SrcIP.
Values:
0: The device does not implement the feature.
1–10
Default: 0
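
The doubling rule and the Maximum Entries with Same Source IP escalation described above, as an added example: a model written for this page, not Radware's implementation. The class, function and field names are hypothetical, the addresses are constructed documentation-range values, and counting offences per source IP address is an assumption drawn from the wording "the same source".

```python
"""Model of the Suspend table timing rules (added example)."""
from dataclasses import dataclass, field


def suspension_length(offence_number, min_timeout=10, max_timeout=600):
    """Seconds for the Nth suspension (1-based) of one source.

    Starts at the Minimal Aging Timeout, doubles on every repeat and is
    held at the Maximal Aging Timeout once that ceiling is reached.
    """
    if offence_number < 1:
        raise ValueError("offence_number starts at 1")
    if min_timeout < 1 or min_timeout > max_timeout:
        raise ValueError("need 1 <= min_timeout <= max_timeout")
    length = min_timeout
    for _ in range(offence_number - 1):
        if length >= max_timeout:
            break
        length *= 2
    return min(length, max_timeout)


@dataclass
class SuspendTable:
    min_timeout: int = 10        # Minimal Aging Timeout (guide default)
    max_timeout: int = 600       # Maximal Aging Timeout (guide default)
    max_same_source: int = 0     # Maximum Entries with Same Source IP; 0 = off
    suspend_action: str = "SrcIP-DstIP-SrcPort-DstPort"
    offences: dict = field(default_factory=dict)  # src_ip -> times suspended

    def suspend(self, src_ip, dst_ip, src_port, dst_port):
        """Record one suspension; return (scope tuple, length in seconds)."""
        if self.suspend_action not in ("SrcIP", "SrcIP-DstIP-SrcPort-DstPort"):
            raise ValueError("Suspend Action not covered by this model")
        count = self.offences.get(src_ip, 0) + 1
        self.offences[src_ip] = count
        length = suspension_length(count, self.min_timeout, self.max_timeout)

        # More than max_same_source entries for one source widens the
        # suspension to all traffic from that source IP address.
        escalate = 0 < self.max_same_source < count
        if self.suspend_action == "SrcIP" or escalate:
            scope = (src_ip,)
        else:
            scope = (src_ip, dst_ip, src_port, dst_port)
        return scope, length


def demo():
    """Five suspensions of one constructed source, each to a new target."""
    table = SuspendTable(max_same_source=4)
    return [
        table.suspend("192.0.2.7", "198.51.100.%d" % n, 40000 + n, 80)
        for n in range(1, 6)
    ]


if __name__ == "__main__":
    print([suspension_length(n) for n in range(1, 9)])
    for scope, seconds in demo():
        print(seconds, scope)
```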

Configuring DefensePro Advanced Settings


The advanced settings comprise the following parameters:

Accept Weak SSL Ciphers (available only in DefensePro 6.02 and later)

Enable Overload Mechanism

SRP Management Host IP Address

The Overload Mechanism (that is, the overload-protection mechanism) identifies and reports overload conditions, and acts to reduce operations with high resource consumption.
The DefensePro device uses the overload-protection mechanism to prevent the following:

SME Overload: When the overload occurs in the string-matching engine (SME), the
accelerator reduces the number of new sessions sent to the SME. The existing sessions continue
to pass through the SME and are inspected. Features that require the SME, including some of
the attack signatures, will not be applied to some of the sessions.

Master Overload: When the overload occurs in the Master CPU, only a percentage of the
traffic is processed by the CPU. Behavioral DoS footprint analysis is done on sampled data,
ensuring the continuation of the feature, but Stateful inspection and SYN protection do not work.

Accelerator Overload: When the overload occurs in the Accelerator CPU, only a percentage of
the traffic is inspected, while the rest passes through using bypass modes. Inspected traffic is
passed to the Master and SME if they are not overloaded.

System Wide Overload: If all offload operations have failed to prevent overloaded conditions,
then a full bypass is implemented. Every device application is bypassed, including Bandwidth
Management, Statistics, Security, and so on.


To configure advanced settings


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Advanced Parameters.
2. Configure the overload mechanism and SRP parameters; and then, click (Submit) to submit the changes.

Table 47: Advanced Settings Parameters

Parameter

Description

Accept Weak SSL Ciphers
(This parameter is available only in DefensePro 6.02 and later.)

Specifies whether the device allows management connections over secure protocols with ciphers shorter than 128 bits.
Default: Enabled

Enable Overload Mechanism

Specifies whether the device uses the overload mechanism, which identifies and reports overload conditions.
Radware recommends that the overload-protection mechanism always be enabled.

SRP Management Host IP Address

The IP address to which the device sends Statistics Reporting Protocol (SRP) data. SRP is a private Radware protocol for efficient transmission of statistical data from the device to the APSolute Vision server.
Enter the APSolute Vision server IP address.
This parameter must be configured to view real-time reports and attack details in APSolute Vision.

Configuring Tunneling Inspection


Carriers, service providers, and large organizations use various tunneling protocols to transmit data
from one location to another. This is done using the IP network so that network elements are
unaware of the data encapsulated in the tunnel.
Tunneling implies that traffic routing is based on source and destination IP addresses. When
tunneling is used, IPS devices and load balancers cannot locate the relevant information because
their decisions are based on information located inside the IP packet in a known offset, and the
original IP packet is encapsulated in the tunnel.
To provide a carrier-grade IPS/DoS solution, DefensePro inspects traffic in tunnels, positioning
DefensePro in peering points and carrier network access points.
You can install DefensePro in different environments, which might include encapsulated traffic using
different tunneling protocols. In general, wireline operators deploy MPLS and L2TP for their
tunneling, and mobile operators deploy GRE and GTP.
DefensePro can inspect traffic that may use various encapsulation protocols. In some cases, the
external header (tunnel data) is the data that DefensePro needs to inspect. In other cases,
DefensePro needs to inspect the internal data (IP header and even the payload). You can configure
DefensePro to meet your specific inspection requirements.

Caution: Changing the configuration of this feature takes effect only after a device reset.


To configure tunneling inspection


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tunneling Inspection.
2. Configure the parameters; and then, click (Submit) to submit the changes.

General Device Setup


You can configure the following setup parameters for a selected AppDirector or DefensePro device:

Configuring Access Protocols, page 122

Configuring SNMP Supported Versions, page 124

Configuring RADIUS Authentication for Device Management, page 124

Configuring the Device Event Scheduler, page 126

Configuring Access Protocols


In addition to managing AppDirector and DefensePro devices using APSolute Vision, you can also
use Web Based Management (WBM) and Command Line Interface (CLI).
You can connect managed devices to the following:

WBM on the device through HTTP and HTTPS

CLI through Telnet and SSH

Web services

To configure access protocols for WBM and CLI


1. In the Configuration perspective Setup tab navigation pane, select Access Protocols.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 48: Access Protocol Parameters

Parameter

Description

Web Access

Enable Web Access

Enables access to the Web server.
Default: disabled

L4 Port

The port to which WBM is assigned.
Default: 80

Web Help URL

The location (path) of the Web help files.

Secured Web Access

Enable Secured Web Access

Enables secured access to the Web server.
Default: disabled


L4 Port

The port through which HTTPS gets requests.
Default: 443

Certificate

The certificate file used by the secure Web server for encryption.

Telnet

Enable Telnet

Enables Telnet access to the device.
Default: disabled

L4 Port

The TCP port used by Telnet.
Default: 23

Session Timeout

The period of time, in minutes, the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates.
Values: 1–120
Default: 5
Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.

Authentication Timeout

The timeout, in seconds, required to complete the authentication process.
Values: 10–60
Default: 30

SSH

Enable SSH

Enables SSH access to the device.
Default: disabled

L4 Port

Source port for the SSH server connection.
Default: 22

Session Timeout

The period of time, in minutes, the device maintains a connection during periods of inactivity. If the session is still inactive when the predefined period ends, the session terminates.
Values: 1–120
Default: 5
Note: To avoid affecting device performance, the timeout is checked every 10 seconds. Therefore, the actual timeout can be up to 10 seconds longer than the configured time.

Authentication Timeout

The timeout, in seconds, required to complete the authentication process.
Values: 10–60
Default: 30

Web Services

This group box is not available in AppDirector 2.30 and later. In AppDirector 2.30 and later, Web services are always enabled.

Enable Web Services

Enables access to Web services.
Default: Enabled
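
A baseline check over the management-access, advanced and Session table settings documented in this chapter, as an added example that is not part of the guide or of any Radware tool. The dictionary layout is an assumption (the guide defines no export format), the sample values are constructed, and the Telnet and HTTP findings rest on those protocols being unencrypted rather than on a statement in the guide.

```python
"""Baseline check over settings named in this guide (added example)."""

# Protections the guide lists as not working when Lookup Mode is
# L4 Destination Port (table for DefensePro 6.05 and later).
NEEDS_FULL_L4 = (
    "ACL", "Anti Scanning", "Connection Packet Rate Limit",
    "Connection Rate Limit", "HTTP Mitigator", "HTTP Replies Signatures",
    "Out-of-State protection", "Server Cracking", "Stateful Inspection",
    "SYN Protection",
)


def is_on(settings, name):
    """True/False for an Enabled/Disabled value, None when the key is absent."""
    value = settings.get(name)
    if value is None:
        return None
    return str(value).strip().lower() == "enabled"


def audit(settings):
    """Return a list of (parameter, reason) findings for one device.

    `settings` maps parameter names, spelled as in the guide's tables, to
    their values. Parameters missing from the mapping are not assessed.
    """
    findings = []
    if is_on(settings, "Enable Telnet"):
        findings.append(("Enable Telnet",
                         "CLI credentials cross the network unencrypted; use SSH"))
    if is_on(settings, "Enable Web Access"):
        findings.append(("Enable Web Access",
                         "WBM over HTTP is unencrypted; use Secured Web Access"))
    if is_on(settings, "Accept Weak SSL Ciphers"):
        findings.append(("Accept Weak SSL Ciphers",
                         "management connections may use ciphers shorter "
                         "than 128 bits"))
    if is_on(settings, "Enable Overload Mechanism") is False:
        findings.append(("Enable Overload Mechanism",
                         "the guide recommends this always be enabled"))
    mode = settings.get("Lookup Mode")
    if mode is not None and mode not in ("Full L4", "Full Layer 4"):
        findings.append(("Lookup Mode",
                         "not Full L4; protections that do not work: "
                         + ", ".join(NEEDS_FULL_L4)))
    if settings.get("Session-Table-Full Action") == "Allow new traffic":
        findings.append(("Session-Table-Full Action",
                         "new sessions bypass the device while the table is full"))
    return findings


# Constructed sample: one device as an operator might have left it.
SAMPLE_SETTINGS = {
    "Enable Telnet": "Enabled",
    "Enable SSH": "Enabled",
    "Enable Web Access": "disabled",
    "Enable Secured Web Access": "Enabled",
    "Accept Weak SSL Ciphers": "Enabled",
    "Enable Overload Mechanism": "Enabled",
    "Lookup Mode": "L4 Destination Port",
    "Session-Table-Full Action": "Block new traffic",
}

if __name__ == "__main__":
    for parameter, reason in audit(SAMPLE_SETTINGS):
        print("%-28s %s" % (parameter, reason))
```

Two of the findings fire on the guide's stated defaults (Accept Weak SSL Ciphers: Enabled; Session-Table-Full Action: Allow new traffic), so a freshly added device is worth checking as well.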


Configuring SNMP Supported Versions


APSolute Vision connects to managed devices using SNMP. For information about SNMP, and
configuring SNMP for the managed devices, see Configuring SNMP, page 136.

To configure SNMP supported versions


1. In the Configuration perspective Setup tab navigation pane, select SNMP Versions.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 49: SNMP Supported Version Parameters

Parameter

Description

Supported SNMP Versions

The currently supported SNMP versions.

Supported SNMP Versions after Reset

The SNMP versions supported by the SNMP agent after resetting the device. Select the SNMP version to support. Clear the versions that are not supported.

Configuring RADIUS Authentication for Device Management


AppDirector and DefensePro provide additional security by authenticating the users who access a
device for management purposes. With RADIUS authentication, you can use RADIUS servers to
determine whether a user is allowed to access device management using CLI, Telnet, SSH or Web
Based Management. You can also select whether to use the device User Table when RADIUS servers
are not available.

Note: The managed devices must have access to the RADIUS server and must allow device
access.

To configure RADIUS authentication for device management in AppDirector 2.30 and later

1. In the Configuration perspective Setup tab navigation pane, select RADIUS Authentication.
2. Configure RADIUS authentication parameters for the managed Radware device, and then, click (Submit) to submit the changes.

Table 50: RADIUS Authentication Parameters in AppDirector 2.30 and Later

Parameter

Description

Main

L4 Port

The access port number of the primary RADIUS server.
Values: 1645, 1812
Default: 1645


Secret

The authentication password for the primary RADIUS server.

Verify Secret

When defining the password, reenter for verification.

Server IP Address Type

Values: IPv4, IPv6

Server IP Address

The IP address of the primary RADIUS server.

Backup

L4 Port

The access port number of the backup RADIUS server.
Values: 1645, 1812
Default: 1645

Secret

The authentication password for the backup RADIUS server.

Verify Secret

When defining the password, reenter for verification.

Server IP Address Type

Values: IPv4, IPv6

Server IP Address

The IP address of the backup RADIUS server.

Basic Parameters

Timeout

The length of time the device waits for a reply from the RADIUS server before a retry, or, if the Retries value is exceeded, before the device acknowledges that the server is offline.
Default: 1

Retries

The number of connection retries to the RADIUS server, after the RADIUS server does not respond to the first connection attempt. After the specified number of Retries, if all connection attempts have failed (Timeout), the backup RADIUS server is used.
Default: 2

Client Lifetime

The time, in seconds, of the client's authentication. After the client lifetime expires, the device re-authenticates the user.
Default: 30

To configure RADIUS authentication for device management in AppDirector versions prior to 2.30 and DefensePro

1. In the Configuration perspective Setup tab navigation pane, select RADIUS Authentication.
2. Configure RADIUS authentication parameters for the managed Radware device, and then, click (Submit) to submit the changes.

Table 51: RADIUS Authentication Parameters in AppDirector Versions Prior to 2.30 and
DefensePro

Parameter

Description
Main

Server IP Address

The IP address of the primary RADIUS server.


L4 Port

The access port number of the primary RADIUS server.


Values: 1645, 1812
Default: 1645

Secret

The authentication password for the primary RADIUS server.

Verify Secret

When defining the password, reenter for verification.

Backup
Server IP Address

The IP address of the backup RADIUS server.

L4 Port

The access port number of the backup RADIUS server.


Values: 1645, 1812
Default: 1645

Secret

The authentication password for the backup RADIUS server.

Verify Secret

When defining the password, reenter for verification.

Basic Parameters
Timeout

The length of time the device waits for a reply from the RADIUS
server before a retry, or, if the Retries value is exceeded, before
the device acknowledges that the server is offline.
Default: 1

Retries

The number of connection retries to the RADIUS server, after the
RADIUS server does not respond to the first connection attempt.
After the specified number of Retries, if all connection attempts
have failed (Timeout), the backup RADIUS server is used.
Default: 2

Client Lifetime

The time, in seconds, of the client's authentication. After the client
lifetime expires, the device re-authenticates the user.
Default: 30

Configuring the Device Event Scheduler


Some network policy rules remain inactive during certain hours of the day, or are activated only
during others. For example, a school library may want to block instant messaging during school
hours, but allow it after school hours, or an enterprise may assign high priority to mail traffic
between 08:00 and 10:00.
You can schedule the activation and inactivation of specific policy rules on the device by using the
Event Scheduler to create schedules and then attaching them to a policy rule's configuration.
Schedules define a date and time for specific actions.

To configure the event scheduler


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Event
Scheduler.
2. Do one of the following:

To add a schedule, click the (Add) button.

To edit an entry, double-click the row.

3. Configure the parameters; and then, click OK.

Table 52: Scheduled Event Parameters

Parameter

Description

Task Name

The name of the schedule.

Frequency

How often the event occurs.


Values: daily, once, weekly
Default: once

Time

The time on the designated day in the format hhmm.


When multiple days are selected, the value is the same for all the
configured days.

Date

If the event frequency is once, configure the date that the event occurs
in the DD/MM/YYYY format.

Days of Week

If the selected event frequency is weekly, select the day or days the
event occurs.

Upgrading a License for a Managed Device


You can upgrade the capabilities of a managed device using the licensing procedure.
The license provided to you is a one-time license. To change licenses, you must use a new license
key, after which the old license key cannot be reused. For example, in AppDirector, if a license that
includes BWM and IPS activation keys was given to you on a trial basis but not purchased, Radware
will provide you with another license, but without these activation keys. The old license cannot be
reused.
Each license is based on the device's MAC address and on a license ID that is changed every time a
new license is used. To obtain a license upgrade or downgrade, you must include the MAC address
and the current license ID of the device when you order the required license part number. This
information is displayed in the License Upgrade window.
You will receive the new license string by e-mail. After you enter the new license information in the
License Upgrade pane, the old license cannot be reused.

To upgrade a license after receiving new license keys


1. In the Configuration perspective Setup tab navigation pane, select License Upgrade.
2. Configure license upgrade parameters for the new license keys, and then click (Submit) to
submit the changes.

Table 53: AppDirector License Upgrade Parameters in AppDirector 2.14 and Later

Parameter

Description
Basic Information

Base MAC Address

The MAC address of the first port on the device. This is the MAC
address on which the license is based.

License Upgrade
License ID

Reports the device software license ID and must be provided to
Radware when requesting a new license.

New License Key

The device software license allows you to activate advanced software
functionality.

Throughput License ID

Manages the device throughput license ID and must be provided to
Radware when requesting a new throughput license.

Throughput License Key

Manages the device throughput level license.

Compression on Server Side License ID (1)

The Compression on Server Side License ID, which must be provided to
Radware when requesting a new throughput license.

Compression on Server Side License Key (1)

The Compression on Server Side License key.


Prefix values:
appdirector-compression-100
appdirector-compression-250
appdirector-compression-500
appdirector-compression-750
appdirector-compression-1000
appdirector-compression-1250
appdirector-compression-1500
appdirector-compression-unlimited

SSL CPS License Key (1)

The SSL CPS License key.


Prefix values:
appdirector-ssl-500
appdirector-ssl-2000
appdirector-ssl-5000
appdirector-ssl-10000
appdirector-ssl-20000
appdirector-ssl-30000
appdirector-ssl-40000
appdirector-ssl-50000
appdirector-ssl-unlimited

SSL CPS License ID (1)

SSL CPS License ID, which must be provided to Radware when
requesting a new throughput license.

1 Available when the acceleration engine is enabled.

Table 54: AppDirector License Upgrade Parameters in AppDirector 2.11

Parameter

Description
Basic Information

Base MAC Address

The MAC address of the first port on the device. This is the MAC
address on which the license is based.

License Upgrade
License ID

Reports the device software license ID and must be provided to
Radware when requesting a new license.

New License Key

The device software license allows you to activate advanced software
functionality.

Throughput License ID

Manages the device throughput license ID and must be provided to
Radware when requesting a new throughput license.

Throughput License Key

Manages the device throughput level license.

SSL TPS License ID (1)

Displays AppDirector's SSL TPS license.


The SSL Transactions Per Second license options for the device are:
appdirector-ssl-500
appdirector-ssl-2000
appdirector-ssl-5000
appdirector-ssl-10000
appdirector-ssl-20000
appdirector-ssl-30000
appdirector-ssl-40000
appdirector-ssl-50000
appdirector-ssl-unlimited

SSL TPS License Key (1)

Manages the device SSL TPS license ID and must be provided to
Radware when requesting a new throughput license.

Compression on Server Side License ID (1)

Displays AppDirector's Compression on server side license.


The Compression on server side license options for the device are:
appdirector-compression-100
appdirector-compression-250
appdirector-compression-500
appdirector-compression-750
appdirector-compression-1000
appdirector-compression-1250
appdirector-compression-1500
appdirector-compression-unlimited

Compression on Server Side License Key (1)

Manages the device Compression on server side license ID and must
be provided to Radware when requesting a new throughput license.

1 Available when the acceleration engine is enabled.

Table 55: AppDirector License Upgrade Parameters in AppDirector 1.07.12

Parameter

Description
Basic Information

Base MAC Address

The MAC address of the first port on the device. This is the MAC
address on which the license is based.

License Upgrade
License ID

Reports the device software license ID and must be provided to
Radware when requesting a new license.

New License Key

The device software license allows you to activate advanced software
functionality.

Throughput License ID

Manages the device throughput license ID and must be provided to
Radware when requesting a new throughput license.

Throughput License Key

Manages the device throughput level license.

Table 56: DefensePro License Upgrade Parameters

Parameter

Description
Basic Information

Base MAC Address

The MAC address of the first port on the device. This is the MAC
address on which the license is based.

License Upgrade
License ID

Reports the device software license ID and must be provided to
Radware when requesting a new license.

New License Key

The device software license allows you to activate advanced software
functionality.

Throughput License ID

Manages the device throughput license ID and must be provided to
Radware when requesting a new throughput license.

Throughput License Key

Manages the device throughput level license.

Managing Certificates
This section describes certificates and how to manage them using APSolute Vision.

Certificates
Certificates are digitally signed indicators which identify the server or user. They are usually
provided in the form of an electronic key or value. The digital certificate represents the certification
of an individual business or organizational public key but can also be used to show the privileges and
roles for which the holder has been certified. It can also include information from a third-party
verifying identity. Authentication is needed to ensure that users in a communication or transaction
are who they claim to be.
A basic certificate includes the following:

The certificate holder's identity

The certificate's serial number

The certificate expiry date

A copy of the certificate holder's public key

The identity of the Certificate Authority (CA) and its digital signature to affirm the digital
certificate was issued by a valid agency

Keys
A key is a variable set of numbers that the sender applies to encrypt data to be sent via the
Internet. Usually a pair of public and private keys is used. A private key is kept secret and used only
by its owner to encrypt and decrypt data. A public key has a wide distribution and is not secret. It is
used for encrypting data and for verifying signatures. One key is used by the sender to encrypt or
interpret the data. The recipient also uses the key to authenticate that the data comes from the
sender.
The use of keys ensures that unauthorized personnel cannot decipher the data. Only with the
appropriate key can the information be easily deciphered or understood. Stolen or copied data would
be incomprehensible without the appropriate key to decipher it and prevent forgery. AppDirector and
DefensePro support the following key size lengths: 512, 1024, or 2048 bytes.

Self-Signed Certificates
Self-signed certificates do not include third-party verification. When you use secure WBM, that is, an
HTTPS session, the managed device uses a certificate for identification. By default, the device has
self-signed Radware SSL certificates. You can also specify your own self-signed SSL certificates.

Modifying Certificate Information for a Selected Device

To view and modify certificate information for a selected device


In the Configuration perspective Setup tab navigation pane, select Certificates.
The Certificates table displays information for each certificate stored on the device. From here,
you can add, edit, and delete certificates. You can also import and export certificates, and show
certificate text.

Configuring Certificates
You can create or modify a self-signed certificate for secured access to Web Based Management
(WBM).
You can also create certificate signing requests and keys for new certificates.

Note: In AppDirector 2.11 and later, you can create and modify certificates for SSL policies and
Client CA policies. Also, in AppDirector 2.11 and later, you can manage certificates only
if you are connected via SNMPv3.

To create or modify a certificate or key


1. In the Configuration perspective Setup tab navigation pane, select Certificates.
2. Do one of the following:

To add a certificate, click the (Add) button.

To edit a certificate, double-click the certificate name.

3. Configure certificate parameters and click OK.

Table 57: Certificate Parameters

Parameter

Description

Name

The name of the key or certificate.

Type

The type of certification.


Values:
Certificate
Certificate of Client CA (1)
Certificate Signing Request
Intermediate CA Certificate (1)
Key: When you select Key, only the Key Size and Passphrase fields
are available.
Default: Key

Key Size

The key size, in bytes.


Larger key sizes offer an increased level of security. Radware
recommends that certificates have a key size of 1024 or more. Using a
certificate of this size makes it extremely difficult to forge a digital
signature or decode an encrypted message.
Values: 512 Bytes, 1024 Bytes, 2048 Bytes
Default: 1024 Bytes

Common Name

The domain name of the organization (for example, www.radware.com)
or IP address.

Organization

The name of the organization.

Email Address

Any e-mail address that you want to include within the certificate.

Key Passphrase

The Key Passphrase encrypts the key in storage and is required to
export the key. Since private keys are the most sensitive parts of PKI
data, they must be protected by a passphrase. The passphrase should
be at least four characters, and Radware recommends using stronger
passphrases than that, based on letters, numbers and signs.

Verify Key Passphrase

After you define the key passphrase, re-enter it for verification.

Locality

The name of the city.

State / Province

The state or province.

Organization Unit

The department or unit within the organization.

Country Name

The organization country.

Certificate Expiration

The duration, in days, that a certificate remains valid.


Values: 1365
Default: 365

1 If you select this option when it is not allowed (according to the type of certificate you
are using), the device alerts you with an error message.

Configuring Default Certificate Attributes


Use certificate defaults to define your organization's default parameters to be used when creating
signing requests or self-signed certificates.
To configure default attributes, the connection between the APSolute Vision server and the relevant
device must use SNMPv3.

To configure the default certificate attributes


1. In the Configuration perspective Setup tab navigation pane, select Certificates > Default
Attributes.
2. Configure the parameters, and then click (Submit) to submit the changes.

Table 58: Default Certificate Parameters

Parameter

Description

Common Name

The domain name of the organization. For example, www.radware.com.

Locality

The name of the city.

State / Province

The state or province.

Organization

The name of the organization.

Organization Unit

The department or unit within the organization.

Country Name

The organization country.

Email Address

Any e-mail address to include in the certificate.

Importing Certificates
Depending on the product, you can import keys and certificates from another machine, and import a
certificate to an existing Signing Request to complete its process. You can also import intermediate
CA certificates for SSL policies, and Client CA Certificates for Client Authentication policies.
Keys and certificates are imported in PEM format. If you have separate PEM files for Key and for
certificate, you must import them consecutively with the same entry name.

To import a certificate or key


1. In the Configuration perspective Setup tab navigation pane, select Certificates.
2. Click the Import button below the table.
3. Configure import certificate parameters, and click OK to start the import.

Table 59: Import Certificate Parameters in AppDirector

Parameter

Description

Entry Name

A new entry name to create by import, or an existing entry name to
overwrite or complete a Key or CSR.

Entry Type

Values:
Key: Imports a key from backup or exported from another
system. To complete the configuration, you will need to import
a certificate into this key.
Certificate: Imports a certificate from backup or exported
from another machine. The certificate must be imported onto a
matching key or signing request.
Intermediate CA Certificate: Imports a certificate to be used in
the SSL policy.
Client CA Certificate: Imports a Client CA certificate.
Root TSL Certificate
Default: Key

Passphrase
(This parameter is available only when the Entry Type is Key.)

Since Private Keys are the most sensitive parts of PKI data, they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.

Verify Passphrase
(This parameter is available only when the Entry Type is Key.)

Since Private Keys are the most sensitive parts of PKI data, they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.

File Name

The certificate file to import.

Table 60: Import Certificate Parameters in DefensePro

Parameter

Description

Entry Name

A new entry name to create by import, or an existing entry name to
overwrite or complete a Key or CSR.

Entry Type

Values:
Key: Imports a key from backup or exported from another
system. To complete the configuration, you will need to import
a certificate into this key.
Certificate: Imports a certificate from backup or exported
from another machine. The certificate must be imported onto a
matching key or signing request.
Certificate of Client CA: Imports a Client CA certificate.
Default: Key
Note: In Web Based Management, DefensePro supports the
following three additional options: Intermediate CA
Certificate, Certificate and Key, SSH Public Key.

Passphrase
(This parameter is available only when the Entry Type is Key.)

Since Private Keys are the most sensitive parts of PKI data, they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.

Verify Passphrase
(This parameter is available only when the Entry Type is Key.)

Since Private Keys are the most sensitive parts of PKI data, they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.

File Name

The certificate file to import.

Exporting Certificates
Key, certificate and signing request export is used for backup purposes, moving existing
configurations to another system or for completion of Signing Request processes. You can export
certificates from a device by copying and pasting a key or by downloading a file. Keys and
certificates are exported to PEM format.

Note: The Radware key is created without a Radware password at system startup, thus it can
be exported without a Radware password.

To export a certificate or key


1. In the Configuration perspective Setup tab navigation pane, select Certificates.
2. Click the Export button below the table.
3. Configure export certificate parameters, and click OK to start the export.

Table 61: Export Certificate Parameters

Parameter

Description

Entry Name

Select the name of the entry to export. By default, the name of the
selected certificate in the Certificates table is displayed.

Entry Type

According to the selected entry name, you can export Certificate,
Certificate Chain, Client CA Certificate, Key, or Certificate Signing Request.

Passphrase

Required when exporting Keys. Use the passphrase entered when the key
was created or imported. You must enter the key passphrase to validate
that you are authorized to export the key.

Showing Certificate Content


You can display the content of keys, certificates, or signing requests listed in the Certificates table.
The content is displayed in encrypted text format for copy-paste purposes, for example sending
signing requests to a certificate signing authority.

To display certificate content


1. In the Configuration perspective Setup tab navigation pane, select Certificates.
2. Click the Show button below the table.
3. Select the entry name to show. By default, the name of the selected certificate in the
Certificates table is displayed.
4. Select the entry type, and password for the key, if required.
5. Click Show to display the content in the Certificate field.

Configuring SNMP
Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the
exchange of management information between APSolute Vision and network devices.
Radware devices can work with all versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3.

The default Radware user is configured in SNMPv1.

Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at the
APSolute Vision are discarded.

Note: When you add a Radware device to APSolute Vision using SNMPv3, the user name and
authentication details must match one of the users configured on the device.
The following topics describe the procedures to configure SNMP on a selected device:

Configuring SNMP Users

Configuring SNMP Community Settings

Configuring the SNMP Group Table

Configuring SNMP Access Settings

Configuring SNMP Notify Settings

Configuring SNMP View Settings

Configuring the SNMP Target Parameters Table

Configuring SNMP Target Addresses

Configuring SNMP Users


With SNMPv3 user-based management, each user can have different permissions based on the user
name and authentication method. You define the users who can connect to the device, and store the
access parameters for each SNMP user.

Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.
>> In the SNMP configuration, a user name is also known as a security name.

To configure an SNMP user for a device connected with SNMPv3 with Authentication
and Privacy

1. In the Configuration perspective Device Security tab navigation pane, select SNMP > SNMP
User Table.
2. Do one of the following:

To add a user, click the (Add) button.

To edit an entry, double-click the row.

3. Configure SNMP user parameters and click OK.

Table 62: SNMP User Parameters

Parameter

Description

User Name

The user name, also known as a security name. The name can be up
to 18 characters.

Authentication Protocol

Protocol used during authentication process.


Values:
None
MD5
SHA
Default: None

Authentication Password

If an authentication protocol is specified, enter an authentication
password.

Privacy Protocol

Algorithm to be used for encryption.


Values:
None: The data is not encrypted.
DES: The device uses Data Encryption Standard.
Default: None

Privacy Password

If a privacy protocol is specified, enter a user privacy password.

Configuring SNMP Community Settings


The SNMP Community Table is used only for SNMP versions 1 and 2 to associate community strings
to users. When a user is connected to a device with SNMPv1 or SNMPv2, the device checks the
community string sent in the SNMP packet. Based on a specific community string, the device maps
the community string to a predefined user, which belongs to a group with certain access rights.
Therefore, when working with SNMPv1 or SNMPv2, users, groups, and access must be defined.
Use the Community Table to associate community strings with user names and vice versa, and to
restrict the range of addresses from which SNMP requests are accepted and to which traps can be
sent.

Note: You cannot change the community string associated with the user name that you are
currently using.

To configure SNMP community settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP >
Community.
2. Do one of the following:

To add an SNMP community entry, click the (Add) button.

To edit an entry, double-click the row.

3. Configure SNMP community parameters and click OK.

Table 63: SNMP Community Parameters

Parameter

Description

Index

A descriptive name for this entry. This name cannot be modified after
creation.
Default: public

Community Name

The community string.


Default: public

Security Name

The security name identifies the SNMP community used when the
notification is generated.
Default: public

Transport Tag

Specifies a set of target addresses from which the device accepts SNMP
requests and to which traps can be sent. The target addresses identified by
this tag are defined in the SNMP Target Addresses table. At least one entry
in the SNMP Target Addresses table must include the specified transport tag.
If no tag is specified, addresses are not checked when an SNMP request is
received or when a trap is sent.

Configuring the SNMP Group Table


SNMPv3 permissions are defined for groups of users. If, based on the connection method, there is a
need to grant different permissions to the same user, you can associate a user to more than one
group. You can create multiple entries with the same group name for different users and security
models.
Access rights are defined for groups of users in the SNMP Access table.

To configure SNMP group settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Group
Table.
2. Do one of the following:

To add a group entry, click the (Add) button.

To edit an entry, double-click the row.

3. Configure the parameters; and then, click OK.

Table 64: SNMP Group Parameters

Parameter

Description

Group Name

The name of the SNMP group.

Security Model

The SNMP version that represents the required security model. Security models
are predefined sets of permissions that can be used by the groups. These sets
are defined according to the SNMP versions. By selecting the SNMP version for
this parameter, you determine the permissions set to be used.
Values:
SNMPv1
SNMPv2c
User Based (SNMPv3)
Default: SNMPv1

Security Name

If the User Based security model is used, the security name identifies the user
that is used when the notification is generated. For other security models, the
security name identifies the SNMP community used when the notification is
generated.

Configuring SNMP Access Settings


The SNMP Access table binds groups and security models with SNMP views, which define subsets of
MIB objects. You can define which MIB objects can be accessed for each group and security model.
MIB objects can be accessed for a read, write, or notify action based on the Read View Name, Write
View Name, and Notify View Name parameters.
Views are defined in the SNMP Views table.

To configure SNMP access settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Access.
2. Do one of the following:

To add an access entry, click the (Add) button.

To edit an entry, double-click the row.

3. Configure SNMP access parameters and click OK.

Table 65: SNMP Access Parameters


Parameter

Description

Group Name

The name of the group.

Security Model

Security models are predefined sets of permissions that can be used by
the groups. These sets are defined according to the SNMP versions.
Select the SNMP version that represents the required Security Model to
determine the permissions set to be used.
Values:
SNMPv1
SNMPv2c
User Based (that is, SNMPv3)
Default: SNMPv1

Security Level

The security level required for access.


Values:
No Authentication: No authentication or privacy are required.
Authentication & No Privacy: Authentication is required, but privacy
is not required.
Authentication & Privacy: Both authentication and privacy are
required.
Default: No Authentication

Read View Name

The name of the View that specifies which objects in the MIB tree are
readable by this group.

Write View Name

The name of the View that specifies which objects in the MIB tree are
writable by this group.

Notify View Name

The name of the View that specifies which objects in the MIB tree can be
accessed in notifications (traps) by this group.

Configuring SNMP Notify Settings


You can select management targets that receive notifications and the type of notification to be sent
to each selected management target. The Tag parameter identifies a set of target addresses. An
entry in the Target Address table that contains a tag specified in the Notify table receives
notifications.

To configure SNMP notification settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Notify.
2. Do one of the following:

To add an SNMP notify entry, click the (Add) button.

To edit an entry, double-click the row.

3. Configure SNMP notify parameters and click OK.

Table 66: SNMP Notify Parameters

Parameter

Description

Name

A descriptive name for this entry, for example, the type of notification.

Tag

A string that defines the target addresses that are sent this notification. All
the target addresses that have this tag in their tag list are sent this
notification.

Configuring SNMP View Settings


You can define subsets of the MIB tree for use in the Access Table. Different entries may have the
same name. The union of all entries with the same name defines the subset of the MIB tree and can
be referenced in the Access Table through its name.

To configure SNMP view settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > View.
2. Do one of the following:

To add an SNMP view entry, click the (Add) button.

To edit an entry, double-click the row.

3. Configure SNMP view parameters and click OK.

Table 67: SNMP View Parameters

Parameter

Description

View Name

Name of this entry.

Sub-Tree

Object ID of a subtree of the MIB.


Note: Very occasionally, you might need to define a view mask for
AppDirector. To do this, use the AppDirector WBM application.

Type

Specifies whether the object defined in the entry is included or excluded in the
MIB view.
Values: Included, Excluded
Default: Included
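
The Community, Group, Access and View tables described above form one lookup chain. The following Python sketch is an added example, not Radware code: it models the four tables with the parameter names from Tables 63 to 67, decides whether a request is permitted, and flags weak entries. The sample entries are constructed, and the rule that the longest matching Sub-Tree decides between Included and Excluded is the standard VACM behaviour (RFC 3415), assumed here rather than stated in this guide.

```python
"""SNMP access-control lookup chain: Community -> Group -> Access -> View."""
from collections import namedtuple

# One record type per table; field names follow the parameters in Tables 63-67.
Community = namedtuple("Community",
                       "index community_name security_name transport_tag",
                       defaults=[""])
Group = namedtuple("Group", "group_name security_model security_name")
Access = namedtuple("Access", "group_name security_model security_level "
                    "read_view write_view notify_view", defaults=["", "", ""])
View = namedtuple("View", "view_name sub_tree view_type", defaults=["Included"])

# Security Level values as listed in Table 65, ordered weakest to strongest.
LEVELS = {"No Authentication": 0, "Authentication & No Privacy": 1,
          "Authentication & Privacy": 2}


def _oid(text):
    return tuple(int(part) for part in text.strip(".").split("."))


def in_view(views, view_name, oid):
    """All entries sharing view_name form one view; the longest Sub-Tree that
    prefixes the OID decides (assumed standard VACM rule, RFC 3415)."""
    target, best = _oid(oid), None
    for v in views:
        sub = _oid(v.sub_tree)
        if v.view_name == view_name and target[:len(sub)] == sub:
            if best is None or len(sub) > len(_oid(best.sub_tree)):
                best = v
    return best is not None and best.view_type == "Included"


def is_allowed(cfg, model, security_name, level, action, oid):
    """action is 'read', 'write' or 'notify'; level is the request's level."""
    groups = {g.group_name for g in cfg["groups"]
              if g.security_model == model and g.security_name == security_name}
    for a in cfg["access"]:
        if (a.group_name in groups and a.security_model == model
                and LEVELS[level] >= LEVELS[a.security_level]):
            view = getattr(a, action + "_view")
            if view and in_view(cfg["views"], view, oid):
                return True
    return False


def community_request_allowed(cfg, model, community, action, oid):
    """SNMPv1/SNMPv2c: the community string is first mapped to a security name,
    and such requests never carry authentication or privacy."""
    for c in cfg["communities"]:
        if c.community_name == community:
            return is_allowed(cfg, model, c.security_name,
                              "No Authentication", action, oid)
    return False


def audit(cfg):
    """Flag entries that weaken access control."""
    findings = []
    for c in cfg["communities"]:
        if c.community_name == "public":
            findings.append(f"community {c.index!r}: default string 'public'")
        if not c.transport_tag:
            findings.append(f"community {c.index!r}: no Transport Tag, "
                            "source addresses are not checked")
    for a in cfg["access"]:
        if a.write_view and LEVELS[a.security_level] == 0:
            findings.append(f"group {a.group_name!r} ({a.security_model}): "
                            f"writes to view {a.write_view!r} need no authentication")
    return findings


# Constructed sample configuration (not taken from a real device).
CFG = {
    "communities": [Community("public", "public", "public"),
                    Community("noc", "noc-ro", "noc", transport_tag="noc-hosts")],
    "groups": [Group("legacy", "SNMPv1", "public"),
               Group("readers", "SNMPv2c", "noc"),
               Group("admins", "User Based", "alice")],
    "access": [Access("legacy", "SNMPv1", "No Authentication", "all", "all"),
               Access("readers", "SNMPv2c", "No Authentication", "sysOnly"),
               Access("admins", "User Based", "Authentication & Privacy",
                      "all", "all")],
    "views": [View("all", "1.3.6.1"),
              View("sysOnly", "1.3.6.1.2.1.1"),
              View("sysOnly", "1.3.6.1.2.1.1.6", "Excluded")],  # hides sysLocation
}

if __name__ == "__main__":
    for finding in audit(CFG):
        print("WEAK:", finding)
```

With this sample, the default `public` entry lets any SNMPv1 sender write to the whole tree, while the `noc-ro` community can only read the system group minus sysLocation.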

Configuring the SNMP Target Parameters Table


The Target Parameters table defines message-processing and security parameters that are used in
sending notifications to a particular management target. Entries in the Target Parameters table are
referenced in the Target Address table.


To configure SNMP target parameters


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Target
Parameters Table.
2. Do one of the following:
   - To add a target parameters entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure target parameter settings and click OK.

Table 68: SNMP Target Parameters

Parameter

Description

Name

The name of the target parameters entry.


Maximum characters: 32

Message Processing Model

The SNMP version to use when generating SNMP notifications.


Values: SNMPv1, SNMPv2c, SNMPv3
Default: SNMPv1
Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c
traps that arrive at the APSolute Vision are discarded.

Security Model

The SNMP version that represents the required Security Model.


Security models are predefined sets of permissions that can be used by the
groups. These sets are defined according to the SNMP versions. By selecting
the SNMP version for this parameter, you determine the permissions set to
be used.
Values:
SNMPv1
SNMPv2c
User Based: That is, SNMPv3
Default: SNMPv1
Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c
traps that arrive at the APSolute Vision are discarded.

Security Name

If the User Based security model is used, the security name identifies the
user that is used when the notification is generated. For other security
models, the security name identifies the SNMP community used when the
notification is generated.

Security Level

Specifies whether the trap is authenticated and encrypted before it is sent.


Values:
No Authentication: No authentication or privacy are required.
Authentication and No Privacy: Authentication is required, but privacy is not required.
Authentication and Privacy: Both authentication and privacy are required.
Default: No Authentication


Configuring SNMP Target Addresses


In SNMPv3, the Target Addresses table contains transport addresses to be used in the generation of
traps. If the tag list of an entry contains a tag from the SNMP Notify Table, this target is selected for
reception of notifications. For SNMP versions 1 and 2, this table is used to restrict the range of
addresses from which SNMP requests are accepted and to which SNMP traps may be sent. If the
Transport Tag of an entry in the community table is not empty, it must be included in one or more
entries in the Target Address Table.

To configure SNMP target addresses


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Target
Address.
2. Do one of the following:
   - To add a target address, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure target address parameters and click OK.

Table 69: SNMP Target Address Parameters

Parameter

Description

Name

Name of the target address entry.

IP Address and L4 Port [IP-port number]

The IP address of the management station (APSolute Vision server)
and TCP port to be used as the target of SNMP traps. The format of the
values is <IP address>-<TCP port>, where <TCP port> must be
162. For example, if the value for IP Address and L4 Port is 1.2.3.4-162,
1.2.3.4 is the IP address of the APSolute Vision server and 162 is
the port number for SNMP traps.
Note: APSolute Vision listens for traps only on port 162.

Mask

A subnet mask of the management station.

Tag List

Specifies sets of target addresses. Tags are separated by spaces. The
tags contained in the list may be either tags from the Notify table or
Transport tags from the Community table.
Each tag can appear in more than one tag list. When a significant event
occurs on the network device, the tag list identifies the targets to which
a notification is sent.
Default: v3Traps

Target Parameters Name

The set of target parameters to be used when sending SNMP Traps.
Target parameters are defined in the Target Parameters table.
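
The checks implied by the Notify, Target Parameters, and Target Address tables can be run over a copy of the three tables before they are applied. The following Python audit is an added example, not part of the Radware guide or of APSolute Vision: the dataclasses, the finding codes, the sample rows, and the rule that the two version fields should agree are assumptions made for this illustration, while the port 162 requirement, the discarded SNMPv2c traps, and the tag matching come from the text above.

```python
import ipaddress
from dataclasses import dataclass

TRAP_PORT = 162  # from the guide: APSolute Vision listens for traps only on port 162


@dataclass
class TargetParams:        # one row of the Target Parameters table
    name: str
    mp_model: str          # "SNMPv1", "SNMPv2c" or "SNMPv3"
    security_model: str    # "SNMPv1", "SNMPv2c" or "User Based"
    security_name: str     # user (User Based) or community (other models)
    security_level: str    # e.g. "Authentication and Privacy"


@dataclass
class TargetAddress:       # one row of the Target Address table
    name: str
    address: str           # "<IP address>-<port>"
    tag_list: str          # tags separated by spaces
    params_name: str


def parse_target(value):
    """Split '<IP address>-<port>' into (ip, port); raise ValueError if malformed."""
    ip_text, sep, port_text = value.rpartition("-")
    if not sep or not port_text.strip().isdigit():
        raise ValueError(f"expected <IP address>-<port>, got {value!r}")
    return ipaddress.ip_address(ip_text.strip()), int(port_text)


def audit(notify_tags, community_tags, params, targets):
    """Return a sorted list of (entry name, finding code) pairs (codes are hypothetical)."""
    findings = set()
    params_by_name = {p.name: p for p in params}
    tags_in_use = set()
    for t in targets:
        try:
            _, port = parse_target(t.address)
            if port != TRAP_PORT:
                findings.add((t.name, "WRONG_PORT"))      # Vision never sees the trap
        except ValueError:
            findings.add((t.name, "BAD_ADDRESS"))
        tags = set(t.tag_list.split())
        tags_in_use |= tags
        if tags - notify_tags - community_tags:
            findings.add((t.name, "UNKNOWN_TAG"))         # tag defined in neither table
        if not tags & notify_tags:
            findings.add((t.name, "NOT_NOTIFIED"))        # no Notify tag: gets no traps
        p = params_by_name.get(t.params_name)
        if p is None:
            findings.add((t.name, "MISSING_PARAMS"))
            continue
        if "SNMPv2c" in (p.mp_model, p.security_model):
            findings.add((t.name, "V2C_DISCARDED"))       # Vision discards SNMPv2c traps
        # Assumption of this audit: SNMPv3 processing pairs with the User Based model.
        if (p.mp_model == "SNMPv3") != (p.security_model == "User Based"):
            findings.add((t.name, "MODEL_MISMATCH"))
        if p.security_level == "No Authentication":
            findings.add((t.name, "NO_AUTH"))             # unauthenticated, unencrypted
        elif p.security_level == "Authentication and No Privacy":
            findings.add((t.name, "NO_PRIVACY"))          # authenticated, not encrypted
    for tag in notify_tags - tags_in_use:
        findings.add((tag, "ORPHAN_NOTIFY_TAG"))          # notification has no target
    return sorted(findings)


def sample_tables():
    """Constructed sample rows (documentation addresses), not taken from a real device."""
    notify_tags = {"v3Traps"}
    community_tags = set()
    params = [
        TargetParams("vision-v3", "SNMPv3", "User Based", "trapuser",
                     "Authentication and Privacy"),
        TargetParams("legacy", "SNMPv2c", "SNMPv2c", "public", "No Authentication"),
    ]
    targets = [
        TargetAddress("vision", "192.0.2.10-162", "v3Traps", "vision-v3"),
        TargetAddress("old-nms", "192.0.2.20-1162", "v2Traps", "legacy"),
        TargetAddress("typo", "192.0.2.30:162", "v3Traps", "missing"),
    ]
    return notify_tags, community_tags, params, targets


if __name__ == "__main__":
    for entry, code in audit(*sample_tables()):
        print(f"{entry}: {code}")
```

An entry with no findings (the `vision` row in the sample) is one whose traps reach APSolute Vision authenticated and encrypted.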

Configuring Device Users


For each managed device, you can create a list of users who are authorized to access that device
through any enabled access method (Web, Telnet, SSH, SWBM). When configuration tracing is
enabled, users can receive e-mail notifications of changes made to the device.


To configure device users for a selected device


1. In the Configuration perspective Device Security tab navigation pane, select Users Table.
2. Do one of the following:
   - To add a user, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the parameters, and then click OK.

Table 70: Device User Parameters

Parameter

Description

Device Users Table

User Name

The name of the user.

Password

Enter the password of the user, then repeat to verify.

Email Address

The e-mail address of the user to which notifications will be sent.

Minimal Severity for Sending Traps

The minimum severity level of traps sent to this user.
Values:
None: The user receives no traps.
Info: The user receives traps with severity info or higher.
Warning: The user receives Warning, Error, and Fatal traps.
Error: The user receives Error and Fatal traps.
Fatal: The user receives Fatal traps only.
Default: None

Enable Configuration Tracing

When selected, the specified user receives notifications of
configuration changes made in the device.
Every time the value of a configurable variable changes, information
about all the variables in the same MIB entry is reported to the
specified users. The device gathers reports and sends them in a
single notification message when the buffer is full or when the
timeout of 60 seconds expires.
The notification message contains the following details:
- Name of the MIB variable that was changed.
- New value of the variable.
- Time of configuration change.
- Configuration tool that was used (APSolute Vision, Telnet, SSH, WBM).
- User name, when applicable.

Access Level

The user's level of access to the WBM and CLI.

Advanced Parameters

Authentication Mode

The method of authenticating a user's access to the device.
Values:
Local User Table: The device uses the User Table to authenticate
access.
Radius: The device uses the RADIUS servers to authenticate
access.
Radius and Local User Table: The device uses the RADIUS
servers to authenticate access. If the request to the RADIUS
server times out, the device uses the User Table to authenticate
access.
Default: Local User Table

Exclude SNMP Engine ID and User Information from Exported Configuration Files
(This parameter is displayed only in certain AppDirector versions.)

Specifies whether to exclude the SNMP engine ID and user
information from exported configuration files.
Default: Disabled

Configuring Access Permissions on Physical Ports


Access to devices can be limited to specified physical interfaces. Interfaces connected to insecure
network segments can be configured to discard some or all management traffic directed at the
device itself. Administrators can allow certain types of management traffic to a device (for example,
SSH), while denying others such as SNMP. If an intruder attempts to access the device through a
disabled port, the device denies access, and generates syslog and CLI traps as notification.

To configure access permissions for a selected device


1. In the Configuration perspective Device Security tab navigation pane, select Advanced.
2. To edit permissions for a port, double-click the relevant row.
3. Select or clear the checkboxes to allow or deny access, and then click OK.

Table 71: Port Permission Parameters

Parameter

Description

Port

(Read-only) The name of the physical port.

SNMP Access

When selected, allows access to the port using SNMP.

Telnet Access

When selected, allows access to the port using Telnet.

SSH Access

When selected, allows access to the port using SSH.

Web Access

When selected, allows access to the port using WBM.

SSL Access

When selected, allows access to the port using SSL.


Configuring Port Pinging


You can define which physical interfaces can be pinged. When a ping is sent to an interface for which
ping is not allowed, the packet is discarded. By default, all the interfaces of the device allow pings.

To define the ports to be pinged


1. In the Configuration perspective Device Security tab navigation pane, select Advanced > Ping
Ports.
2. To edit port ping settings, double-click the relevant row.
3. Select or clear the checkbox to allow or not allow pinging, then click OK.

Configuring Tuning Parameters


You can adjust tuning parameters to use memory resources more efficiently and to conserve memory
resources.

Caution: Radware strongly recommends that you perform any device tuning only after
consulting with Radware Technical Support.

This section contains the following:
- Configuring Tuning Parameters for AppDirector
- Configuring Tuning Parameters for DefensePro

Configuring Tuning Parameters for AppDirector

To configure tuning parameters


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters.
2. To change the current setting, enter the new value in the After Reset column.
3. Click (Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.

Note: Radware recommends performing a memory check before rebooting the device.

For information about tuning parameters for AppDirector 1.07.12, see Tuning Parameters in
AppDirector 1.07.12.


Table 72: Tuning Parameters in AppDirector 2.11 and Later

Parameter

Description

Device Tuning

For more information, see the tuning document, which is available from the Radware Web site.

Bridge Forwarding Table

The maximum number of entries currently available in the Bridge
Forwarding Table (bridging ports per destination MAC address).

IP Forwarding Table

The maximum number of entries currently available in the IP
Forwarding Table.

ARP Forwarding Table

The maximum number of entries allowed in the ARP Table.
The ARP table contains the IP address and corresponding MAC
address (physical address) of each network element connected to
the device. If an element is disconnected from the device, the
element's ARP record will be maintained until the timeout value is
exceeded.

Routing Table

The maximum number of entries in the Routing Table.

Host Name Table

The maximum number of entries in the Host Names Table.

Requests Table

The maximum number of entries in the Requests Table as used by
all delayed binding based mechanisms, for example, SSL ID
tracking, Layer 4 Policies, and so on.

Session IDs

The maximum number of entries in the Session ID Table.
Default table size: 16,384
Maximum: 256,000

Network Segments

The maximum number of network segments that can be configured
(network segments supported when the device uses the
Segmentation feature).

L4 Policies

Maximum number of Layer 4 policies that can be defined on the
device.

Acceleration Engine RAM Percentage for Cache

Percentage of Acceleration-engine RAM allocated for cache when
application acceleration is enabled.
Default: 20

Application Delivery

Client Table

Maximum number of entries in the Client Table.

L3 Client Table

Size of the Layer 3 Client Table, as a percentage of the Client Table
size.
Default: 20

RADIUS Attributes Table
(This parameter is not available in AppDirector 2.14 and later.)

Maximum number of entries in the RADIUS Attributes Table.

Static DNS Persistency Table

Maximum number of entries in the Static DNS Persistency Table.

Dynamic DNS Persistency Entries

Maximum number of entries in the Dynamic DNS Persistency Table.

Session Table

Maximum number of session entries in table.

Session Passive Protocols Table

Maximum number of session passive protocols entries in the table.


Session Resets Entries

Maximum number of sessions that the device tracks to send RESET
in case Send Reset To Server is enabled in the Session Table.

Proximity Subnets

Maximum number of entries in the Dynamic Proximity Table.

Table 73: Tuning Parameters in AppDirector 1.07.12

Parameter

Description

Device Tuning

Bridge Forwarding Table

The maximum number of entries currently available in the Bridge
Forwarding Table (bridging ports per destination MAC address).

IP Forwarding Table

The maximum number of entries currently available in the IP
Forwarding Table.

ARP Forwarding Table

The maximum number of entries allowed in the ARP Table.
The ARP table contains the IP address and corresponding MAC
address (physical address) of each network element connected to
the device. If an element is disconnected from the device, the
element's ARP record will be maintained until the timeout value is
exceeded.

Routing Table

Maximum number of entries in the Routing Table.

Host Name Table

Maximum number of entries in the Host Names Table.

Requests Table

Maximum number of entries in the Requests Table as used by all
delayed binding based mechanisms, for example, SSL ID tracking,
Layer 4 Policies, and so on.

Session IDs

Maximum number of entries in the Session ID Table.
Default table size: 16,384
Maximum: 256,000

Network Segments

Maximum number of network segments that can be configured
(network segments supported when the device uses the
Segmentation feature).

L4 Policies

Maximum number of Layer 4 policies that can be defined on the
device.

Application Delivery

Client Table

Maximum number of entries in the Client Table.

L3 Client Table

Size of the Layer 3 Client Table, as a percentage of the Client Table
size.
Default: 20

RADIUS Attributes Table

Maximum number of entries in the RADIUS Attributes Table.

Static DNS Persistency Table

Maximum number of entries in the Static DNS Persistency Table.

Dynamic DNS Persistency Entries

Maximum number of entries in the Dynamic DNS Persistency Table.

Session Table

Maximum number of session entries in table.


Session Passive Protocols Table

Maximum number of session passive protocols entries in the table.

Session Resets Entries

Maximum number of sessions that the device tracks to send RESET
in case Send Reset To Server is enabled in the Session Table.

Configuring Tuning Parameters for DefensePro

To configure device tuning parameters


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters.
2. To change the current setting, enter the new value in the After Reset column.
3. Click (Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.

Note: Radware recommends performing a memory check before rebooting the device.

Table 74: Device Tuning Parameters

Parameter

Description

IP Fragmentation Table

The maximum number of IP fragments that the device stores.
Values: 1-256,000
Default: 1240

Session Table

The maximum number of sessions that the device can track.
Values: 20-4,000,000
Default per model:
x06 and x016: 2,000,000
x412-NL-O: 3,000,000
x412-NL-Q: 3,100,000
x412-BP-O: 3,000,000
x412-BP-Q: 2,900,000

Session Resets Entries

The maximum number of sessions that the device tracks to
send RESET when Send Reset To Server is enabled in the
Session table.
Values: 1-10,000
Default: 1000

Routing Table

The maximum number of entries in the Routing table.
Values: 20-32,767
Default: 64


Pending Table

The maximum number of new simultaneous dynamic sessions
the device can open.
Values: 16-16,000
Default: 1024

SIP Call Table

The maximum number of SIP calls the device can track.
Values: 16-256,000
Default: 1024

TCP Segmentation Table

The maximum number of TCP Segments. This parameter is
used when SIP Protocol is enabled and SIP is running over TCP.
Values: 1-32,768
Default: 256

Configuring Security Tuning


APSolute Vision supports the Security module in AppDirector 2.30 and later and DefensePro.
The security tables store information about sessions passing through the device and their sizes,
correlating them to the number of sessions. Some tables store Layer 3 information for every
source-destination address pair of traffic going through the device, requiring an entry for each combination.
Some tables keep information about Layer 4 sessions. Every combination of source address, source
port, destination address and destination port requires its own entry in the table.

Note: Layer 4 tables are larger than Layer 3 tables. TCP clients, using HTTP, may open several
TCP sessions to one destination address.
Each security table is responsible for clearing tables of old entries that are no longer required, and
ensuring that traffic is properly classified and inspected.

To configure security tuning


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > Security.
2. Configure the tuning parameters.

Table 75: Application Security Tuning Parameters for AppDirector

Parameter

Description

Max. Number of Service Protection Service

The maximum number of entries in the Service Protection policy.

Max. Number of BDoS Policies

The maximum number of configurable Behavioral DoS policies.


Max. Number of Entries in Counter Target Table

The maximum number of sessions in which a Destination address
is tracked.
Some attack signatures use thresholds per destination for
activation. The Counter Target Table counts the number of times
traffic to a specific destination matches a signature. When the
number of packets sent to a particular destination exceeds the
predefined limit, it is identified as an attack.

Max. Number of Entries in Counter Source Table

The maximum number of sessions in which a source address is
tracked.
Some attack signatures use thresholds per source for activation.
The Counter Source Table counts the number of times traffic
from a specific source matches a signature. When the number of
packets sent from a particular source exceeds the predefined
limit, it is identified as an attack.

Max. Number of Entries in Counter Source and Target Table

The maximum number of sessions in which Source and
Destination addresses are tracked.
Some signatures use thresholds per source and destination for
activation. The Counter Source & Target Table counts the
number of times traffic from a specific source to a specific
destination matches a signature. When the number of packets
sent from a particular source to a particular destination exceeds
the predefined limit, it is identified as an attack.

Max. Number of Concurrent Active DoS Shield Protections

The maximum number of filters tracked.
DoS Shield filters use thresholds for activation. This table counts
the number of times traffic matches a DoS Shield signature per
policy. When the number of packets exceeds the predefined limit,
it is identified as an attack.

Max. Number of Entries in Counters Report

The maximum number of entries for reports on active concurrent
Tracking Signatures attacks.

Max. Number of Entries in Counters Service Cracking Protection

The maximum number of entries for concurrent active Service
Cracking protections.

Max. Number of Entries in DHCP Table

The number of MAC addresses to check for IP requests.
The DHCP Discover table detects attacks by counting the IP
requests for each MAC address. The requests are made using
Dynamic Host Configuration Protocol. When the number of IP
requests for a particular MAC address exceeds the predefined
limit, it is identified as an attack.

Max. Number of Entries in Generic Signature Table

The maximum number of entries for concurrent active scanning
protections.

Max. Number of Signatures Configured by User

The maximum number of user-configurable IPS signatures.

Max. Number of Source IPs in Suspend Table

The maximum number of hosts that the Suspend table is able to
block simultaneously.
This value affects the abilities of other defenses, such as
Anti-Scanning, Service Cracking, and SYN protection.


Table 76: Security Tuning Parameters for DefensePro

Parameter

Description

Max. Number of HTTP Mitigator Suspect Sources

The maximum number of suspect sources in HTTP Mitigation
policies.
Values: 1000-500,000
Default: 100,000

Max. Number of Server Protection Servers

The maximum number of entries in the Server Protection policy.
Values: 100-10,000
Default: 350

Max. Number of BDoS Policies

The maximum number of configurable Behavioral DoS policies.
Values: 1-100
Default: 10

Max. Number of DNS Policies

The maximum number of configurable DNS Flood Protection
policies.
Values: 1-100
Default: 10

Max. Number of Anti-Scanning IP Pairs

The maximum number of source IP addresses that the device
stores for anti-scanning purposes.
Values: 10,000-1,000,000
Default: 100,000

Max. Number of Entries in Counter Target Table

The maximum number of sessions in which a Destination address
is tracked.
Some attack signatures use thresholds per destination for
activation. The Counter Target Table counts the number of times
traffic to a specific destination matches a signature. When the
number of packets sent to a particular destination exceeds the
predefined limit, it is identified as an attack.
Values: 100-65,536
Default: 65,536

Max. Number of Entries in Counter Source Table

The maximum number of sessions in which a source address is
tracked.
Some attack signatures use thresholds per source for activation.
The Counter Source Table counts the number of times traffic
from a specific source matches a signature. When the number of
packets sent from a particular source exceeds the predefined
limit, it is identified as an attack.
Values: 100-65,536
Default: 65,536


Max. Number of Entries in Counter Source and Target Table

The maximum number of sessions in which Source and
Destination addresses are tracked.
Some signatures use thresholds per source and destination for
activation. The Counter Source & Target Table counts the
number of times traffic from a specific source to a specific
destination matches a signature. When the number of packets
sent from a particular source to a particular destination exceeds
the predefined limit, it is identified as an attack.
Values: 100-65,536
Default: 65,536

Max. Number of Concurrent Active DoS Shield Protections

The maximum number of filters tracked.
DoS Shield filters use thresholds for activation. This table counts
the number of times traffic matches a DoS Shield signature per
policy. When the number of packets exceeds the predefined limit,
it is identified as an attack.
Values: 100-16,000
Default: 10,000

Max. Number of Entries in Counters Report

The maximum number of entries for reports on active concurrent
Tracking Signatures attacks.
Values: 100-64,000
Default: 20,000

Max. Number of Entries in Counters Server Cracking Protection

The maximum number of entries for concurrent active Server
Cracking protections.
When the Server Cracking protection feature is enabled,
DefensePro uses one entry in this table whenever DefensePro
receives a response from the server that can indicate a potential
Server Cracking attack. The entry includes the IP address of the
potential attacker, the protected server, and the protocol. The
entry remains in use as long as DefensePro receives such server
responses.
Values: 100-65,536
Default: 100

Max. Number of Entries in DHCP Table

The number of MAC addresses to check for IP requests.
The DHCP Discover table detects attacks by counting the IP
requests for each MAC address. The requests are made using
Dynamic Host Configuration Protocol. When the number of IP
requests for a particular MAC address exceeds the predefined
limit, it is identified as an attack.
Values: 100-64,000
Default: 100

Max. Number of Entries in Generic Signature Table

The maximum number of entries for concurrent active scanning
protections.
Values: 100-100,000
Default: 10,000


Max. Number of Signatures Configured by User

The maximum number of user-configurable IPS signatures and
RSA signatures. DefensePro can store up to 500 concurrent RSA
signatures.
Values: 10-10,000
Default with fraud protection not enabled: 100
Default with fraud protection not enabled: 3,000
Note: RSA signatures on the device accumulate until the
device ages them. The device ages RSA signatures
according to the specified aging times, Phishing
Signatures Aging, Drop Points Aging, and Malicious
Download Aging. If the Max. Number of Signatures
Configured by User is greater than 500, and number of
RSA signatures reaches 500, you cannot add any new
RSA signature. If you must add new RSA signatures
immediately, you can reduce the aging time, add the
RSA signature, and increase the aging time as
appropriate.

Max. Number of Source IPs in Suspend Table

The maximum number of hosts that the Suspend table is able to
block simultaneously.
This value affects the abilities of other defenses, such as
Anti-Scanning, Server Cracking, and SYN protection.
Values: 1000-100,000
Default: 10,000

Max. Number of Concurrent Connection Packet Rate Limit Attacks

The maximum number of concurrent Connection Packet Rate
Limit attacks that the device can handle.
Values: 5-1000
Default: 50

Configuring SYN Protection Tuning for DefensePro


SYN Flood Protection tuning is relevant for DefensePro only.
SYN tables are used to define SYN Flood protection.

To configure SYN Protection tuning


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > SYN Protection.
2. Configure the tuning parameters.


Table 77: SYN Protection Tuning Parameters

Parameter

Description

SYN Protection Table

The number of entries in the table that stores data regarding the
delayed binding process. An entry exists in the table from the
time a client starts the three-way handshake until the handshake
is complete.
Values: 10-500,000
Default: 200,000

SYN Protection Requests Table

The number of entries in the table that stores the ACK, or data
packet, the client sends, until the handshake with the server is
complete and the packet is sent to the server.
The Request table and the SYN Protection table are
approximately the same size while the Triggers table is much
smaller.
Values: 10-500,000
Default: 200,000

SYN Protection Signature Detection Entries

The number of entries in the table that stores active triggers,
that is, the destination IP addresses/ports from which the device
identifies an ongoing attack.
Values: 1000-20,000
Default: 1000

SYN Statistics Entries

The number of entries in the SYN Flood Statistics table.
Values: 1000-20,000
Default: 1000

Configuring Authentication Table Tuning


Authentication Table tuning is available only in DefensePro 6.00 and later.

To configure Authentication Table tuning


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > Authentication Tables.
2. Configure the tuning parameters.

Table 78: Authentication Table Tuning Parameters

Parameter

Description

Authentication Table Tuning

HTTP Authentication Table Size

The number of sources in the HTTP Authentication table.
DefensePro uses the HTTP Authentication table in HTTP Flood
profiles and the HTTP Authentication feature in a SYN Protection
profile.
Values: 500,000-2,000,000
Default: 2,000,000


TCP Authentication Table Size

The number of sources in the TCP Authentication table.
DefensePro uses the TCP Authentication table for the Safe Reset
Authentication Method feature in SYN Protection profiles.
Values: 500,000-2,000,000
Default: 2,000,000
Note: For x412 platforms, the value is fixed at the default
2,000,000, and cannot be tuned.

Authentication Tables Aging

This group box and the parameters in it are available only in DefensePro 6.05 and later.

HTTP Authentication Table Aging

The time, in seconds, that the device keeps idle sources in the
HTTP Authentication table.
Values: 60-3600
Default: 1200

TCP Authentication Table Aging

The time, in seconds, that the device keeps idle sources in the
TCP Authentication table.
Values: 60-3600
Default: 1200

DNS Authentication Table Aging

The time, in minutes, that the device keeps idle sources in the
DNS Authentication table.
Values: 1-60
Default: 20
Note: The DNS Authentication Table Aging text box is
empty if DNS Flood Protection has not been enabled on
the device (Configuration perspective > Security
Settings > DNS Flood Protection > Enable DNS
Flood Protection). You can, however, enter a value
even if DNS Flood Protection is not enabled, and the
value will persist.

Configuring Classifier Tuning


APSolute Vision supports the classifier (that is, Classes) module in AppDirector 2.30 and later and
DefensePro 5.10 and later.
A Classifier packet first flows into the system through the classifier. The classifier handles the packet
according to the Bandwidth Management policy that best matches the packet and by these tuning
parameters. You can view and edit the Classifier tuning parameters. The changes take effect after a
device reset.

To configure classifier tuning


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > Classifier.
2. To change the current setting, enter the new value in the After Reset column.

3. Click (Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.

Note: Radware recommends performing a memory check before rebooting the device.

Table 79: Classifier Tuning Parameters

Parameter

Description

Max. Number of Networks

The maximum number of entries in the table for ranges.
Values: 32-10,000
Default: 256

Max. Number of Discrete IP Addresses per Network

The maximum number of entries in the table for IP addresses
that are allocated to a network.
Values: 16-1024
Default: 64

Max. Number of Subnets per Network

The maximum number of entries in the table for network
subnets.
Values: 16-256
Default: 64

Max. Number of MAC Groups

The maximum number of entries in the table for MAC groups.
Values: 16-2048
Default: 128

Max. Number of Filter Entries

The maximum number of entries in the table for basic filters.
Values: 512-2048
Default: 512

Max. Number of AND Groups

The maximum number of entries in the advanced filters table for
AND groups.
Values: 256-2048
Default: 256

Max. Number of OR Groups

The maximum number of entries in the advanced filters table for
OR groups.
Values: 256-2048
Default: 256

Max. Number of Application Ports Groups

The maximum number of entries in the table for application port
groups.
Values: 32-2000
Default: 512

Max. Number of Content Entries

The maximum number of content entries in the table.
Values: 16-4096
Default: 256


Configuring BWM Tuning


APSolute Vision supports the Bandwidth Management module in AppDirector 2.30 and later and
DefensePro 5.10 and later.
You can view and edit the bandwidth-management (BWM) tuning parameters. The changes take
effect after a device reset.

To configure BWM tuning


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > BWM.
2. To change the current setting, enter the new value in the After Reset column.
3. Click (Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.

Note: Radware recommends performing a memory check before rebooting the device.

Table 80: BWM Tuning Parameters

Parameter

Description

Policy Table

The number of policy entries in the table.
Values for AppDirector: 2–10,000
Values for DefensePro: 256–150,000
Default: 1024

Policy Leaves

The percentage of hierarchical BWM leaves (that is, hierarchical BWM policies without a child
policy) out of the total number of policies that the device supports.
Values: 50–100
Default: 100

BW per Traffic Flow sessions tracking

The number of traffic flows for which the device can provide bandwidth or limit the number of
sessions.
Values: 16–400,000
Default: 2048

Destination Table

Displays the number of destination address entries in the table.
Values: 64–128,000
Default: 256

Configuring SDM Tuning


SDM tuning is available only in DefensePro 6.00 and later.


To configure SDM tuning


1. In the Configuration perspective Advanced Parameters tab navigation pane, select
Tuning Parameters > SDM.
2. Configure the tuning parameter.

Table 81: SDM Tuning Parameter

Parameter

Description

SDM Table Size

The size of the SDM table.


Values: Small, Medium, Large
Default: Medium


Chapter 6 Device Network Configuration


You can perform the following networking configuration tasks for managed devices:

Configuring Device IP Interfaces
Managing IP Routing
Configuring Ports
Configuring AppDirector Redundancy
Configuring AppDirector VLANs
Configuring Segmentation for AppDirector
Configuring AppDirector Advanced Networking Parameters
Configuring DefensePro Redundancy
Configuring Basic Networking Parameters in DefensePro
Configuring Port Pairs for DefensePro
Configuring SSL Inspection for DefensePro

Configuring Device IP Interfaces


AppDirector and DefensePro perform routing between all IP interfaces defined on their Layer 2
interfaces (ports, trunks, and VLANs). They also perform routing based on other network layers,
such as Layer 4 and Layer 7.

To configure IP interfaces
1. In the Configuration perspective Networking tab navigation pane:
   - (AppDirector) Select IP Interfaces.
   - (DefensePro) Select IP Management.
2. Do one of the following:
   - To add an IP interface, click the (Add) button.
   - To edit an IP interface, double-click the row.
3. Configure the parameters; and then, click OK.


Table 82: IP Interface Parameters

Parameter

Description

IP Address

IP address of the interface.

Prefix Length
(This parameter is available only in AppDirector 2.30 and later.)

The prefix length that defines the subnet attached to this IP interface.
For IPv4, the prefix length varies from subnet to subnet, and renumbering subnets can be
expensive. With IPv4, the allocation varies according to the size of the site, which can be a
problem when you migrate from one ISP to another.
IPv4 values: 0–32
For IPv6, the prefix length is a decimal value that indicates the number of contiguous,
higher-order bits of the address that comprise the network portion of the address. For example,
10FA:6604:8136:6502::/64 is a possible IPv6 prefix. The prefix length for an IPv6 subnet will
always be less than 64. It allows you to place as many IPv6 devices as the underlying network
medium allows.
IPv6 values: 0–64

Mask
(This parameter is available only in DefensePro and AppDirector versions prior to 2.30.)

The associated subnet mask.

Interface Index
(This parameter is available only in AppDirector 2.30 and later.)

The interface identifier, for example, G-1. The configured trunk and VLAN interfaces are
included in the list.

Port
(This parameter is available only in DefensePro and AppDirector versions prior to 2.30.)

The interface identifier, for example, G-1. In AppDirector, the configured trunk and VLAN
interfaces are included in the list.

Forward Broadcast
(This parameter is available only for IPv4 interfaces.)

Specifies whether the device forwards incoming broadcasts to this interface.
Default: Enabled

Broadcast Address
(This parameter is displayed only for IPv4 interfaces.)

Specifies whether to fill the host ID in the broadcast address with ones or zeros.
Values:
Fill 1: Fill the host ID in the broadcast address with ones.
Fill 0: Fill the host ID in the broadcast address with zeros.
Default: Fill 1

VLAN Tag

The VLAN tag to be associated with this IP Interface. When multiple VLANs are associated with
the same switch port, the switch must identify to which VLAN to direct incoming traffic from
that specific port. VLAN tagging provides an indication in the Layer 2 header that enables the
switch to make the correct decision.

Peer IP Address

The IP address of the interface on the peer device, which is required in a redundant
configuration, that is, a cluster for high availability.
Default: 0.0.0.0


Prefix Onlink
(This parameter is displayed only for IPv6 interfaces in AppDirector 2.30 and later.)

Specifies whether the addresses with that prefix can be reached directly without going through
a router. The prefix list in the Neighbor Discovery cache table defines a set of IP address
ranges that the host can reach. The prefix flags are L for on-link, and A for autonomous.
Default: Enabled

Prefix Autonomous
(This parameter is displayed only for IPv6 interfaces in AppDirector 2.30 and later.)

Specifies whether the prefix came from stateless autoconfiguration. The prefix list in the
Neighbor Discovery cache table defines a set of IP address ranges that the host can reach. The
prefix flags are L for on-link, and A for autonomous.
Default: Disabled

Preferred Lifetime
(This parameter is displayed only for IPv6 interfaces in AppDirector 2.30 and later.)

The router advertisement preferred life time, in seconds.
Values: 1–Infinite
Default: Infinite

Valid Lifetime
(This parameter is displayed only for IPv6 interfaces in AppDirector 2.30 and later.)

The router advertisement valid life time, in seconds.
Values: 1–Infinite
Default: Infinite

Address Origin
(This parameter is displayed only in AppDirector 2.30 and later.)

(Read-only) The origin of the address.
Values:
other: The address may include a randomly chosen address or well-known value, for example, an
IANA-assigned anycast address.
manual: The address was manually configured.
dhcp: The address was assigned to this system by a DHCP server.
linklayer: The address was created by IPv6 stateless autoconfiguration.


Status
(This parameter is displayed only in AppDirector 2.30 and later.)

(Read-only) The current status of the IP interface.
Values:
Preferred: This is a valid address that can appear as the destination or source address of the
packet.
Deprecated: This is a valid but deprecated address that should no longer be used as a source
address in new communications, but packets addressed to such an address are processed as
expected.
Invalid: This is not a valid address and should not appear as the destination or source address
of a packet.
Inaccessible: The address is not accessible because the interface to which this address is
assigned is not operational.
Unknown: This address is unknown.
Tentative: The uniqueness of the address on the link is being verified.
Duplicate: The address has been determined to be non-unique on the link and so must not be used.
Optimistic: The address is available for use, subject to restrictions, while its uniqueness on
a link is being verified. This value is designed to minimize address configuration delays and
to reduce disruption.

Managing IP Routing
Radware devices forward IP packets to their destination using an IP routing table. This table stores
information about the destinations and how they can be reached. By default, all networks directly
attached to the device are registered in the IP routing table. Other entries can either be statically
configured or dynamically created through the routing protocol.
The following topics describe how to configure IP routing:

Configuring IP Routing in AppDirector
Configuring IP Routing in DefensePro

Configuring IP Routing in AppDirector


When an AppDirector device forwards an IP packet, the IP Routing table is used to determine the
next-hop IP address and the next-hop interface as follows:

For a direct delivery (the destination is a neighboring node), the next-hop MAC address is the
destination MAC address for the IP packet.

For indirect delivery (the destination is not a neighboring node), the next-hop MAC address is
the IP router address according to the IP Routing table.

The destination IP address does not change from source to destination. The destination MAC
(Layer 2 information) is manipulated to move a packet across networks.

The MAC of the destination host is applied once the packet arrives on the destination network.

Dynamic addition and deletion of IP interfaces is supported. This ensures that extremely low latency
is maintained. The IP router supports the RIP 1, RIP 2, and OSPF routing protocols. OSPF and its MIB
are supported as specified in RFC 1583 and RFC 1850, with some limitations. You can configure static
routing and define the default gateway.

To configure static routes


1. In the Configuration perspective Networking tab navigation pane, select IP Routing.
2. Do one of the following:
   - To add an entry in AppDirector 2.30 and later, click the (Add) button; and then, choose
     the option for the IP version that you require.
   - To add an entry in AppDirector versions prior to 2.30, click the (Add) button.
   - To edit an entry, double-click the entry in the table.
3. Configure the parameters; and then, click OK.
4. Configure the static route settings and click OK.
5. Configure global advanced parameters, if required.

Notes:
>> When editing a static route, you can modify only the Via Interface and Metric fields.
>> The Type field is displayed only in the Static Routes Table, not in the dialog box. It
cannot be configured.

Table 83: Static Route Parameters

Parameter

Description

Destination Network

The destination network to which the route is defined.

Prefix Length
(This parameter is available only in AppDirector 2.30 and later.)

The prefix length that defines the subnet attached to this IP interface.
For IPv4, the prefix length varies from subnet to subnet, and renumbering subnets can be
expensive. With IPv4, the allocation varies by the size of the site, which can be a problem when
you migrate from one ISP to another.
For IPv6, the prefix length is a decimal value that indicates the number of contiguous,
higher-order bits of the address that make up the network portion of the address. For example,
10FA:6604:8136:6502::/64 is a possible IPv6 prefix. The prefix length for an IPv6 subnet will
always be less than 64. It allows you to place as many IPv6 devices as the underlying network
medium allows.
IPv4 values: 0–32
IPv6 values: 0–64

Netmask
(This parameter is not available in AppDirector 2.30 and later.)

Network mask of the destination subnet.


Next Hop

IP address of the next hop toward the Destination subnet. (The next hop
always resides on the subnet local to the device.)

Via Interface

The local interface or VLAN through which the next hop of this route is
reached. This can be the port name, trunk name, or VLAN ID.

Type

(Read-only) This field is displayed in the Static Routes table.
Values:
Local: The subnet is directly reachable from the device.
Remote: The subnet is not directly reachable from the device.

Metric

The metric value defined or calculated for this route.
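
The direct and indirect delivery rules above, together with the Table 83 rule that the next hop always resides on a subnet local to the device, can be checked before a route is submitted. The following is an added example, not code from Radware or from this guide; the class and function names, the sample addresses, and the tie-break (longest prefix first, then connected subnet over static route, then lowest metric) are assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class IPInterface:
    name: str       # interface identifier, for example "G-1"
    address: str    # "IP Address/Prefix Length", for example "192.0.2.1/24"

    @property
    def iface(self):
        return ipaddress.ip_interface(self.address)


@dataclass(frozen=True)
class StaticRoute:
    destination: str   # "Destination Network/Prefix Length"
    next_hop: str      # Next Hop
    via: str           # Via Interface
    metric: int = 1    # Metric

    @property
    def network(self):
        return ipaddress.ip_network(self.destination)


def check_static_route(route, interfaces):
    """Return the problems found with one static route (empty list = consistent)."""
    hop = ipaddress.ip_address(route.next_hop)
    via = [i for i in interfaces if i.name == route.via]
    if not via:
        return [f"Via Interface {route.via} has no IP interface configured"]
    problems = []
    # Table 83: the next hop always resides on a subnet local to the device.
    if not any(hop in i.iface.network for i in via):
        problems.append(f"next hop {hop} is not on a subnet attached to {route.via}")
    if any(hop == i.iface.ip for i in interfaces):
        problems.append(f"next hop {hop} is one of the device's own addresses")
    return problems


def resolve(destination, interfaces, routes):
    """Return (delivery, next_hop, interface) for a destination, or None if unroutable."""
    dst = ipaddress.ip_address(destination)
    candidates = []
    for i in interfaces:
        if dst in i.iface.network:
            # Direct delivery: the destination is a neighbor, so it is its own next hop.
            candidates.append((i.iface.network.prefixlen, 1, 0, "direct", dst, i.name))
    for r in routes:
        if dst in r.network:
            # Indirect delivery: the packet is handed to the router named in the route.
            hop = ipaddress.ip_address(r.next_hop)
            candidates.append((r.network.prefixlen, 0, -r.metric, "indirect", hop, r.via))
    if not candidates:
        return None
    # Assumed tie-break: longest prefix, then connected over static, then lowest metric.
    best = max(candidates, key=lambda c: c[:3])
    return best[3], str(best[4]), best[5]


# Constructed sample configuration (documentation address ranges).
INTERFACES = [IPInterface("G-1", "192.0.2.1/24"), IPInterface("G-2", "198.51.100.1/24")]
ROUTES = [
    StaticRoute("203.0.113.0/24", "192.0.2.254", "G-1"),
    StaticRoute("0.0.0.0/0", "198.51.100.254", "G-2", metric=5),
]
BAD_ROUTE = StaticRoute("10.0.0.0/8", "172.16.0.1", "G-1")

if __name__ == "__main__":
    for route in ROUTES + [BAD_ROUTE]:
        print(route.destination, check_static_route(route, INTERFACES) or "ok")
    for dst in ("192.0.2.77", "203.0.113.9", "10.9.9.9"):
        print(dst, resolve(dst, INTERFACES, ROUTES))
```
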

Table 84: IP Routing Global Advanced Parameters

Parameter

Description

Enable Proxy ARP

When enabled, a network host answers ARP queries for the network address that is not configured
on the receiving interface. Proxying ARP requests on behalf of another host effectively directs
all LAN traffic destined for that host to the proxying host. The captured traffic is then routed
to the destination host via another interface.
Default: Enabled

Enable Sending Trap on ICMP Error

The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet
Protocol Suite and is used by networked computers' operating systems to send error messages,
indicating, for example, that a requested service is not available, or that a host or router
could not be reached.
When this option is enabled, a trap is sent when there is an ICMP error message.
Default: Enabled

Default Network
(This parameter is available only in AppDirector 1.07.12.)

The network from whose announcements the device will discover its default gateway.
AppDirector selects as default gateway the router that was announced as next hop router for the
default network with the best metric (lowest metric).
When a default network is configured, but the device also receives default route announcements,
the default gateway is selected according to default route announcements.

Configuring IP Routing in DefensePro


IP routing is performed between DefensePro IP interfaces, while bridging is performed within an IP
interface that contains an IP address associated with a VLAN.


To configure IP routing
1. In the Configuration perspective Networking tab navigation pane, select IP Management > IP
Routing.
2. Do one of the following:
   - To add a static route, click the (Add) button.
   - To edit a static route, double-click the row.
3. Configure the static route settings and click OK.
4. Configure global advanced parameters, if required.

Notes:
>> When editing a static route, you can modify only the Via Interface and Metric fields.
>> The Type field is displayed only in the Static Routes Table, not in the dialog box. It
cannot be configured.

Parameter

Description

Enable Proxy ARP

When enabled, a network host answers ARP queries for the network address that is not configured
on the receiving interface. Proxying ARP requests on behalf of another host effectively directs
all LAN traffic destined for that host to the proxying host. The captured traffic is then routed
to the destination host via another interface.
Default: Enabled

Enable Sending Trap on ICMP Error

The Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet
Protocol Suite and is used by networked computers' operating systems to send error messages,
indicating, for example, that a requested service is not available, or that a host or router
could not be reached.
Default: Enabled
Note: When this option is enabled, a trap is sent when there is an ICMP error message.

Configuring ICMP
Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite
and is used by networked computers' operating systems to send error messages, indicating, for
instance, that a requested service is not available or that a host or router could not be reached.

To modify ICMP interface parameters


1. In the Configuration perspective Networking tab navigation pane:

(AppDirector) Select IP Routing > ICMP.

(DefensePro) Select IP Management > IP Routing > ICMP.

2. Double-click the row.
3. Configure the ICMP settings and click OK.

Table 85: ICMP Interface Settings

Parameter

Description

IP Address

IP address of the interface.

Destination Address

IP destination address for multicast Router Advertisements sent from the interface.
Values:
224.0.0.1: The All Hosts multicast group that contains all systems on the same network segment
255.255.255.255: The limited-broadcast address

Advertise Interval

Minimum

The minimum time, in seconds, between sending unsolicited multicast Router Advertisements from
the interface.
Values: 3–maximum specified interval
Default: 75% of the maximum specified interval

Maximum

The maximum time, in seconds, between multicast Router Advertisements from the interface.
Values: minimum specified interval–1800

Lifetime

The maximum time, in seconds, that the advertised addresses are considered valid.
Values: Maximum specified interval–9000
Default: Three times (3) the maximum interval

Advertise this Interface

Enables you to advertise the device IP using ICMP Router Advertise.

Preference Level

The preference level of the address as the default router address, relative to other router
addresses on same subnet.

Reset all Parameters to Default

Resets ICMP interface parameters to default values.

Configuring the ARP Table


When Proxy ARP is enabled, a network host answers ARP queries for the network address that is not
configured on the receiving interface. Proxying ARP requests on behalf of another host effectively
directs all LAN traffic destined for that host to the proxying host. The captured traffic is then routed
to the destination host via another interface.
You can configure and manage the static ARP entries on the local router.

To configure the ARP table


1. In the Configuration perspective Networking tab navigation pane:
   - (AppDirector) Select ARP Table.
   - (DefensePro) Select IP Management > ARP Table.

2. Do one of the following:
   - To add a new entry, click the (Add) button.
   - To edit an entry, double-click the row.
3. Configure the ARP parameters and click OK.
4. Modify advanced parameters, if required; and then click (Submit) to submit the changes.

Table 86: ARP Parameters

Parameter

Description

Port

The interface number where the station resides.

IP Address

The station's IP address.

MAC Address

The station's MAC address.

Type

Entry type.
Values:
Other: Not Dynamic or Static.
Invalid: Invalidates ARP entry and effectively deletes it.
Dynamic: Entry is learned from ARP protocol. If the entry is not active for a predetermined
time, the node is deleted from the table.
Static: Entry has been configured by the network management station and is permanent.

Table 87: Advanced Parameters

Parameter

Description

Inactive ARP Timeout

The time, in seconds, that inactive ARP cache entries can remain in the
ARP table before the device deletes them. If an ARP cache entry is not
refreshed within a specified period, it is assumed that there is a problem
with that address.
Values: 1–9999999
Default: 60000
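
Because Proxy ARP lets one host answer for another host's address, it helps to review the ARP table against the bindings you expect. The following audit is an added example, not part of the guide or of any Radware tool; the row layout follows the columns of Table 86, and the sample rows, the baseline, the finding names, and the per-MAC threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample rows in the column order of Table 86:
# Port, IP Address, MAC Address, Type.
ARP_TABLE = [
    ("G-1", "192.0.2.1", "00:00:5e:00:53:01", "Static"),
    ("G-1", "192.0.2.20", "00:00:5e:00:53:20", "Dynamic"),
    ("G-1", "192.0.2.21", "00:00:5e:00:53:aa", "Dynamic"),
    ("G-1", "192.0.2.22", "00:00:5e:00:53:aa", "Dynamic"),
    ("G-1", "192.0.2.23", "00:00:5e:00:53:aa", "Dynamic"),
    ("G-1", "192.0.2.30", "00:00:5e:00:53:30", "Invalid"),
    ("G-2", "198.51.100.1", "00-00-5E-00-53-02", "Dynamic"),
]

# Constructed baseline: addresses whose MAC address is known and should not change.
EXPECTED = {
    "192.0.2.1": "00:00:5e:00:53:01",
    "192.0.2.20": "00:00:5e:00:53:99",
    "198.51.100.1": "00:00:5e:00:53:02",
}


def normalize_mac(mac):
    """Return a MAC address as lower-case, colon-separated hex."""
    digits = mac.lower().replace(":", "").replace("-", "").replace(".", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def audit_arp(table, expected, max_ips_per_mac=2):
    """Return findings as (kind, port, ip, mac) tuples.

    mac-mismatch      the entry's MAC differs from the baseline for that IP
    not-static        a baselined IP has the right MAC but is not a Static entry
    many-ips-one-mac  one MAC answers for more than max_ips_per_mac addresses on
                      a port, which is how a proxying host appears in the table
    """
    findings = []
    ips_by_mac = defaultdict(set)
    for port, ip, mac, entry_type in table:
        if entry_type == "Invalid":
            continue  # Table 86: an Invalid entry is effectively deleted
        mac = normalize_mac(mac)
        ips_by_mac[(port, mac)].add(ip)
        pinned = expected.get(ip)
        if pinned is None:
            continue
        if normalize_mac(pinned) != mac:
            findings.append(("mac-mismatch", port, ip, mac))
        elif entry_type != "Static":
            findings.append(("not-static", port, ip, mac))
    for (port, mac), ips in sorted(ips_by_mac.items()):
        if len(ips) > max_ips_per_mac:
            findings.append(("many-ips-one-mac", port, ",".join(sorted(ips)), mac))
    return findings


if __name__ == "__main__":
    for finding in audit_arp(ARP_TABLE, EXPECTED):
        print(*finding)
```
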

Configuring Spanning Tree Protocol in AppDirector


Spanning Tree Protocol (STP) prevents loops in networks and environments where there is more
than one path through which the traffic may pass. If a packet has numerous links, it can choose
which path to use, which may cause loops in the network. The STP algorithm makes a calculation
based on various parameters including the preferred path and logically blocks all other paths.
AppDirector supports the Rapid Spanning Tree Protocol (backwards compatible with STP), allowing
you to configure Spanning Tree on each VLAN of the device. Different VLANs may have different STP
settings.


Notes:
>> STP is not supported on OnDemand Switch 1 platforms.
>> Spanning Tree is supported only for IP-Regular and IP-Switch VLANs.
>> When working with STP in a redundant configuration, the VRRP redundancy mechanism
must be used, and the primary device must have the lowest Bridge ID.

Configuring STP Global Parameters and Defaults

To configure the STP basic parameters and defaults


1. In the Configuration perspective Networking tab navigation pane, select STP.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 88: STP Basic Parameters and Defaults

Parameter

Description

Enable Spanning Tree

Specifies whether the device enables STP.
Default: Disabled

Defaults

Bridge Priority

The default priority of bridge. The lower the value, the higher the priority.
Values: 0–61440. The values are in multiples of 4096.
Default: 32768

Hello Time Interval

The interval, in seconds, between two BPDU packets sent by device.
Values: 1–10
Default: 2

Bridge Max. Aging

The maximum time, in seconds, the device waits for a BPDU packet before it tries to
re-configure.
Values: 6–40
Default: 20

Forward Delay

The time, in seconds, that the device waits before changing the state of the port.
Values: 4–30
Default: 15

Port Priority

The port priority. When two (or more) ports have the same value, the device uses the port with
the lowest MAC address.
Values: 0–240
Default: 128


Configuring Spanning Tree Instances


When there is more than one VLAN on the device, each VLAN can run its own instance of a Spanning
Tree with different parameters for each VLAN. When there are multiple VLANs on the device, you can
enable and disable the Spanning Tree for each VLAN.

Note: Spanning Tree per VLAN is supported only when the VLANs do not share any physical
ports (each VLAN has its own physical ports).

To configure Spanning Tree Instances


1. In the Configuration perspective Networking tab navigation pane, select STP > Instances.
2. Double-click the VLAN ID to edit.
3. Configure the parameters; and then, click OK.

Table 89: STP Instance Parameters

Parameter

Description

VLAN ID

The VLAN to apply these settings to. Alternatively, you may apply the
settings to multiple VLANs.

Enable STP

Specifies whether STP is enabled on the VLAN.

Bridge Priority

The default priority of the bridge.
Values: 0–61440. The values are in multiples of 4096.
Default: 32768

Hello Time Interval

The interval, in seconds, between two BPDU packets sent by device.
Values: 1–10
Default: 2

Aging Time

The maximum time, in seconds, that the device waits for a BPDU packet before it tries to
re-configure.
Values: 6–40
Default: 20

Forward Delay Time

The time, in seconds, the device waits before changing the state of the port.
Values: 4–30
Default: 15

Configuring STP Ports


Within each VLAN, you can configure the behavior of individual physical ports. For example, ports
connected directly to servers do not need to wait for the forward delay timer to expire before they
start forwarding traffic. You can enable Mode Fast, which enables the device to forward traffic as
quickly as possible. You can also exclude any physical port from participating in the STP algorithm.


To configure Spanning Tree ports


1. In the Configuration perspective Networking tab navigation pane, select STP > Ports.
2. Double-click the port to edit.
3. Configure the parameters; and then, click OK.

Table 90: STP Instance Parameters

Parameter

Description

Port ID

(Read-only) The identifier of the selected port.

VLAN ID

(Read-only) The VLAN to which the physical port belongs.

Enable STP

Specifies whether STP is supported on the port. When disabled, the physical port does not
participate in STP.
Default: Enabled

Priority

The port priority. When two (or more) ports have the same value, the device uses the port with
the lowest MAC address.
Values: 0–240. The values are in multiples of 16.
Default: 128

Path Cost

The spanning tree path cost for this port. The values are defined according to port speed, but
you can also change the value.
Port speed versus path cost:
10 Mbps: 100
100 Mbps: 19
1 Gbps: 4
10 Gbps: 2
Values: 1–65,535

Enable Fast Mode

Specifies whether the port changes its status to the forwarding state.
Default: Disabled
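
A planned STP configuration can be checked offline against the value ranges in Tables 88 to 90 and against the notes on redundancy and per-VLAN instances. The following validator is an added example, not Radware code; its names and sample values are assumptions, and the timer relationship in check_timers comes from IEEE 802.1D rather than from this guide, which does not say whether the device enforces it.

```python
from itertools import combinations

# name: (minimum, maximum, step), as listed in Tables 88-90 of this guide
LIMITS = {
    "bridge_priority": (0, 61440, 4096),
    "hello_time": (1, 10, 1),
    "max_age": (6, 40, 1),
    "forward_delay": (4, 30, 1),
    "port_priority": (0, 240, 16),
    "path_cost": (1, 65535, 1),
}


def check_ranges(settings):
    """Check each known setting against its documented range and step."""
    problems = []
    for name, value in settings.items():
        if name not in LIMITS:
            continue
        low, high, step = LIMITS[name]
        if not low <= value <= high:
            problems.append(f"{name}={value} is outside {low}-{high}")
        elif value % step:
            problems.append(f"{name}={value} is not a multiple of {step}")
    return problems


def check_timers(hello_time, max_age, forward_delay):
    """IEEE 802.1D: 2 x (forward_delay - 1) >= max_age >= 2 x (hello_time + 1)."""
    problems = []
    if max_age < 2 * (hello_time + 1):
        problems.append(f"max_age {max_age} < 2 x (hello_time + 1) = {2 * (hello_time + 1)}")
    if max_age > 2 * (forward_delay - 1):
        problems.append(f"max_age {max_age} > 2 x (forward_delay - 1) = {2 * (forward_delay - 1)}")
    return problems


def bridge_id(priority, mac):
    """Bridge ID ordering: priority first, then MAC address; the lower ID wins."""
    return (priority, int(mac.replace(":", "").replace("-", ""), 16))


def check_redundant_pair(primary, backup):
    """Note in this guide: the primary device must have the lowest Bridge ID."""
    if bridge_id(*primary) >= bridge_id(*backup):
        return ["primary device does not have the lowest Bridge ID"]
    return []


def vlans_sharing_ports(vlan_ports):
    """Per-VLAN STP is supported only when VLANs share no physical ports."""
    clashes = []
    for (a, ports_a), (b, ports_b) in combinations(sorted(vlan_ports.items()), 2):
        common = ports_a & ports_b
        if common:
            clashes.append((a, b, sorted(common)))
    return clashes


if __name__ == "__main__":
    # Constructed sample plan.
    plan = {"bridge_priority": 30000, "hello_time": 2, "max_age": 20,
            "forward_delay": 15, "port_priority": 128, "path_cost": 4}
    print(check_ranges(plan))
    print(check_timers(plan["hello_time"], plan["max_age"], plan["forward_delay"]))
    print(check_redundant_pair((32768, "00:00:5e:00:53:02"), (32768, "00:00:5e:00:53:01")))
    print(vlans_sharing_ports({10: {"G-1", "G-2"}, 20: {"G-2", "G-3"}, 30: {"G-4"}}))
```
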

Configuring NHRs in AppDirector


Each host or router handling a packet examines the destination address in the IP header, computes
the next hop that will bring the packet one step closer to its destination, and delivers the packet to
the next hop, where the process is repeated. A next-hop router (NHR) is a network element used for
outbound traffic in AppDirector multi-homing configurations. NAT addresses can be associated with
NHRs, similar to the way VIPs are associated with NHRs. The device's next-hop routers are listed in
the NHR table.
All next-hop routers connected to the AppDirector are defined in the NHR table. NHRs are associated
with the Virtual IP addresses of the device using the VIP NHR table.


To configure NHRs
1. In the Configuration perspective Networking tab navigation pane, select IP Routing > NHRs.
2. Do one of the following:
   - To add an NHR entry, click the (Add) button.
   - To edit an NHR entry, double-click the row.
3. Configure NHR parameters and click OK.

Table 91: NHR Parameters

Parameter

Description

NHR IP Address

IP address of required NHR (next-hop router).

Enabled

The status of the NHR, enabled or disabled.

Physical Port

(View-only in NHR table) The number of the selected management port.

Health Check Method

Method that device uses to verify the NHR's health via the Path Health Check IP, Ping or
Disable.

Path Health Check IP

IP address of network element to be checked via this NHR to establish the health status of
this router.

Interval (sec.)

Interval, in seconds, between checks.

Number of Retries

Amount of checks that the device should perform without reply before it acknowledges that the
router is offline.

Configuring VIP-NHR Interfaces in AppDirector


You can associate a next hop router, configured in the NHR Table, to a virtual IP address configured
on the device.
The VIP NHR table is enabled only when the packet is destined for the default gateway of the box.
When a packet matches a static route, it is not destined for the default gateway, so in these
instances the VIP NHR table is not enabled. The NHR per VIP feature works only for traffic that
matches the device's default gateway.
Before defining the VIP NHR table, add a new NHR to the network and set up the general NHR
parameters.

To configure VIP-NHR interfaces


1. In the Configuration perspective Networking tab navigation pane, select IP Routing > VIP-NHR.
2. Do one of the following:
   - To add a VIP-NHR entry, click the (Add) button.
   - To edit a VIP-NHR entry, double-click the row.
3. Configure the parameters; and then, click OK.

Table 92: VIP-NHR Parameters

Parameter

Description
Health Check

VIP Address

The required Virtual IP address.

Load Sharing

Enable/disable load sharing between primary and backup next hop routers, based on relative
weights.
Values:
Layer 3 Hashing: Traffic sent through both configured and backup NHR. Load sharing is based on
Layer 3 information (IP address).
Layer 4 Hashing: Traffic sent through both configured and backup NHR. Load sharing is based on
Layer 4 information (IP address and port).
Disabled: Traffic sent via configured NHR only.
Default: Disabled

No Route Action

Determines action if both primary and backup next hop routers are offline.
Values:
Discard: The packets are discarded.
Use Regular Routing: Packets are forwarded using Routing Table.

Main NHR
IP Address

The IP address of the required next hop router.

Weight

The relative amount of total traffic forwarded to the primary router when
Load Sharing is enabled.

Backup NHR
IP Address

The IP address of the backup next hop router.

Weight

The relative amount of total traffic forwarded to the backup router when Load
Sharing is enabled.

Configuring RIP in AppDirector


This feature is available only in AppDirector 1.07.12.
Routing Information Protocol (RIP) is a commonly used protocol for managing router information
within a self-contained network, such as a corporate Local Area Network (LAN) or an interconnected
group of such LANs. RIP is classified by the Internet Engineering Task Force (IETF) as one of several
internal gateway protocols (Interior Gateway Protocol). RIP is intended for small homogeneous
networks.
Using RIP, a gateway host (with a router) sends its entire Routing Table, which lists all the other
hosts that it recognizes, to its closest neighbor host every 30 seconds. The neighbor host then
passes the information on to its next available neighbor until all hosts within the network have the
same knowledge of the routing paths. This is known as Network Convergence. RIP uses a hop count
as a means to determine network distance. Each host with a router in the network uses the Routing
Table information to determine the next host to route a packet to a specified destination.
AppDirector supports RIP version 1 and RIP version 2.
VIP Advertising via Dynamic Routing enables you to achieve a redundant solution by using a single
AppDirector on each site, or by using a single AppDirector and a remote backup server within the
RIP or OSPF environment.


To configure RIP
1. In the Configuration perspective Networking tab navigation pane, select IP Routing > RIP.
2. Enable RIP and configure routes distribution.
3. To add or edit RIP interfaces, do one of the following:
   - To add a RIP interface, click the (Add) button.
   - To edit an entry, double-click the row.
4. Configure the RIP interface settings and click OK.

Table 93: RIP Parameters

Parameter

Description

Enable RIP

Select to enable RIP in the router. When disabled, the process is not
active on any interface.

Routes Redistribution
Redistribute Static Routes

When enabled, all static routes learned via static are advertised into
RIP.

Redistribute RIP Routes

When enabled, all routes learned via OSPF are advertised into RIP.

Advertisement Interval

The RIP Advertisement interval, in seconds, where AppDirector sends static routes
advertisements via RIP.
Values: 1–65,535
Default: 30

Table 94: RIP Interface Parameters

Parameter

Description

IP Address

The IP address of the RIP interface.

Enabled

When enabled, the RIP process is active on the interface.

Outgoing RIP

The type of RIP to send.
Values:
RIP version 1: Sending RIP updates compliant with RFC 1058.
RIP version 2: Multicasting RIP-2 updates.
Do Not Send: No RIP updates are sent.

Incoming RIP

The type of RIP to receive.
Values:
RIP 1: Accepting RIP 1.
RIP 2: Accepting RIP 2.
Do Not Receive: No RIP updates are accepted.

Default Metric

Metric for default route entry in RIP updates originated on this
interface. 0 (Zero) indicates that no default route must be originated;
here, a default route through another router is propagated.


Virtual Distance

Virtual number of hops assigned to the interface. This enables fine-tuning of the RIP routing algorithm.

Auto Send

Enable this option to minimize network traffic when AppDirector is the
only router on the network.
Note: When enabled, the device advertises RIP messages with the
default metric only. This allows some stations to learn the
default router address. If the device detects another RIP
message, Auto Send is disabled.

Configuring OSPF in AppDirector


Open Shortest Path First (OSPF) is an interior gateway routing protocol developed for IP networks
and based on the shortest path first or link-state algorithm. Routers use link-state algorithms to
send routing information to all nodes in a network by calculating the shortest path to each node
based on a topography of the Internet constructed by each node. After sending the routing
information, each router sends the portion of the routing table (keeping track of routers to particular
network destinations) that describes the state of its own links, and sends the complete routing
structure (topography). Shortest path first algorithms allow you to perform more frequent updates.
With OSPF you can build a more stable network, as fast convergence prevents routing loops and
Count-to-Infinity (when routers continuously increment the hop count to a particular network).
An OSPF network is divided into areas, which have 32-bit area identifiers commonly, but not always,
written in the dotted decimal format of an IP address. Area identifiers are not IP addresses and may
duplicate, without conflict, any IP address.

To configure OSPF
1. In the Configuration perspective Networking tab navigation pane, select IP Routing > OSPF.
2. Configure OSPF parameters.
3. To configure OSPF interfaces, select IP Routing > OSPF > OSPF Interfaces.

Table 95: OSPF Parameters

Parameter

Description

Enable OSPF

Select to enable OSPF in the router. When disabled, the process is not
active on any interface.

Router ID

ID number of router. To ensure uniqueness the router ID should be
defined as one of the router IP addresses.

Area ID

IP address of the area.

Import External Links into AS

When selected, imports Autonomous System external link
advertisements.

Route Redistribution
Redistribute RIP Routes

Controls the redistribution of routes from RIP into OSPF. When
enabled, all routes inserted into the IP routing table via SNMP are
advertised into OSPF as external routes.

Redistribute Static Routes

When enabled, all static routes learned via static are advertised into
RIP.

Redistribute External Direct Routes

Controls redistribution of direct routes external to OSPF into OSPF.
When enabled, all external routes are advertised into OSPF as
external.

Configuring OSPF Interfaces for AppDirector


You can add and update OSPF interface parameters and interface metrics.

To configure OSPF interfaces


1. In the Configuration perspective Networking tab navigation pane, select IP Routing > OSPF >
OSPF Interfaces.
2. To add or edit OSPF interfaces, do one of the following:

To add an OSPF interface, click the (Add) button.
To edit an entry, double-click the row.

3. Configure the OSPF interface parameters and click OK.

Table 96: OSPF Interface Parameters

Parameter

Description

Enabled

When selected, the OSPF process is active on at least one interface.
When disabled, the process is not active on any interface.

IP Address

IP address of the OSPF interface.

Priority

Priority of the interface. Value 0 means that this router is not eligible to
become the designated router on the current network. If more than
one router has the same priority, then router ID is used.

Hello Interval

Number of seconds between Hello packets. All routers attached to a
common network must have the same Hello Interval.

Dead Router Period

Number of seconds a router's Hello packets have not been seen before
the router's neighbors declare the router down. The Time Before Declare
Router Dead value must be a multiple of the Hello Interval. All routers
attached to a common network must have a Time Before Declare
Router Dead value.

Authentication Type

Type of authentication key for the interface.
Values:
No authentication
Simple password

Authentication Key

Authentication key for the interface, if Simple Password is selected.

Metric

The metric of using this type of service on this interface. The default
value of the TOS 0 Metric is 10.


Configuring Border Gateway Protocol in AppDirector


Dynamic routing protocols, such as Border Gateway Protocol (BGP), announce and distribute routing
information between routers. AppDirector provides a redundant solution by using AppDirector and a
remote backup server that participate in the BGP environment. AppDirector works as a BGP peer,
supporting a single BGP instance (local AS), and does not route traffic based on BGP information.

To configure BGP
1. In the Configuration perspective Networking tab navigation pane, select IP Routing > BGP.
2. Configure the basic BGP parameters.
3. Add or edit BGP peers as follows:
a. To add a BGP peer, click the (Add) button; or to edit an entry, double-click the row.
b. Configure the BGP peer settings in the BGP Peer Table and click OK.

Table 97: BGP Basic Parameters

Parameter

Description

Enable BGP

Enables or disables BGP.
Default: Disabled

AppDirector AS

The AppDirector's Autonomous System number.
Default: 65,535

Initial Connection Delay
(This parameter is available only in AppDirector 2.14.03 and later.)

The time, in seconds, to wait at device startup before establishing BGP
connections.
Values: 15120
Default: 15

Table 98: BGP Peer Table Parameters

Parameter

Description

Enabled

Enables or disables the BGP peer.
Default: Enabled

Peer IP Address

The IP address of the remote peer.

Connect Retry Time

The interval, in seconds, at which AppDirector will try to re-establish a
BGP connection with remote peer after TCP failure event.


Hold Time

The hold time, in seconds, offered by AppDirector during BGP
connection establishment.
During the hold time, a peer must receive a keepalive or an update
message from the remote peer to consider the BGP connection active.
Values:
0: Keepalive will not be sent by AppDirector, and AppDirector will
not expect keepalive messages from remote peer.
1-65,535
Default: 90

Keep Alive Interval

The interval, in seconds, used by AppDirector for sending keepalive
messages to the remote peer.
Values:
0: Keepalive messages are not sent.
1-65,535
Default: 30

Configuring the Neighbor Cache in AppDirector


This feature is available only in AppDirector 2.30 and later.
The neighbor cache keeps track of the neighbors on the local links with which AppDirector is in
contact. The neighbor cache is the IPv6 parallel of the ARP table. The neighbors are either
dynamically discovered using neighbor discovery protocol or statically configured.

To configure the neighbor cache


1. In the Configuration perspective Networking tab navigation pane, select IP Routing >
Neighbor Cache.
2. Do one of the following:

To add an entry in AppDirector 2.30 and later, click the (Add) button; and then, select
Add New IPv6 Neighbor Cache Entry.
To edit an entry, double-click the entry in the table.

3. Configure the parameters; and then, click OK.

Table 99: Neighbor Cache Parameters

Parameter

Description

Port

Interface identifier for neighbor cache entry.

IP Address

Neighboring node's IPv6 address.

MAC Address

MAC address corresponding to neighboring node's IPv6 address.


Type

The type of the neighbor-cache entry.
Values:
Dynamic
Invalid
Other
Static
Default: Static

State
(This parameter is exposed only for existing entries)

The number of times this neighbor relationship has changed state, or
an error has occurred.
Values:
Reachable
Stale
Delay
Probe
Invalid
Unknown
Incomplete

Configuring Ports
You can change the physical attributes of each port on the managed device, for example, speed
and duplex mode.
You can also configure port trunking to combine physical network links into a single logical link for
increased bandwidth.

To configure ports
1. In the Configuration perspective Networking tab navigation pane, select Port Configuration.
2. To change a port's configuration, double-click the row.
3. Configure the port settings and click OK.

Table 100: Port Configuration Parameters

Parameter

Description

Port

The index number of the port.

Speed

The traffic speed of the port.
Values: Ethernet, Fast Ethernet, Giga Ethernet, XG Ethernet
Note: According to standards, this parameter can be changed only for
copper ports. After this parameter is changed, auto-negotiation is
disabled.


Duplex Mode

Specifies whether the port allows both inbound and outbound traffic (Full
Duplex) or one way only (Half Duplex).
Note: According to standards, this parameter can be changed only for
copper ports with a speed lower than Gigabit Ethernet. After this
parameter is changed, auto-negotiation is disabled.

Auto Negotiation

Specifies whether the port automatically detects and configures the speed
and duplex mode for the interface.

Configuring Link Aggregation


Use link aggregation, also called port trunking, to combine physical network links into a single
logical link for increased bandwidth.

Notes:
>> The same algorithm must be applied on the other switch in the trunk.
>> OnDemand Switch 1 and VL implement link aggregation via software and not at the
switch level, (these platforms do not include a Layer 2 switch hardware component).
Therefore, on these platforms, you cannot define trunks as port mirroring participants.

About Link Aggregation


Link aggregation, or port trunking, is a method of combining physical network links into a single
logical link for increased bandwidth. With link aggregation you can increase the capacity and
availability of the communications channel between devices (both switches and end stations) using
existing Fast Ethernet and Gigabit Ethernet technology. This is performed by using a set of multiple
parallel physical links between two devices grouped together to form a single logical link.
Link aggregation also provides load balancing where the processing and communications activity is
distributed across several links in a trunk, ensuring that no single link is overwhelmed. By taking
multiple LAN connections and treating them as a unified, aggregated link, you can achieve higher
link availability and increased link capacity.
Port trunking is supported according to the IEEE 802.3ad standard for link aggregation as follows:

Link aggregation is supported only on links using the IEEE 802.3 MAC.

Link aggregation is supported only on point-to-point links.

Link aggregation is supported only on links operating in Full Duplex mode.

Link aggregation is permitted only among links with the same speed and direction. On the
device bandwidth, increments are provided in units of 100Mbps and 1Gbps respectively.

The failure or replacement of a single link within a Link Aggregation Group will not cause failure
from the perspective of a MAC client.

MAC client traffic can be distributed across multiple links. To guarantee the correct ordering of
frames at the receiving-end station, all frames belonging to one conversation must be transmitted
through the same physical link. The algorithm for assigning frames to a conversation depends on the
application environment. Radware devices can define conversations on Layer 2, 3, or 4 information,
or on combined layers.
Using link aggregation, depending on the platform, you can define up to seven trunks. Up to eight
physical links can be aggregated into one trunk. AppDirector supports both static and dynamic
(LACP) trunks. In DefensePro, all trunk configurations are static. To provide optimal distribution for
different scenarios, the load sharing algorithm allows decisions based on source or destination (or
both) Layer 2 address (MAC), Layer 3 address (IP), and Layer 4 address (TCP/UDP port numbers).
These parameters are used as input for a hashing function.
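
The following added example (not Radware code) shows how the Layer 2, 3, and 4 hash selections decide which trunk link carries a conversation, and why hashing on MAC addresses alone puts all routed traffic on one link. The CRC32-modulo hash, the link names, and the sample frames are assumptions; the device's actual hashing function is not described in this guide.

```python
import zlib
from collections import Counter
from dataclasses import dataclass

# Mode names follow the "Values" lists of the link-distribution hash parameters.
NO_HASH, SOURCE, DESTINATION, BOTH = "No Hash", "Source", "Destination", "Both"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


def _select(mode, src, dst):
    """Return the fields that one layer contributes to the hash input."""
    if mode == NO_HASH:
        return ()
    if mode == SOURCE:
        return (str(src),)
    if mode == DESTINATION:
        return (str(dst),)
    if mode == BOTH:
        return (str(src), str(dst))
    raise ValueError(f"unknown hash mode: {mode!r}")


def hash_key(frame, l2=BOTH, l3=BOTH, l4=BOTH):
    """Build the hash input from the selected Layer 2, 3, and 4 fields."""
    fields = (
        _select(l2, frame.src_mac, frame.dst_mac)
        + _select(l3, frame.src_ip, frame.dst_ip)
        + _select(l4, frame.src_port, frame.dst_port)
    )
    return "|".join(fields).encode()


def pick_link(frame, links, l2=BOTH, l3=BOTH, l4=BOTH):
    """Map a frame to one physical link of the trunk."""
    if not links:
        raise ValueError("trunk has no active links")
    # Assumption: CRC32 modulo the link count stands in for the device hash.
    return links[zlib.crc32(hash_key(frame, l2, l3, l4)) % len(links)]


def distribution(frames, links, **modes):
    """Count how many frames land on each link for the given hash modes."""
    return Counter(pick_link(f, links, **modes) for f in frames)


# Constructed sample: 64 clients reach one server through a single router,
# so every frame carries the same source and destination MAC address.
LINKS = ["link-1", "link-2", "link-3", "link-4"]  # hypothetical link names
ROUTED_FLOWS = [
    Frame("00:00:5e:00:53:01", "00:00:5e:00:53:02",
          f"192.0.2.{i}", "198.51.100.10", 40000 + i, 443)
    for i in range(1, 65)
]
# One conversation repeated 1000 times: frame order must be preserved,
# so the whole conversation stays on a single link.
SINGLE_CONVERSATION = [ROUTED_FLOWS[0]] * 1000

if __name__ == "__main__":
    print("L2 only :", dict(distribution(ROUTED_FLOWS, LINKS, l3=NO_HASH, l4=NO_HASH)))
    print("L2+L3+L4:", dict(distribution(ROUTED_FLOWS, LINKS)))
    print("one flow:", dict(distribution(SINGLE_CONVERSATION, LINKS)))
```

With MAC-only hashing the trunk behaves like a single link for traffic that arrives through one router, and a single high-volume conversation is limited to one link's capacity whatever the hash selection.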

Notes:
>> Only connected ports (Link Up) operating in Full Duplex mode can be attached to a
trunk.
>> You can define a management trunk (T-MNG) that includes only the management ports
(MNG-1 and MNG-2). The management ports cannot be a part of any other trunk. Using
the management trunk provides redundancy at the physical level for connectivity to the
management network. One link is active while the other is in backup mode. Failure of
the active link seamlessly activates the backup.
>> A port belonging to a trunk cannot be copied to another port (copy port).
>> In DefensePro, management ports that have preconfigured IP addresses cannot be
assigned to a trunk. Before attaching a physical port to a trunk, make sure that the port
is not used in any configuration (port mirroring, static forwarding).
>> In DefensePro, when a trunk is part of a protected segment definition, Port Operation in
the Port Pairs table must be set to Process mode for both directions of this segment.
>> In DefensePro, a trunk cannot be assigned with an IP address for management.
>> In DefensePro, ports with internal bypass cannot be assigned into a trunk.
>> In DefensePro, it is not possible to set a port within a trunk as the Source or Destination
of SSL inspection.

Configuring Link Aggregation in AppDirector 2.30 and Later


Configuring link aggregation in AppDirector 2.30 and later involves the following:

Configuring the link-distribution hash parameters

Configuring the LACP parameters

Configuring the trunk parameters

You can also view the port-aggregation status of each physical port.

To configure link-distribution hash parameters and LACP parameters and view trunk
details
1. In the Configuration perspective Networking tab navigation pane, select Link Aggregation. To
change a port assignment, double-click the corresponding row.
2. Configure the parameters; and then, click OK.


Table 101: Link-distribution Hash Parameters and LACP Parameters

Parameter

Description
Link Distribution Hash

Layer 2 Parameters

Specifies how the MAC address is used in the traffic distribution
algorithm.
Values:
No Hash: Do not use the MAC address.
Source MAC Address: Use the source MAC address.
Destination MAC Address: Use the destination MAC address.
Both MAC Addresses: Use both the source and destination MAC
addresses.
Default: Both MAC Addresses

Layer 3 Parameters

Specifies if the IP address is to be used in the traffic distribution
algorithm.
Values:
No Hash: Do not use the IP address.
Source IP Address: Use the source IP address.
Destination IP Address: Use the destination IP address.
Both IP Addresses: Use both the source and destination IP
addresses.
Default: Both IP Addresses

Layer 4 Parameters

Specifies if the application port is to be used in the traffic distribution
algorithm.
Values:
No Hash: Do not use the application port.
Source L4 Port: Use the source application port.
Destination L4 Port: Use the destination application port.
Both L4 Ports: Use both the source and destination application
ports.
Default: Both L4 Ports

LACP
System ID

(Read-only) A six-octet MAC address value used as a unique identifier
for the system that contains this trunk (Aggregator).

System Priority

(Read-only) A two-octet value indicating the priority value associated
with the system.
Values: 0-256
Default: 256


Editing Trunks in AppDirector 2.30 and Later

To edit a trunk in AppDirector 2.30 and later


1. In the Configuration perspective Networking tab navigation pane, select Link Aggregation. To
change a port assignment, double-click the corresponding row.

Note: The Trunks table can display a column for each of the trunk parameters. However,
by default, the Trunks table displays only some of the parameters. To display or hide
columns, right-click in the table heading row and select or clear the check mark next
to the relevant parameters.
2. Double-click the required row.
3. Configure the parameters; and then, click OK.

Note: When a port is added into a trunk, it receives the trunk operation status. When a port is
removed from a trunk, it maintains its operational status.

Table 102: Trunk Parameters

Parameter

Description

Trunk Name

(Read-only) The name of the trunk.

LACP Mode

The Link Aggregation Control Protocol mode.
Values:
Manual: LACP is disabled and manual aggregation is performed.
Passive: LACP acts as "speak when spoken to", and therefore can
be used as a way of controlling accidental loops (as long as the
other device is in active mode).
Active: LACP always sends frames along the configured links.
Default: Manual
Note: Regardless of the specified LACP Mode, the actor (the
AppDirector device) acts in Manual mode when LACP is not
active or not supported on the partner device (that is, switch,
router, and so on).

Available Ports

Lists the physical, device ports that you can select for the trunk.

Selected Ports

Lists the physical, device ports selected for the trunk.

Trunk Status

(Read-only)
Values:
Individual: No port is attached to this trunk.
Aggregate: At least one port is attached to this trunk.

Trunk MAC Address

(Read-only)

LACP

Timeout

The time that the device waits between LACP control messages
(LACPDUs). If three times the selected timeout elapses without any
new control message, the link-state changes.
Values:
Fast: 1 second
Slow: 30 seconds
Default: Fast

Wait Time

The time to wait after link negotiation before starting to send control
messages.
Values: 1-10
Default: 3

Actor Priority

The priority assigned to this trunk by the Actor (that is, the system
sending the data unit, assigned by management or administration
policy), encoded as an unsigned integer.
Values: 0-65,535
Default: 32767

System ID

(Read-only) The System Identifier, in MAC address format, which is
used together with the LACP System Priority to uniquely identify the
system (that is, the AppDirector device).
Default: The device MAC address

System Priority

(Read-only) The LACP System Priority together with the LACP System
ID uniquely identify the system.
Values: 1-256
Default: 256

Viewing the Port Aggregation Status


You can view the link-aggregation status of each physical, traffic port on the device.

Note: When a port is added into a trunk, it receives the trunk operation status. When a port is
removed from a trunk, it maintains its operational status.

To view the port aggregation status


In the Configuration perspective Networking tab navigation pane, select Link Aggregation >
Ports Aggregation Status.

Note: To select the columns that the Ports Aggregation Status table displays, right-click in
the table heading row and select or clear the check mark next to the relevant
parameters.


Table 103: Ports Aggregation Status Parameters

Parameter

Description

Port

The physical port index.

Port MAC Address

The MAC address assigned to the port.

Trunk Name

The trunk to which the port is attached.

Operational Status

Values:
Default, Not-In-Bundle: The LACP control is off (manual
aggregation), and this port is not bundled in a trunk.
Default, Bundled: The LACP control is off (manual aggregation),
and this port is bundled in the specified trunk.
LACP Control, Not-In-Bundle: The LACP control is on, but this
port is not bundled in a trunk.
LACP Control, Bundled: The LACP control is off (manual
aggregation), and this port is bundled in the specified trunk.

Port Status

Values:
Individual: The port is not attached to any trunk.
Aggregate: The port is attached to a trunk.

Configuring Link Aggregation in AppDirector Versions Prior to 2.30 and Defense Pro

To configure link aggregation


1. In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Link Aggregation.
You can view the MAC address of each trunk and the ports bound to it in the Link Aggregation
Ports table.
2. To change a port assignment, double-click the corresponding row.
3. Configure the port assignment; and then, click OK. When a port is added into a trunk, it receives
the trunk operation status. When a port is removed from a trunk, it maintains its operational
status. When a trunk operational status is set to down, a port removed from the trunk keeps its
down status.

Table 104: Link Aggregation Port Parameters

Parameter

Description

Port

(Read-only) The physical port index.

Port MAC Address

(Read-only) The MAC address assigned to the port.


Trunk Name

The trunk to which the port is attached.
The values depend on the platform.
Values:
0: Specifies unattached.
T1-T7: The range of values depends on the platform. That is, the
number of trunks that you can configure depends on the device
platform.
T-MNG
Default: 0

Port Status

(Read-only)
Values:
Individual: The port is not attached to any trunk.
Aggregate: The port is attached to a trunk.

Configuring Link Aggregation Hashing for AppDirector Versions Prior to 2.30


This section is relevant only for AppDirector versions prior to 2.30. For AppDirector 2.30 and later,
the parameters are exposed elsewhere. DefensePro does not support this feature.
To provide optimal distribution for different scenarios the load-sharing algorithm allows decisions
based on source or destination (or both) Layer 2 address (MAC), Layer 3 address (IP), and Layer 4
address (TCP/UDP port numbers). You can configure these parameters, which are then used as input
for a link aggregation hashing function.

To configure link aggregation hashing


1. In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Link Aggregation > Link Aggregation Hashing.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 105: Link Aggregation Hashing Parameters

Parameter

Description

Layer 2 Hash

Specifies if the MAC address is to be used in the traffic distribution
algorithm.
Values:
No Hash: Do not use the MAC address.
Source MAC Address: Use the source MAC address.
Destination MAC Address: Use the destination MAC address.
Both MAC Addresses: Use both the source and destination MAC
addresses.
Default: Both MAC Addresses

Layer 3 Hash

Specifies if the IP address is to be used in the traffic distribution
algorithm.
Values:
No Hash: Do not use the IP address.
Source IP Address: Use the source IP address.
Destination IP Address: Use the destination IP address.
Both IP Addresses: Use both the source and destination IP
addresses.
Default: Both IP Addresses

Layer 4 Hash

Specifies if the application port is to be used in the traffic distribution
algorithm.
Values:
No Hash: Do not use the application port.
Source L4 Port: Use the source application port.
Destination L4 Port: Use the destination application port.
Both L4 Ports: Use both the source and destination application ports.
Default: Both L4 Ports

Configuring Port Mirroring


Port Mirroring enables the device to duplicate traffic from one physical port on the device to another
physical port on the device. This is useful when an intrusion detection system (IDS) device is
connected to one of the ports on the device. You can choose to mirror either received and
transmitted traffic, received traffic only, or transmitted traffic only. You can also decide whether to
duplicate the received broadcast packets.

Notes:
>> Port mirroring is not supported on devices that run on the OnDemand Switch VL
platform, for example DefensePro x06 models.
>> Port mirroring requires that the input port be configured to Static-Forwarding Process
mode. When the input port is configured to Static-Forwarding Forward mode, traffic is
not mirrored.
>> In Static Forwarding mode, traffic with the same destination MAC address as the device
is not mirrored (rare).

To avoid high-bandwidth DoS and DDoS attacks, you can mirror the traffic (that arrives at the
managed device) to a dedicated sniffer port. This allows collecting packet data during an attack and
sending the data to Radware's Security Operation Center (SOC) to develop an attack signature.
DefensePro supports traffic-rate port mirroring also. DefensePro devices can perform traffic-rate
port mirroring when the device is under attack. Traffic-rate port mirroring is based on a specified
traffic threshold. When the threshold value is reached, the DefensePro device starts copying traffic
from the interface to its mirroring output port. The process continues for the specified time, and
then the copying process stops. For example, if you have a single network segment connected
between interfaces 1 and 2, whenever traffic reaches the configured threshold, DefensePro device
copies the traffic arriving on interface #1 to interface #3.

To configure port mirroring in AppDirector


1. In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Port Mirroring.
2. Do one of the following:

To add a pair of ports to mirror traffic, click the (Add) button.
To edit an entry, double-click the row.
3. Configure the parameters; and then, click OK.
4. Click (Submit) to submit the changes.

Table 106: AppDirector Port Mirroring Parameters

Parameter

Description

Input Interface

The traffic port.

Output Port

The port for the mirrored traffic.

Traffic to Mirror

The direction of the traffic that the device mirrors.
Values: Transmit and Receive, Receive Only, Transmit Only

Enable Promiscuous Mode

Values:
Enabled: The device copies all traffic to the specified output port.
Disabled: The device copies only the traffic destined to the input.
Default: Enabled

To configure port mirroring in DefensePro


1. In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Port Mirroring.
2. Do one of the following:

To add a pair of ports to mirror traffic, click the (Add) button.
To edit an entry, double-click the row.
3. Configure the port mirroring settings; and then, click OK.
4. To configure advanced parameters for port mirroring, in the navigation pane, select
Port Mirroring > Advanced Parameters.
5. Configure the advanced parameters; and then, click (Submit) to submit the changes.

Table 107: DefensePro Port Mirroring Parameters

Parameter

Description

Input Interface

The traffic port.

Output Port

The port for the mirrored traffic.

Traffic to Mirror

The direction of the traffic that the device mirrors.
Values: Transmit and Receive, Receive Only, Transmit Only

Enable Promiscuous Mode

Values:
Enabled: The device copies all traffic to the specified output port.
Disabled: The device copies only the traffic destined to the input.
Default: Enabled

Backup Port

The backup port for the mirrored traffic.

Mode

The mode of port mirroring.
Values: Enabled, Traffic Rate

Threshold

The number of threshold units (PPS/Kbps) that can pass through the
specified input port (Input Interface) before the mirroring process starts.

Note: The Threshold Units parameter and the Threshold Interval parameter are defined
globally for each device and not for each pair of ports.

Table 108: DefensePro Port Mirroring Advanced Parameters

Parameter

Description

Traffic Threshold Units

The units in which the threshold is measured.
Values:
PPS: Packets per second
Kbps: Kilobits per second

Threshold Interval

How long, in seconds, mirroring continues after the traffic rate falls below
the specified threshold.
Default: 30

Reset Traffic Rate

Click to set the device to record the traffic that exceeds the predefined limit
within a new Threshold Interval.
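
The following added example (not Radware code) models traffic-rate port mirroring as described by the Threshold and Threshold Interval parameters, so that you can check which seconds of an attack a sniffer on the output port would actually receive. The one-second sampling, the function names, and the sample rates are assumptions.

```python
from itertools import groupby


def mirror_timeline(rates, threshold, interval=30):
    """Return one bool per one-second sample: is traffic being mirrored?

    rates     -- traffic rate per second, in the configured Threshold Units
    threshold -- mirroring starts when the rate reaches this value
    interval  -- seconds mirroring continues after the rate falls below it
    """
    if threshold <= 0:
        raise ValueError("threshold must be positive")
    if interval < 0:
        raise ValueError("interval must not be negative")
    timeline = []
    active = False
    hold = 0  # hold-over seconds left once the rate is below the threshold
    for rate in rates:
        if rate >= threshold:
            active, hold = True, interval
        elif active and hold > 0:
            hold -= 1
        else:
            active = False
        timeline.append(active)
    return timeline


def mirror_windows(timeline):
    """Collapse the timeline into (start_second, end_second_exclusive) windows."""
    windows, pos = [], 0
    for state, run in groupby(timeline):
        length = len(list(run))
        if state:
            windows.append((pos, pos + length))
        pos += length
    return windows


def capture_report(rates, threshold, interval=30):
    """Summarize what reaches the mirroring output port."""
    timeline = mirror_timeline(rates, threshold, interval)
    first_over = next((i for i, r in enumerate(rates) if r >= threshold), None)
    lead_in = rates if first_over is None else rates[:first_over]
    return {
        "windows": mirror_windows(timeline),
        "mirrored_units": sum(r for r, on in zip(rates, timeline) if on),
        "total_units": sum(rates),
        # Traffic seen before the first threshold crossing is never copied.
        "unmirrored_lead_in": sum(lead_in),
    }


# Constructed sample: packets per second on the input interface, with a
# ramp-up, a first burst, a lull of five seconds, and a second burst.
CONSTRUCTED_PPS = [200, 300, 900, 5000, 7000, 6500, 400, 250, 200,
                   180, 150, 6000, 300, 200, 100, 100, 100, 100]

if __name__ == "__main__":
    for interval in (3, 5):
        print(interval, capture_report(CONSTRUCTED_PPS, 5000, interval))
```

In this model a Threshold Interval shorter than the lull between bursts splits the capture into two windows, and the ramp-up below the threshold is missing from the capture in both cases.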

Configuring AppDirector Redundancy


Radware recommends installing AppDirector devices in pairs to provide fault tolerance in the case of
a single device failure. Each pair of AppDirector devices can function in an active-backup setup or
active-active setup.

To achieve redundancy between pairs of AppDirector devices, the following methods are supported:

VRRP: Working with Virtual Router Redundancy Protocol enables dynamic redundancy to be
maintained using a logical entity called a virtual router. (VRRP was initially developed to provide
high availability for routers, hence the name virtual router. However, this protocol can be
supported by a wide range of devices that are not routers. As it is not a routing protocol, it does
not advertise IP routes or affect the routing table in any way). With VRRP, IP addresses are
associated with the Virtual MAC addresses that are owned by the main device, and are taken
over by the backup device at fail-over time.

Proprietary ARP (available only in AppDirector versions prior to 2.30): Working with Address
Resolution Protocol enables monitoring of the other device in a pair and checking its availability.
Using Proprietary ARP redundancy, at the failover time, the IP addresses of the main device are
managed by the backup device and are associated with the backup device's MAC address.

Notes:
>> Before starting a redundancy configuration, the role of each AppDirector must be set via
the relevant CLI command. For more information, see the AppDirector CLI Reference
Guide.
>> When managing an AppDirector cluster with APSolute Vision, if both devices are
connected using SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.
Configure redundancy by performing the following tasks:
1. Configuring AppDirector Redundancy Global Settings, page 191
2. Configuring VRRP, page 195 or Configuring Proprietary Redundancy, page 204 (Proprietary
Redundancy is available only in AppDirector versions prior to 2.30)
3. Configuring Mirroring for Redundancy, page 205

Note: Radware recommends using VRRP for AppDirector redundancy.


For VRRP configuration guidelines, see Configuration Guidelines for AppDirector Redundancy Using
VRRP, page 200.
For more information about supported AppDirector networking configurations for redundancy, see
the AppDirector User Guide.

Configuring AppDirector Redundancy Global Settings


Radware recommends that you configure more than one AppDirector device on a network so that
they back up one another. Before you configure VRRP or Proprietary redundancy, configure
redundancy global settings, and selective interface grouping, if required. You can copy this
configuration to the backup device by downloading the configuration and then uploading it to the
backup device.

To configure redundancy global settings


1. In the Configuration perspective Networking tab navigation pane, select Redundancy > Global
Settings.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Note: To configure selective interface grouping, in the Configuration perspective Networking
tab navigation pane, select Redundancy > Global Settings > Selective Interface Grouping.
For more information, see Configuring Selective Interface Grouping, page 194.

Table 109: Redundancy Global Parameters

Parameter

Description

IP Redundancy Admin Status

The method used to achieve redundancy between pairs of AppDirector devices.
Values:
Disabled: No redundancy method is enabled.
Proprietary: Working with Address Resolution Protocol (ARP)
enables monitoring of the other device in a pair and checking its
availability. Using Proprietary ARP redundancy, at failover, the IP
addresses of the main device are managed by the backup device
and are associated with the backup device's MAC address.
VRRP: Working with Virtual Router Redundancy Protocol enables
dynamic redundancy to be maintained using a logical entity called
a virtual router. (VRRP was initially developed to provide high
availability for routers, hence the name virtual router.)
Default: Disabled

Interface Grouping

Ensures that if one port fails, the others are also taken down. When it
is enabled, the backup device takes over only when all the interfaces
of the main device are down.
To configure interface grouping for specified ports only, enable this
option and configure selective interface grouping to define which
interfaces activate Interface Grouping when a port fails.

ARP with Interface Grouping

Specifies whether the device can send ARP requests while the
interface grouping is active.
Values: Send, Avoid
Default: Send

Backup Device in VLAN

When AppDirector is installed in a bridge configuration, this parameter
determines how the device behaves when its redundancy state is set
to backup.
Values:
Forward Traffic: Forward all traffic. This is the default value, but it
should be used only when the device is in a routing configuration.
Block Broadcast: When the device is in backup state, broadcast
traffic is blocked in order to prevent loops.
Block All: When the device is in backup state, all traffic is blocked
in order to prevent loops. This cannot be used in a fully redundant
network configuration.
Default: Forward Traffic

Backup Fake ARP
(This parameter is not available in AppDirector 2.30 and later.)

When enabled, the backup device can perform a fake ARP.
In networks with Layer 3 switches, the Fake ARP will confuse the
switch during the redundancy process. In this case, disable this
option.

Backup Interface Grouping

When enabled, the backup device takes over only when the IP
interfaces defined in its Redundancy Table fail. Respectively, it will
release those interfaces only when all the main device's interfaces are
up.

VRRP Advertise Interval

The interval, in milliseconds, at which the main device sends
messages to the backup to notify that it is active. Use this setting for
advertise intervals of less than one second.
Values:
0: Specifies that the Advertisements are sent according to the
Advertise interval per VR.
100–25,000
Default: 0
Note: If this setting is greater than 0, it overrides the Advertise
interval per VR.

VRRP Automated Configuration Updates

AppDirector can automatically add a new Virtual IP configured on the
device to the VRRP Associated IP Addresses table.
When this option is enabled and a Layer 4 policy is configured that
uses a new Virtual IP, this IP is automatically associated with the VRID
defined for the AppDirector interface that belongs to the same subnet
as the Virtual IP. Messages are sent to the device log announcing that
a Virtual IP was automatically associated to a specific VRID and
interface.
Default: Disabled

Force Down Ports Time

The time, in seconds, for which the port must be down.
When enabled, the value that should be used depends on how long it
takes the switch to clear its MAC tables.
Values:
0: The feature is disabled.
5–60

Failure Action

Specifies when Proxy-related failures induce failover in an active-backup configuration.
Values:
Acceleration Engine Fail: Acceleration engine failure.
SSL or Acceleration Engine Fail: SSL accelerator or Acceleration
engine failure.
Compression or Acceleration Engine Fail: Hardware Compression
Card or Acceleration engine failure.
SSL or Compression or Acceleration Engine Fail: SSL Accelerator,
Hardware Compression Card or Acceleration engine failure.
Ignore: Ignore failures and do not perform failover.

Configuring Selective Interface Grouping


In AppDirector redundant installations, main and redundant AppDirector devices can have separate
interfaces solely for management purposes and not for handling the traffic. When one of the
management ports is down and Interface Grouping is enabled, the backup device takes over. To
avoid this, you can define which interfaces activate Interface Grouping when the management port
is down.

Notes:
>> When a grouped port that has an IP address assigned to it, but no VRID, is
disconnected, it does not initiate failover.
>> When a non-grouped port that has an IP address and a VRID assigned to it is
disconnected, it will still initiate a failover.

To configure selective interface grouping


1. In the Configuration perspective Networking tab navigation pane, select Redundancy > Global
Settings > Selective Interface Grouping.
The table displays the list of interfaces for which virtual routers (VRs) are defined, and whether
each interface is grouped, meaning whether it initiates interface grouping if the management
port is down.
2. To change the interface grouping setting for an interface, double-click the row.
3. Select or clear the Grouped check box, and click OK.

Table 110: Port Grouping Parameters

Parameter

Description

Port

(Read-only) The port name.

Grouped

When selected, the port can initiate interface grouping.

Configuring VRRP
The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in the
static default routed environment. VRRP specifies an election protocol that dynamically assigns
responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling
the IP addresses associated with a virtual router is called the Master, and forwards packets sent to
these IP addresses. The election process provides dynamic fail-over in the forwarding responsibility
should the Master become unavailable. Any of the virtual router's IP addresses on a LAN can then be
used as the default first hop router by end-hosts.
To achieve redundancy between pairs of devices, Radware recommends using VRRP. VRRP enables
you to maintain dynamic redundancy using a logical entity called a virtual router (VRRP was initially
developed to provide high availability for routers).
A virtual router (VR) has a Virtual Router Identifier (VRID) with one or more associated IP
addresses. Each VR has a VRMAC, which is a MAC address associated with the VR. This saves the
need for a MAC address update in case of a failover. The VRMAC address is determined by the VRID
and does not need to be configured manually.
The same VR needs to be configured on multiple devices to achieve redundancy between them for
the VR. Each device has a priority for a VR, and the main device for the VR is the device with the
highest priority. Using VRRP, the main device constantly sends advertisements to other VRRP
devices to indicate that it is online. When the advertisements stop, the main device is assumed to be
inactive. A new main device is then selected for this VR; that is, the device with the next highest
priority for that VR. Although VRRP was developed for routers, the protocol can be supported by a
wide range of devices that are not routers. As it is not a routing protocol, it does not advertise IP
routes or affect the routing table in any way. With VRRP, IP addresses are associated with the
Virtual MAC addresses that are owned by the main device, and are taken over by the backup device
at failover time.
With VRRP, redundant AppDirector devices can synchronize their configurations. For more
information, see Online Configuration Synchronization, page 206.
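
The election and takeover behaviour described above, combined with the Preempt Mode rules given in the VRRP router parameter tables, as an added Python example (not Radware code). The VRMAC format and the master-down timer are the standard VRRP ones (RFC 3768, RFC 5798) and are assumed to apply to AppDirector; the Device and VirtualRouter names are illustrative.

```python
from dataclasses import dataclass

OWNER_PRIORITY = 255  # reserved for the device that owns the VR's IP address


def vrmac(vrid, ip_version=4):
    """VRMAC derived from the VRID: 00-00-5E-00-01-{VRID} (IPv4) or -02- (IPv6)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VR ID must be in the range 1-255")
    family = {4: 0x01, 6: 0x02}[ip_version]
    return "00:00:5e:00:%02x:%02x" % (family, vrid)


def master_down_interval(priority, advertise_interval_s=1.0):
    """Seconds without advertisements before a backup takes over (VRRPv2, RFC 3768)."""
    skew_time = (256 - priority) / 256  # higher priority means a shorter wait
    return 3 * advertise_interval_s + skew_time


@dataclass
class Device:
    name: str
    priority: int  # 1-255; the highest priority wins the election
    alive: bool = True


class VirtualRouter:
    """One VR configured on several devices; tracks which device is master."""

    def __init__(self, vrid, devices, preempt=True):
        self.vrid = vrid
        self.mac = vrmac(vrid)  # never changes, so no MAC update at failover
        self.preempt = preempt
        self.devices = {d.name: d for d in devices}
        self.master = None
        self.elect()

    def elect(self):
        """Pick the master among the devices that are still advertising."""
        alive = [d for d in self.devices.values() if d.alive]
        if not alive:
            self.master = None
            return None
        best = max(alive, key=lambda d: d.priority)
        current = self.devices.get(self.master)
        # With Preempt Mode disabled the current master keeps the VR, unless
        # the returning device is the IP address owner, which always preempts.
        keep_current = (
            current is not None
            and current.alive
            and not self.preempt
            and best.priority != OWNER_PRIORITY
        )
        if not keep_current:
            self.master = best.name
        return self.master

    def set_alive(self, name, alive):
        """Simulate a device failing or coming back online, then re-elect."""
        self.devices[name].alive = alive
        return self.elect()


if __name__ == "__main__":
    # Constructed pair using the example priorities 200 (main) and 100 (backup).
    vr = VirtualRouter(1, [Device("main", 200), Device("backup", 100)], preempt=False)
    print(vr.mac, vr.master)
    print("main fails   ->", vr.set_alive("main", False))
    print("main returns ->", vr.set_alive("main", True))
    print("backup waits %.3f s before taking over" % master_down_interval(100))
```

With Preempt Mode disabled the backup keeps the VR after the main device returns, which is the case where the guide's example tables enable mirroring on the main device as well.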

To configure VRRP for redundancy


1. In the Configuration perspective Networking tab navigation pane, select Redundancy > VRRP.
2. From the VRRP Admin Status drop-down list, select the required option:

All Down: Sets the status of all VRs to Down, which shuts down the main device.

All Up: Sets the status of all VRs to Up, so that the main AppDirector device is immediately
activated and takes control from the backup device.

No Change: Makes no change to the status of the VRs.

Default: No Change

Note: The VRRP Admin Status parameter is available only in AppDirector 2.14.03 and later.

3. Do one of the following:

To add an entry in AppDirector 2.30 and later, click the (Add) button; and then, choose
the option for the IP version that you require.

To add an entry in AppDirector versions prior to 2.30, click the (Add) button.

To edit an entry, double-click the entry in the table.

4. Configure the parameters; and then, click OK.
5. To configure associated IP addresses, in the navigation pane, select Redundancy > VRRP >
Associated IPs.
For more information, see Configuring Associated IPs for VRRP, page 199.

Table 111: VRRP Router Parameters in AppDirector 2.30 and Later

Parameter

Description

IP Version

(Read-only) Specifies IPv4 or IPv6.

VR ID

The virtual router's identification number. This number must be unique on
the network.
Values: 1–255

Port

The identifier of the physical port on the device.

Admin Status

When enabled, VRRP is activated for this port.

Priority

You must assign the highest priority (255) to the VR that is associated with
the physical IP address of the device.
Values: 1–255
Default: 100
Notes:
>> When two devices are configured with VRRP and the master device
has a priority of 255 set for its virtual routers, shutting down all
virtual routers causes the backup state to move to master but
causes the client connections to cease. This is because when Virtual
Routers go down, the port does not go down. The port will continue
functioning, and as soon as the virtual router goes down, the port
will broadcast its MAC as the owner of the device interface IP. It will
continue sending health checks with source IP and interface IP and
ARPs for IPs on the directly connected networks.
>> These ARPs will poison the ARP cache of all machines on this
network, and they will record the interface MAC of the main box as
the holder of the interface IP that the backup device tried to take
over via VRRP.
>> Therefore, all traffic sent to the main device interface IP as a
gateway (reply traffic from the servers) reaches the main device
and is routed straight to the default gateway of the device. This is
not where this traffic should be heading because traffic sent to a
VIP which was taken over by the backup device (the main device
will not fix the IP headers) will route the packet as it stands which
will break the session.
>> When you do not use VR priority of 255 on the main device, you
cannot place its interface IP in the associated IP table. This means
that the default gateway will be a different IP which has no
problems being poisoned but with the interface activities of the
main device.

Primary IP

This is used internally only, as the source IP of VRRP messages sent by the
device. It is recommended to use virtual IP interfaces. For more information
about using virtual IP interfaces for VRRP, see the AppDirector User Guide.
It is recommended to leave the default, which is the IP interface defined on
this port.

Advertise Interval

The interval, in centiseconds, at which advertisements are sent for this VR.
This setting overrides the default global parameter.
Default: 100

Preempt Mode

When a device with a certain priority fails, the device with the next highest
priority takes control of the VR. Preemption Mode defines takeover
procedure for the VR when the device with the higher priority resumes
functioning.
Values:
Enabled: The higher priority device takes over the VR.
Disabled: The device with lower priority maintains control of the VR.
This is only applicable when two or more devices share a VR.
Notes:
>> All defined VRs must have the same Preemption Mode setting
except for the router owning the IP address associated with the VR.
>> The router owning the IP address associated with the VR always
preempts independently of Preemption Mode setting.

Preferred State

The preferred state of the virtual router. This field affects the configuration
of the parallel VRRP entry on the peer device.
Values:
Backup: The peer's VRRP entry should have a higher priority.
Master: The peer's VRRP entry should have a lower priority.
Default: Master

Table 112: VRRP Router Parameters in AppDirector Versions Prior to 2.30

Parameter

Description

Port

The identifier of the port on the device.

VR ID

Virtual router's identification number. This number must be unique on the
network.
Values: 1–255

Enabled

When enabled, VRRP is activated for this port.

Priority

You must assign the highest priority (255) to the VR that is associated with
the device's physical IP address (that is, the IP address that the device
owns).
Values: 1–255
Default: 100
Notes:
>> When two devices are configured with VRRP and the master device
has a priority of 255 set for its virtual routers, shutting down all
virtual routers causes the backup state to move to master but
causes the client connections to cease. This is because when
Virtual Routers go down, the port does not go down. The port will
continue functioning, and as soon as the virtual router goes down,
the port will broadcast its MAC as the owner of the device interface
IP. It will continue sending health checks with source IP and
interface IP and ARPs for IPs on the directly connected networks.
>> These ARPs will poison the ARP cache of all machines on this
network, and they will record the interface MAC of the main box as
the holder of the interface IP that the backup device tried to take
over via VRRP.
>> Therefore, all traffic sent to the main device interface IP as a
gateway (reply traffic from the servers) reaches the main device
and is routed straight to the default gateway of the device. This is
not where this traffic should be heading because traffic sent to a
VIP which was taken over by the backup device (the main device
will not fix the IP headers) will route the packet as it stands which
will break the session.
>> When you do not use VR priority of 255 on the main device, you
cannot place its interface IP in the associated IP table. This means
that the default gateway will be a different IP which has no
problems being poisoned but with the interface activities of the
main device.

Primary IP

This is used internally only, as the source IP of VRRP messages sent by the
device. It is recommended to use virtual IP interfaces. For more
information about using virtual IP interfaces for VRRP, see the AppDirector
User Guide.
It is recommended to leave the default, which is the IP interface defined
on this port.

Authentication Type

The type of authentication.
Values: Simple Password, No Authentication
Default: No Authentication

Authentication Key

A password up to eight characters. This is required only when an
authentication type is specified.

Enable Preemption Mode

When a device with a certain priority fails, the device with the next highest
priority takes control of the VR. Preemption Mode defines takeover
procedure for the VR when the device with the higher priority resumes
functioning.
Values:
Enabled: The higher priority device takes over the VR.
Disabled: The device with lower priority maintains control of the VR.
This is only applicable when two or more devices share a VR.
Notes:
>> All defined VRs must have the same Preemption Mode setting
except for the router owning the IP address associated with the
VR.
>> The router owning the IP address associated with the VR always
preempts independently of Preemption Mode setting.

Advertise Interval

The interval, in seconds, at which advertisements are sent for this VR. This
setting overrides the default global parameter.
Default: 1

Configuring Associated IPs for VRRP


The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in the
static default routed environment. VRRP specifies an election protocol that dynamically assigns
responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling
the IP addresses associated with a virtual router is called the Master, and forwards packets sent to
these IP addresses. The election process provides dynamic failover in the forwarding responsibility
should the Master become unavailable. Any of the virtual router's IP addresses on a LAN can then be
used as the default first hop router by end-hosts.

To configure associated IPs for VRRP


1. In the Configuration perspective Networking tab navigation pane, select Redundancy > VRRP
> Associated IPs.
2. Select the VRID for which to add an associated IP, and click Go. The table displays associated
IPs for the selected VRID.
3. Do one of the following:

To add an associated IP, click the (Add) button.

To edit an entry, double-click the entry.

4. Enter the associated IP address and click OK.

Table 113: Associated IP Parameters

Parameter

Description

VR ID

(Read-only) The virtual router's identification number.

Associated IP Address

The IP address of the associated IP.

Configuration Guidelines for AppDirector Redundancy Using VRRP


The configuration needed in redundant environments depends on the following factors:

Redundancy configuration: Active-Backup or Active-Active

Network configuration: Routing or Bridging

VRRP Preemption state: enabled or disabled

Note: A fully redundant network environment affects only the required inter-AppDirector
connectivity and Layer 2 configuration. All other redundancy configuration parameters
are affected by the factors mentioned above.
These guidelines are for redundancy configurations using VRRP for the following scenarios:

Active-Backup Routing Configuration, page 200

Active-Active Routing Configuration, page 201

Example Active-Backup Bridging Configuration, page 203

Active-Backup Routing Configuration


In an Active-Backup configuration, the main AppDirector device is configured with the main Virtual
IP addresses. This device performs the regular AppDirector operations, handling all the inbound
sessions to the Virtual IP addresses and distributing traffic among the servers in the farm linked to
the Virtual IP address (via Layer 4 Policy).
The backup AppDirector device is configured with identical Virtual IP addresses that contain the
exact same Layer 4 Policies, servers and farm settings. This device acts as a hot standby and does
not perform load balancing as long as the main device is active. When the backup AppDirector
detects that the main AppDirector has failed, the backup device takes over the IP addresses of its
primary partner, informing all devices on the network that the backup device is now responsible for
the services of the main device.
When the main device is back online, the backup device releases the services if VRRP preemption is
enabled (default) or if a proprietary redundancy protocol is used. If VRRP preemption is disabled,
the backup device will remain active as long as it is online.

Table 114: Example Active-Backup Configuration

| Parameters | Main | Backup |
| --- | --- | --- |
| Global Parameters | | |
| IP Redundancy Admin Status | VRRP | Same as main |
| Interface Grouping | Enable | Same as main |
| Backup Interface Grouping | Enable | Same as main |
| Backup Device in VLAN | N/R, use default | Same as main |
| Force Down Port Time | N/R, use default | Same as main |
| VRID Internet Side | | |
| VRID | | Same as main |
| If Index | | Same as main |
| Primary IP | 100.1.1.10 | Same as main |
| Priority | 200 | 100 |
| Preempt Mode | Same for all VRIDs | Same as main |
| Associated IPs | 100.1.1.100, 100.1.1.10, Outbound NAT addresses, if relevant | Same as main |
| VRID Server Side | | |
| VRID | | Same as main |
| Port | | Same as main |
| Primary IP | 20.1.1.10 | Same as main |
| Priority | 200 | 100 |
| Preempt Mode | Same for all VRIDs | Same as main |
| Associated IPs | 20.1.1.10, Client NAT addresses, if relevant | Same as main |
| Mirroring | | |
| Mirroring Status | Disabled (if preemption is enabled); Enabled (if preemption is disabled) | Enabled |
| Mirror Device IP | 1.1.1.12 | Default |
| Mirrored Tables | Client Table; Session ID Table; Proximity and DNS Persistency for geographically distributed solution | Same as main |
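
One way to check an active-backup pair against the rules in this section and the layout of Table 114, as an added Python example (not part of the guide or of any Radware tool). The dictionary field names, the VR IDs 1 and 2, the port names and the SNMP engine IDs are constructed for illustration; the priorities and addresses are the ones in Table 114.

```python
def audit_pair(main, backup):
    """Return findings for a VRRP main/backup pair; an empty list means consistent."""
    findings = []
    for role, dev in (("main", main), ("backup", backup)):
        if dev["redundancy"] != "VRRP":
            findings.append(f"{role}: IP Redundancy Admin Status is not VRRP")
        modes = set()
        for vrid, vr in dev["vrs"].items():
            if not 1 <= vrid <= 255:
                findings.append(f"{role}: VR ID {vrid} is outside 1-255")
            if not 1 <= vr["priority"] <= 255:
                findings.append(f"{role}: VR {vrid} priority is outside 1-255")
            if vr["priority"] != 255:  # the IP address owner always preempts
                modes.add(vr["preempt"])
        if len(modes) > 1:
            findings.append(f"{role}: Preempt Mode differs between VRs")
        # The inter-device (mirroring) port must be excluded from Interface Grouping.
        link = dev.get("mirror_port")
        if dev["interface_grouping"] and link in dev.get("grouped_ports", ()):
            findings.append(f"{role}: mirroring port {link} is in Interface Grouping")

    # A cluster managed over SNMPv3 needs unique engine IDs.
    if (main.get("snmpv3") and backup.get("snmpv3")
            and main["snmp_engine_id"] == backup["snmp_engine_id"]):
        findings.append("SNMPv3 engine IDs are not unique")

    # The same VR must exist on both devices, with the same associated IPs.
    for vrid in sorted(set(main["vrs"]) ^ set(backup["vrs"])):
        findings.append(f"VR {vrid} is not configured on both devices")
    for vrid in sorted(set(main["vrs"]) & set(backup["vrs"])):
        m, b = main["vrs"][vrid], backup["vrs"][vrid]
        if m["priority"] <= b["priority"]:
            findings.append(f"VR {vrid}: main priority is not higher than backup")
        if set(m["associated_ips"]) != set(b["associated_ips"]):
            findings.append(f"VR {vrid}: Associated IPs differ")
        if m["preempt"] != b["preempt"]:
            findings.append(f"VR {vrid}: Preempt Mode differs between devices")

    # Mirroring Status per Table 114: backup enabled; main enabled only
    # when preemption is disabled.
    preempt = any(vr["preempt"] for vr in main["vrs"].values())
    if not backup["mirroring"]:
        findings.append("backup: Mirroring Status is not enabled")
    if main["mirroring"] == preempt:
        findings.append("main: Mirroring Status does not match the preemption setting")
    return findings


def sample_pair():
    """Constructed pair using the Table 114 priorities and addresses."""
    def device(priority, engine_id, mirroring):
        return {
            "redundancy": "VRRP",
            "interface_grouping": True,
            "grouped_ports": ["G1", "G2"],   # constructed port names
            "mirror_port": "G3",             # constructed inter-device port
            "snmpv3": True,
            "snmp_engine_id": engine_id,     # constructed placeholder IDs
            "mirroring": mirroring,
            "vrs": {
                1: {"priority": priority, "preempt": True,
                    "associated_ips": ["100.1.1.100", "100.1.1.10"]},
                2: {"priority": priority, "preempt": True,
                    "associated_ips": ["20.1.1.10"]},
            },
        }
    return device(200, "engine-main", False), device(100, "engine-backup", True)


if __name__ == "__main__":
    main_dev, backup_dev = sample_pair()
    backup_dev["snmp_engine_id"] = main_dev["snmp_engine_id"]  # introduce a fault
    for finding in audit_pair(main_dev, backup_dev):
        print(finding)
```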

Active-Active Routing Configuration


AppDirector devices can be configured to function in an Active-Active mode where each AppDirector
is the primary provider of some services and a backup for the services provided by the other
AppDirector in the pair. In this case, both devices are set up as the main AppDirector for one or
more Virtual IPs and as backup AppDirector for the Virtual IPs for which the other unit is the main.
When one device fails, the other continues to handle traffic to its own Virtual IPs while assuming
responsibility for the backup device's Virtual IPs.

Note: Using the Active-Active setup, each server can provide service to Virtual IPs that are
active on one device. A server cannot provide service to multiple Virtual IPs where one
Virtual IP is active on one device, while another Virtual IP is active on another device.

Table 115: Example Active-Active Routing Configuration

| Parameters | AppDirector 1 | AppDirector 2 |
| --- | --- | --- |
| Global Parameters | | |
| IP Redundancy Admin Status | VRRP | Same as AppDirector 1 |
| Interface Grouping | Enable | Same as AppDirector 1 |
| Backup Interface Grouping | Enable | Same as AppDirector 1 |
| Backup Device in VLAN | N/R, use default | Same as main |
| Force Down Port Time | N/R, use default | Same as main |
| VRID Internet Side for VIP active in AppDirector 1 | | |
| VRID | | Same as AppDirector 1 |
| Port | G1 | Same as AppDirector 1 |
| Primary IP | 100.1.1.10 | Same as AppDirector 1 |
| Priority | 200 | 100 |
| Preempt Mode | Same for all VRIDs | Same as AppDirector 1 |
| Associated IPs | 100.1.1.100, 100.1.1.10, Outbound NAT addresses (if relevant) | Same as AppDirector 1 |
| VRID Internet Side for VIP active in AppDirector 2 | | |
| VRID | | Same as AppDirector 1 |
| Port | G1 | Same as AppDirector 1 |
| Primary IP | 200.1.1.10 | Same as AppDirector 1 |
| Priority | 100 | 200 |
| Preempt Mode | Same for all VRIDs | Same as AppDirector 1 |
| Associated IPs | 200.1.1.100, 200.1.1.10, Outbound NAT addresses (if relevant) | Same as AppDirector 1 |
| VRID Server Side for VIP active in AppDirector 1 | | |
| VRID | | Same as AppDirector 1 |
| Port | | Same as AppDirector 1 |
| Primary IP | 20.1.1.10 | Same as AppDirector 1 |
| Priority | 200 | 100 |
| Preempt Mode | Same for all VRIDs | Same as AppDirector 1 |
| Associated IPs | 20.1.1.10, Client NAT addresses (if relevant) | Same as AppDirector 1 |
| VRID Server Side for VIP active in AppDirector 2 | | |
| VRID | | Same as AppDirector 1 |
| Port | | Same as AppDirector 1 |
| Primary IP | 30.1.1.10 | Same as AppDirector 1 |
| Priority | 100 | 200 |
| Preempt Mode | Same for all VRIDs | Same as AppDirector 1 |
| Associated IPs | 30.1.1.10, Client NAT addresses (if relevant) | Same as AppDirector 1 |
| Mirroring | | |
| Mirroring Status | Disabled (if preemption is enabled); Enabled (if preemption is disabled) | Enabled |
| Mirror Device IP | 1.1.1.12 | Default |
| Mirrored Tables | Client Table; Session ID Table; Proximity and DNS Persistency for geographically distributed solution | Same as AppDirector 1 |

Example Active-Backup Bridging Configuration


| Parameters | Main | Backup |
| --- | --- | --- |
| Global Parameters | | |
| IP Redundancy Admin Status | VRRP | Same as main |
| Interface Grouping | Enable | Same as main |
| Backup Interface Grouping | Enable | Same as main |
| Backup in VLAN | Enable | Same as main |
| Force Port Down | Enable | Same as main |
| VRID | | |
| VRID | | Same as main |
| Port | 100001 | Same as main |
| Primary IP | 100.1.1.10 | Same as main |
| Priority | 200 | 100 |
| Preempt Mode | Same for all VRIDs | Same as main |
| Associated IPs | 100.1.1.100, 100.1.1.10 | Same as main |
| Mirroring | | |
| Mirroring Status | Disabled (if preemption is enabled); Enabled (if preemption is disabled) | Enabled |
| Mirror Device IP | 1.1.1.12 | Default |
| Mirrored Tables | Client Table; Session ID Table | Same as main |

Configuring Proprietary Redundancy


This feature is available only in AppDirector versions prior to 2.30.
The Radware Proprietary redundancy mechanism uses Address Resolution Protocol (ARP) to ensure
that the backup AppDirector device is available and that the network connections between the main
and backup devices are up and that failover is achieved when the main device fails.
The backup device manages the polling process by continuously polling the main device, using the
ARP protocol. If the main device fails, the teaching process is realized when the backup device sends
broadcast ARPs informing its network neighbors that the IP addresses of the main device are now
associated with its own MAC addresses. This ensures that all traffic destined to the IP addresses of
the main device arrives to the backup device.
In Proprietary redundancy configurations, both AppDirector devices, the main and the backup, must
be defined to work with virtual and physical addresses. The virtual IP addresses are defined on the
backup AppDirector in the same manner as on the main AppDirector and the main device makes
sure that the backup AppDirector supports virtual addresses. Different physical IP addresses are
used for the main and backup devices, and an additional configuration is required on the redundant
AppDirector to support backup for the physical IP addresses of the main device.

Note: To allow the backup device to poll the main device, it must be aware of the main device
IP interfaces that its IP interfaces are backing up.

To configure proprietary redundancy


1. In the Configuration perspective Networking tab navigation pane, select Redundancy >
Proprietary.
2. Do one of the following:

To add an IP redundancy, click the (Add) button.

To edit an entry, double-click the entry.

3. Configure IP redundancy parameters and click OK.

Table 116: IP Redundancy Parameters

Parameter

Description

Interface IP Address

The IP address of the backup interface.

Main Router Address

IP address on the main AppDirector interface, which this AppDirector is
backing up.

Poll Interval

Polling interval, in seconds, for the main AppDirector interfaces. If the
interval is 0, the AppDirector is not polled.

Time Out

Interval, in seconds, during which the AppDirector must respond. If the
main AppDirector does not respond within this interval, it is considered
inoperative. If Time Out is 0, the backup AppDirector ignores the row.

Configuring Mirroring for Redundancy


Stateful failover, also known as mirroring, allows a backup device to take over when a main device
fails, without dropping existing sessions or breaking persistency. Stateful failover is provided by
mirroring the content of the tables that define a session.
For effective and reliable mirroring, you must do the following:

Provide a direct connection between the two devices. It is recommended to use a trunk (link
aggregation).

Configure an IP interface on each device for the direct connection port and address used as the
Mirroring Device Address for the other device.

Exclude the physical port used for inter-device communication from Interface grouping.

Mirroring can handle long and short sessions and support HTTP traffic.
The following can be mirrored:

Client table (FTP, HTTP, and NAT, all types)

Session ID Table

Dynamic DNS Persistency Table

Proximity table (AppDirector global load balancing license only)

Notes:
>> Mirroring is not supported when delayed binding is used with Layer 7 Persistent
Switching Mode and configured to either overwrite or maintain.
>> Mirroring is supported for the Layer 7 Persistent Switching Mode named First.
>> When setting up Mirroring, Radware recommends using the same AppDirector software
version for the main and backup devices.
>> Setting up Mirroring affects the general device performance.
>> Radware recommends that mirroring is used for Stateful Failover with the VRRP
redundancy mechanism.

To configure mirroring for redundancy


1. In the Configuration perspective Networking tab navigation pane, select Redundancy >
Mirroring.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 117: Mirroring Parameters

Parameter

Description

Main Device Mirroring Parameters

Proximity Table Mirroring
(AppDirector global load balancing license only)

Enables Proximity Table Mirroring.
Default: Disabled

Dynamic DNS Persistency Table Mirroring

Enables Dynamic DNS Persistency Table Mirroring (AppDirector Global Only).
Default: Disabled

Client Table Mirroring

Enables Client table Mirroring: FTP, HTTP, and all types of NAT.
Default: Disabled

Session Id Table Mirroring

Enables ID Table Mirroring.
Default: Disabled

Backup Device Mirroring Parameters

Mirroring Status

Enables backup device mirroring.
Default: Disabled

Mirror Device IP Address

IP address of the device to mirror from.

Online Configuration Synchronization


This feature is available in AppDirector 2.14 and later.
The Online Configuration Synchronization feature is relevant only for redundant VRRP
configurations.
In a redundant configuration, the peer devices require consistent configuration. To ensure that the
configuration is synchronized between a pair of redundant devices, you can use the Online
Configuration Synchronization feature to avoid the tedious and error-prone manual process.

Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.


Device Roles: Master and Slave


Online Configuration Synchronization operates in a master/slave mode.
You set the device role, Master or Slave, manually. You set the main device (the device with the
higher specified priority) as master. The device role never changes dynamically, in contrast to the
VRRP mechanism, where the main device can fail over to the backup device (that is, the backup
device becomes the active device). The Online Configuration Synchronization roles are
independent of the devices' redundancy operation mode (active or backup).
You configure the master device only. You cannot configure the slave device. The master device
automatically updates the configuration on the slave device with all configuration changes.
The redundancy configuration is updated on the master device according to the recommended
configuration in Configuration Guidelines for AppDirector Redundancy Using VRRP, page 200.
After a configuration change that requires a reboot, the Online Configuration Synchronization
mechanism queries VRRP status when it reboots a slave device. If the slave is the VRRP active
device, reboot is suppressed to avoid unnecessary failover that will cause connection disruption. The
master will wait for the VRRP role to switch over and only then issue the reboot command.
With the exception of a few parameters, as long as Online Configuration Synchronization is enabled,
you cannot configure parameters on the slave device.
Online Configuration Synchronization does not synchronize the following parameters, and you can
configure them on both master and slave devices even when Online Configuration Synchronization is
enabled:

Device Name

VRRP Global Admin Status

OSPF Router ID

Layer 2 Interface parameters

Online Configuration Synchronization does not synchronize the following actions, and you can
perform them on both master and slave devices even when Online Configuration Synchronization is
enabled:

Software upgrade on the slave device

License upgrade on the slave device

Reset statistics

Clear table (for example, Client table and other tables)

Non-configuration commands (such as ping, telnet, and so on)

Troubleshooting operations (for example, filter Client table view, configure diagnostics, and
retrieve a support file)

CLI terminal configuration

Reset Slave Device


When configuration changes require a device reboot to become active, or when full synchronization
is performed, the slave device must be rebooted.
To avoid an unnecessary failover and the connection disruption it causes, the master device will
not reboot the slave device if the slave device is the VRRP active device. Full synchronization is
still required, so configuration synchronization is suspended until VRRP control returns to the
master of configuration, and only then will full synchronization occur.
You can override this behavior by selecting the Allow Active Slave Reboot checkbox. When the
Allow Active Slave Reboot checkbox is selected, the configuration master disregards the VRRP
status and reboots the slave device whenever the configuration synchronization requires.
For configuration changes requiring a reboot (such as table-size tuning), the master device will
update the slave device with the configuration change like any other change, but will not reboot the
slave immediately. Instead, the master device will wait until it is rebooted itself, because until then,
the configuration change will not have taken effect in either device, and the configurations are still
synchronized. When the master device comes online after rebooting, a self-check will show that it
has a more updated configuration (due to the reboot) and a full synchronization will occur.
If you make a configuration change that requires reboot, and the slave device was rebooted for any
reason (manually, due to crash or due to full synchronization after connection loss), before the
master device was rebooted, the slave device will now have a more updated configuration than the
master. This is the only case where this occurs.

Monitoring Online Configuration Synchronization


You can monitor the operation of the Online Configuration Synchronization feature for both master
and slave devices. For more information, see the APSolute Vision online help.

Online Configuration Synchronization Criteria


When you configure Online Configuration Synchronization, the master device checks that the
following conditions are met:

• The master device and the slave device use the same hardware platform and have the same
  memory size.
• The master device and the slave device have the same licensed features.
  Note: License upgrade must be done manually on both the master and slave device, since
  each license is associated with a specific machine.
• The master device and the slave device have the same software version.
  Note: Any software upgrade must be performed manually on each device. During the
  software upgrade, Online Configuration Synchronization must be disabled.
• Parallel ports connected to the same subnets and the same IP addresses match crosswise.
• There is at least one matching IP interface (with the same subnet and same interface) on the
  master and slave devices.

Example
Master - IP: 1.1.1.1, Subnetmask: 255.0.0.0, Port: G-1, PeerAddress: 1.1.1.2
Slave - IP: 1.1.1.2, Subnetmask: 255.0.0.0, Port: G-1, PeerAddress: 1.1.1.1
In addition, you must ensure that parallel ports connected to the same subnets and the same IP
addresses match crosswise.
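
The criteria above can be checked against an inventory before the roles are set. The following is an added example, not part of the guide and not Radware code: the Device and IpInterface structures, the platform, memory and license values, and the STALE device are constructed for illustration, while the interface values repeat the Master/Slave example above.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Interface


@dataclass(frozen=True)
class IpInterface:
    ip: str
    mask: str
    port: str
    peer: str = ""  # Peer IP address; empty string means "not configured"

    @property
    def network(self):
        # Subnet derived from address and mask, for example 1.0.0.0/8.
        return IPv4Interface(f"{self.ip}/{self.mask}").network


@dataclass
class Device:
    name: str
    platform: str
    memory_mb: int
    version: str
    licenses: frozenset = frozenset()
    interfaces: list = field(default_factory=list)


def interface_findings(master, slave):
    """Compare every master IP interface with the slave interfaces on the same port.

    Returns (findings, matched): the problems found and the number of
    master interfaces that match a slave interface crosswise.
    """
    findings, matched = [], 0
    for m in master.interfaces:
        label = f"{m.port} {m.ip}"
        if not m.peer:
            findings.append(f"{label}: no Peer IP address configured")
            continue
        same_subnet = [s for s in slave.interfaces
                       if s.port == m.port and s.network == m.network]
        if not same_subnet:
            findings.append(f"{label}: slave has no interface on {m.port} in {m.network}")
        elif any(s.ip == m.peer and s.peer == m.ip for s in same_subnet):
            matched += 1
        else:
            findings.append(f"{label}: addresses do not match crosswise")
    return findings, matched


def check_sync_criteria(master, slave):
    """Return the list of violated criteria; an empty list means the pair qualifies."""
    problems = []
    if (master.platform, master.memory_mb) != (slave.platform, slave.memory_mb):
        problems.append("hardware platform or memory size differs")
    if master.licenses != slave.licenses:
        only_one = ", ".join(sorted(master.licenses ^ slave.licenses))
        problems.append(f"licensed features differ: {only_one}")
    if master.version != slave.version:
        problems.append(f"software version differs: {master.version} vs {slave.version}")
    findings, matched = interface_findings(master, slave)
    problems.extend(findings)
    if matched == 0:
        problems.append("no matching IP interface between master and slave")
    return problems


# Interface values are the guide's own example; platform, memory and license
# names are constructed for illustration.
MASTER = Device("master", "platform-A", 4096, "2.14.03", frozenset({"global-lb"}),
                [IpInterface("1.1.1.1", "255.0.0.0", "G-1", "1.1.1.2")])
SLAVE = Device("slave", "platform-A", 4096, "2.14.03", frozenset({"global-lb"}),
               [IpInterface("1.1.1.2", "255.0.0.0", "G-1", "1.1.1.1")])
# Constructed bad peer: older software, no license, wrong Peer IP address.
STALE = Device("stale", "platform-A", 4096, "2.14.02", frozenset(),
               [IpInterface("1.1.1.2", "255.0.0.0", "G-1", "1.1.1.3")])

if __name__ == "__main__":
    for peer in (SLAVE, STALE):
        result = check_sync_criteria(MASTER, peer)
        print(peer.name, "->", result or "all criteria met")
```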


Configuring Online Configuration Synchronization


This feature is available in AppDirector 2.14 and later.
Configuring Online Configuration Synchronization involves the following steps:
1. On the slave device, set the Device Role to Slave and configure a new value for the
Synchronization Session Password. For security purposes, the initial password is randomly
generated.
2. On the master device, set the Device Role to Master and configure the Synchronization Session
Password with the same value used on the slave device. In a few seconds, the devices will start
to synchronize with each other. This process triggers a reboot of the slave device.
3. When the slave device finishes rebooting, the devices finish the synchronization process and
their configuration will match.
4. Each subsequent configuration change that is made on the master device is synchronized on the
slave device.

Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.
>> For each IP interface configured on the master device, a Peer IP address must be
configured. This IP address is used as the IP interface on the slave device.
>> You can monitor synchronization state on the master device. The state should show InSync. For more information, see the APSolute Vision online help.
>> If a configuration change requires a reboot, the change will take effect on the slave
device only after you reboot the master device. (The master device automatically
reboots the slave device.)

To configure Online Configuration Synchronization


1. In the Configuration perspective Networking tab navigation pane, select Redundancy >
Configuration Synchronization.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 118: Configuration Synchronization Parameters in AppDirector 2.14.03 and Later

Parameter
  Description

Device Role
  The role the device plays in the Online Configuration Synchronization mechanism.
  Values:
  • Disabled: The device does not participate in Online Configuration Synchronization mechanism.
  • Master: Only this device is configurable, and it synchronizes its configuration with that of
    the slave device.
  • Slave: This device receives its configuration from the master device. Only certain changes
    can be made on the slave device. For more information, see Device Roles: Master and Slave,
    page 207.
  Default: None

Synchronization Session Password
  The password used to establish an SSH session between the master and slave devices.
  The same value must be configured on both devices.

Verify Synchronization Session Password
  The password used to establish an SSH session between the master and slave devices.
  The same value must be configured on both devices.

Allow Active Slave Reboot
  Specifies whether the device reboots the slave device when configuration changes require reboot
  and the slave device is currently the active (not the backup) device.
  Default: Disabled
  Note: For more information, see Reset Slave Device, page 207.

Connection Preference
  The IP interface through which configuration-synchronization communication with the peer device
  is established.
  Values:
  • Any: The device tries to establish connectivity via any of the device IP interfaces.
  • Any MNG IP: The device tries to establish connectivity via any of the device IP interfaces
    configured on dedicated management (MNG) ports.
  • Specific device IP interfaces: Select a specific device IP interface for configuration
    synchronization communication. Only IP interfaces for which a Peer IP Address is configured
    are eligible.
  Default: Any
  Note: If the value changes during the configuration-synchronization communication, you must run
  the Reconnect Slave command, which will cause the devices to connect via the new preferred
  interface.


Alternate Connection Preference
  The IP interface through which configuration-synchronization communication with the peer device
  is established in case the IP interface specified for the Connection Preference parameter is
  not available.
  Values:
  • None: No alternate connection.
  • Any: The device tries to establish connectivity via any of the device IP interfaces.
  • Any MNG IP: The device tries to establish connectivity via any of the device IP interfaces
    configured on dedicated management (MNG) ports.
  • Specific device IP interfaces: Only IP interfaces for which a Peer IP Address is configured
    are eligible.
  Default: None

Reconnect Slave (This option button is available only in AppDirector 2.14.03.)
  Reconnects to the slave device with the current Connection Preference.

Peer Connectivity Timers

Keep Alive Interval (Master Only)
  The interval, in seconds, at which the device sends keep-alive messages to the slave device.
  Values: 5-600
  Default: 120

Slave Response Timeout (Master Only)
  The time, in seconds, without a response from the slave device after which the master device
  considers the slave device disconnected.
  Values: 1-600
  Default: 20

Slave Connect Interval (Master Only)
  The interval, in seconds, at which the device attempts to re-establish a connection with a slave
  device that is not responding.
  Values: 1-600
  Default: 15

Slave Reboot Timeout (Master Only)
  The time, in seconds, after the master device sends a reboot command to the slave (and the slave
  has not responded to a connection attempt) that the master device considers the slave device
  disconnected.
  Values: 1-600
  Default: 240

Peer Disconnect Alert Delay
  The time, in seconds, that the device (a master or a slave) waits after identifying a
  disconnection from its peer before it sends a trap.
  A trap alerting on slave disconnection will be sent only after the slave is disconnected for this
  period (to avert flip-flops).
  Values: 0-3600
  Default: 60


Master Communication Timeout (Slave Only)
  The time, in seconds, after the slave device does not receive any message from the master device
  that the slave considers the master device to be disconnected.
  Values: 5-600
  Default: 180

Exclude From Synchronization

Management IP
  Specifies whether Online Configuration Synchronization does not synchronize the IP interfaces
  defined on the management ports MNG-1 and MNG-2.
  Default: Disabled

Secured Management Settings
  Specifies whether Online Configuration Synchronization does not synchronize the secure
  management interface settings and the certificates they use. These include the secure Web-based
  management and SSH.
  Default: Disabled

Table 119: Configuration Synchronization Parameters in AppDirector 2.14.01 and 2.14.02

Parameter
  Description

Device Role
  The role the device plays in the Online Configuration Synchronization mechanism.
  Values:
  • Disabled: The device does not participate in Online Configuration Synchronization mechanism.
  • Master: Only this device is configurable, and it synchronizes its configuration with that of
    the slave device.
  • Slave: This device receives its configuration from the master device. Only certain changes
    can be made on the slave device. For more information, see Device Roles: Master and Slave,
    page 207.
  Default: None

Synchronization Session Password
  The password used to establish an SSH session between the master and slave devices.
  The same value must be configured on both devices.

Verify Synchronization Session Password
  The password used to establish an SSH session between the master and slave devices.
  The same value must be configured on both devices.

Allow Active Slave Reboot
  Specifies whether the device reboots the slave device when configuration changes require reboot
  and the slave device is currently the active (not the backup) device.
  Default: Disabled
  Note: For more information, see Reset Slave Device, page 207.


Discover Management IP Only
  Specifies whether the master device discovers its peer only via the management IP interface or
  via any device interface.
  Default: Enabled

Peer Connectivity Timers

Keep Alive Interval (Master Only)
  The interval, in seconds, at which the device sends keep-alive messages to the slave device.
  Values: 5-600
  Default: 120

Slave Response Timeout (Master Only)
  The time, in seconds, without a response from the slave device after which the master device
  considers the slave device disconnected.
  Values: 1-600
  Default: 20

Slave Connect Interval (Master Only)
  The interval, in seconds, at which the device attempts to re-establish a connection with a slave
  device that is not responding.
  Values: 1-600
  Default: 15

Slave Reboot Timeout (Master Only)
  The time, in seconds, after the master device sends a reboot command to the slave (and the slave
  has not responded to a connection attempt) that the master device considers the slave device
  disconnected.
  Values: 1-600
  Default: 240

Peer Disconnect Alert Delay
  The time, in seconds, that the device (a master or a slave) waits after identifying a
  disconnection from its peer before it sends a trap.
  A trap alerting on slave disconnection will be sent only after the slave is disconnected for this
  period (to avert flip-flops).
  Values: 0-3600
  Default: 60

Master Communication Timeout (Slave Only)
  The time, in seconds, after the slave device does not receive any message from the master device
  that the slave considers the master device to be disconnected.
  Values: 5-600
  Default: 180

Exclude from Synchronization

Management IP
  Specifies whether Online Configuration Synchronization does not synchronize the IP interfaces
  defined on the management ports MNG-1 and MNG-2.
  Default: Disabled

Exclude Secured Management Settings
  Specifies whether Online Configuration Synchronization does not synchronize the secure
  management interface settings and the certificates they use. These include the secure Web-based
  management and SSH.
  Default: Disabled


Configuring AppDirector VLANs


A Virtual LAN (VLAN) is a group of devices on different physical LAN segments or on a single LAN
segment that can interact with each other as if they were all on the same physical LAN segment. In
other words, a VLAN is a group of PCs, servers, and other network resources that behave as if they
were connected to a single network segment, even though physically they are not. They can share
resources and bandwidth as if they were connected to the same section.
Some switches are configured to support single or multiple VLANs. When a switch supports multiple
VLANs, the broadcast domains are not shared between the VLANs. The device learns the Layer 2
addresses on every VLAN port. Known unicast frames are forwarded to the relevant port. Unknown
unicast frames and broadcast frames are forwarded to all ports.
AppDirector VLANs provide bridging and switching functionality among ports assigned to the same
VLAN. AppDirector supports both Regular VLAN and Switch VLAN.

Note: AppDirector devices support up to 64 regular or switched VLANs and up to 2048 VLAN
IDs.

To configure a VLAN
1. In the Configuration perspective Networking tab navigation pane, select VLANs.
2. Do one of the following:
   • To add a VLAN, click the (Add) button.
   • To edit a VLAN, double-click the row.
3. Configure VLAN settings and click OK.
4. To add ports to the VLAN, in the navigation pane, select VLANs > VLAN Ports.
   For more information, see Configuring AppDirector VLAN Ports, page 216.

Table 120: VLAN Parameters

Parameter
  Description

VLAN ID
  Interface number of the VLAN automatically assigned by the management station.

Protocol
  Required VLAN protocol. You can choose IP or Switch VLAN only when the VLAN type is Switch.
  Otherwise, the protocol is IP or Other.
  Default: Other

Type
  Required VLAN type.
  Values:
  • Regular: The VLAN acts as a bridge.
  • Switch: The Switch VLAN can be part of a Regular VLAN.
  Default: Regular


Up Criterion
  The conditions under which a VLAN interface is considered to be up.
  Values:
  • Default by Type: For Regular VLAN, when interface grouping is enabled, all ports in the VLAN
    are up; otherwise, at least one port in the VLAN is up.
    For Switch VLAN, at least one port in the VLAN is up.
  • All Ports: The VLAN is considered up when all the ports in the VLAN are up.
  • One Port: The VLAN is considered up when at least one port in the VLAN is up.
  Default: Default by Type

Down Criterion
  The conditions under which a VLAN interface is considered to be down.
  Values:
  • Default by Type: For Regular VLAN, when interface grouping is enabled, at least one port in
    the VLAN is down; otherwise, all ports in the VLAN are down.
    For Switch VLAN, all ports in the VLAN are down.
  • All Ports: The VLAN is considered down when all the ports in the VLAN are down.
  • One Port: The VLAN is considered down when at least one port in the VLAN is down.
  Default: Default by Type

AppDirector Regular and Switch VLANs


Regular VLAN
A Regular VLAN can be described as an IP Bridge (a software bridge) between multiple ports that
incorporates all the traffic redirection of passing traffic at all layers (Layer 2 to Layer 7). Two
protocols can be used with Regular VLANs:

• IP Protocol: The VLAN must be assigned an IP address. All the traffic between ports is
  intercepted transparently by AppDirector. Packets that need intelligent intervention are checked
  and modified by AppDirector and then forwarded to the relevant port. Other packets are simply
  bridged by AppDirector as if they were on the same wire.
• Other Protocol: An Other Protocol VLAN cannot be assigned an IP address. This type of VLAN
  is used to bridge non-IP traffic through AppDirector. To handle both packets that need intelligent
  intervention and non-IP traffic, you can configure IP VLAN and Other VLAN on the same ports.

Note: Switch VLAN can be standalone or part of a Regular VLAN.

Switch VLAN
Switch VLAN is not available in OnDemand Switch 1 or OnDemand Switch VL.
Switch VLAN provides wire-speed VLAN capabilities implemented through the hardware switch fabric
of the AppDirector device.

Depending on the protocol defined for the Switch VLAN, frames are treated as follows:

• Switch VLAN Protocol: Frames arriving at the VLAN port are switched according to Layer 2
  information. AppDirector does not intercept this traffic.
• IP Protocol: Frames reaching the VLAN port are switched according to Layer 2 information,
  except those whose Layer 2 address is the same as the AppDirector port Layer 2 address.
  Frames with AppDirector Layer 2 destination are processed by AppDirector and then forwarded.

Configuring AppDirector VLAN Ports


After you create a VLAN, you can add ports to it.

To configure VLAN ports


1. In the Configuration perspective Networking tab navigation pane, select VLANs > VLAN Port
   Table.
2. Select the VLAN for which you want to configure ports.
3. Do one of the following:
   • To add a port, click the (Add) button.
   • To edit a VLAN port, double-click the row.
4. Configure VLAN port settings and click OK.

Table 121: VLAN Port Association Parameters

Parameter
  Description

Select VLAN
  Select the VLAN for which you want to add a port.

Port
  The Layer 2 interface that you want to attach to the VLAN. The interface can be a port index,
  trunk index, or Switch VLAN.

Include in Interface Grouping
  Specifies whether the status of this L2 interface should be taken into consideration when
  calculating VLAN status for Interface Grouping (relevant in redundant configurations only).
  When enabled, interfaces can initiate Interface Grouping if this interface is down.

Configuring AppDirector VLAN Advanced Parameters


AppDirector can rewrite VLAN tags on packets that pass through it.

To configure VLAN advanced parameters


1. In the Configuration perspective Networking tab navigation pane, select VLANs > VLAN
   Advanced Parameters.
2. Configure the parameters; and then, click OK.


Table 122: VLAN Advanced Parameters

Parameter
  Description

Auto Config Aging Time
  This parameter is not supported.
  Default: 3600

Bridge Forwarding Table Aging Time
  The time, in seconds, that unused entries remain in the Bridge Forwarding table before the
  device deletes them.
  Default: 3600

VLAN Ether_Type
  The Ethernet type for user-defined VLANs.
  Default: 0000

VLAN Ether_Type Mask
  The mask on Ethernet type for user-defined VLANs.
  Default: ffff

Enable 802.1q
  Specifies whether the device handles VLAN-tagged traffic according to IEEE 802.1Q.
  Values:
  • Enabled: The device handles VLAN-tagged traffic according to IEEE 802.1Q.
  • Disabled: The device drops all VLAN-tagged traffic.
  Default: Disabled

VLAN Tag Handling
  Specifies how the device handles VLAN tags.
  Values:
  • Retain: The device preserves existing VLAN tags on the ingress traffic that passes through
    the device. Traffic generated by the device is tagged according to the IP-interface
    configuration. If an ingress packet has no VLAN tag, the device performs VLAN tagging on the
    egress packet according to the IP interface configuration.
  • Overwrite: The device performs VLAN tagging of outgoing traffic according to the IP-interface
    configuration. AppDirector sets tags for packets according to the IP interface via which the
    traffic will exit the device. If the packet destination IP address is on a subnet local to the
    AppDirector device, AppDirector uses the device IP interface for the subnet. If the packet
    destination IP address is not on a subnet local to the AppDirector device, AppDirector selects
    the device IP interface from the same subnet as the next hop router through which the packet
    must be sent in order to reach its destination.
  Default: Overwrite
  Note: If a packet arrives without a VLAN tag, at a destination interface of AppDirector with a
  VLAN tag, AppDirector sets the tag on the packet according to the destination local subnet,
  even if it is in Retain VLAN Tag Handling mode and behaves as in Overwrite VLAN Tag Handling
  mode.
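
The Retain and Overwrite rules above can be compared side by side on the same packets. The following is an added example, not part of the guide and not Radware code: it is a simplified model of the rules as Table 122 states them, the interface names, subnets, tags and addresses are constructed, and passing untagged traffic unchanged when 802.1q is disabled is an assumption.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

DROP = "drop"


class IpIf(NamedTuple):
    name: str
    subnet: str               # local subnet of the IP interface
    vlan_tag: Optional[int]   # tag configured on the interface, None = untagged


def exit_interface(dst, next_hop, interfaces):
    """Pick the IP interface whose configuration supplies the egress tag.

    A destination on a local subnet uses that subnet's interface; any other
    destination uses the interface on the next-hop router's subnet.
    """
    for target in (dst, next_hop):
        if target is None:
            continue
        for itf in interfaces:
            if ip_address(target) in ip_network(itf.subnet):
                return itf
    return None


def egress_tag(ingress_tag, dst, next_hop, interfaces, *, dot1q, handling):
    """Return the VLAN tag on the egress packet, None for untagged, or DROP.

    ingress_tag is None for untagged ingress traffic and for traffic the
    device generates itself.
    """
    if handling not in ("Retain", "Overwrite"):
        raise ValueError(f"unknown VLAN Tag Handling value: {handling!r}")
    if not dot1q:
        # Enable 802.1q = Disabled: tagged traffic is dropped. Passing untagged
        # traffic through unchanged is an assumption of this model.
        return DROP if ingress_tag is not None else None
    if handling == "Retain" and ingress_tag is not None:
        return ingress_tag  # the existing tag is preserved
    itf = exit_interface(dst, next_hop, interfaces)
    return itf.vlan_tag if itf else None


def compare_modes(packets, interfaces, next_hop):
    """Rows of (ingress_tag, dst, Retain result, Overwrite result)."""
    rows = []
    for tag, dst in packets:
        retain = egress_tag(tag, dst, next_hop, interfaces,
                            dot1q=True, handling="Retain")
        overwrite = egress_tag(tag, dst, next_hop, interfaces,
                               dot1q=True, handling="Overwrite")
        rows.append((tag, dst, retain, overwrite))
    return rows


# Constructed sample: two IP interfaces, with the next-hop router on the second.
INTERFACES = [IpIf("if-servers", "10.1.0.0/16", 10),
              IpIf("if-uplink", "192.0.2.0/24", 20)]
NEXT_HOP = "192.0.2.1"
PACKETS = [(99, "10.1.5.5"), (None, "10.1.5.5"),
           (99, "198.51.100.7"), (None, "198.51.100.7")]

if __name__ == "__main__":
    for row in compare_modes(PACKETS, INTERFACES, NEXT_HOP):
        print("ingress tag %s to %s: Retain=%s Overwrite=%s" % row)
```

The two modes differ only for traffic that arrives already tagged: Retain carries the ingress tag through, while Overwrite replaces it with the tag of the exit IP interface.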


Configuring Segmentation for AppDirector


Sometimes a single AppDirector device is needed to load-balance multiple farms, each located on a
different segment around a firewall. AppDirector must ensure that all traffic between segments is
passed through the firewall. Dividing your network into logical segments, where a single AppDirector
load balances the traffic and all segments can be inspected by a single firewall, is called
segmentation.
To support segmentation, AppDirector defines a type of network entity known as a segment.
Segments are logical entities that can be associated either with physical ports (including VLANs and
Trunks) or with VLAN tags. Layer 4 Policies are also associated with segments, to define the logical
location of each VIP. AppDirector allows traffic for a Layer 4 Policy's VIP only when the traffic arrives
from the same segment where this policy resides.
A default gateway can be associated with each segment; usually, the firewall interface of that
segment. There are cases when AppDirector receives traffic that cannot be handled due to segment
conflicts; the segment over which traffic was received does not match the segment to which traffic is
forwarded. AppDirector does not route traffic between segments. All traffic between segments is
sent via a segment NHR.

Notes:
>> You can also assign a backup gateway to each segment, similar to the way Next Hop
Routers can be associated with Virtual IPs.
>> AppDirector default gateway can only belong to the default segment.
For more information about segmentation configurations, see the AppDirector User Guide.
For information about configuring segmentation in AppDirector 2.11.x, see Segmentation in
AppDirector 2.11, page 220.
Before you configure a Server Cracking profile, ensure that you have configured the NHRs to use for
segmentation. For more information, see Configuring NHRs in AppDirector, page 172.

To configure segmentation
1. In the Configuration perspective Networking tab navigation pane, select Segmentation.
2. Configure segmentation global parameters and click (Submit) to submit the changes.
3. Do one of the following:
   • To create a new segment, click the (Add) button.
   • To edit an existing entry, double-click the row.
4. Configure segment parameters, and click OK.
5. To associate an NHR to each segment, in the navigation pane, select Segmentation >
   Segment NHR.
   For more information, see Associating NHRs to Segments, page 221.


Table 123: Segmentation Global Parameters

Parameter
  Description

Segmentation Mode
  The segmentation operating method. All the segments must be of the same type, either port
  segments or VLAN tag segments.
  Values:
  • Ports: Segmentation is enabled and is based on the device's physical ports, trunks, or VLAN
    tags.
  • VLAN Tag: Segmentation is enabled and based on the 802.1q environment. In AppDirector
    versions prior to 2.13, when the VLAN Tag mode is in use, an 802.1q environment must be
    enabled and the VLAN Tag Handling parameter must be set to Retain.
  • Disabled: The feature is disabled.
  Default: Disabled

Default Segment Forwarding Mode
  Physical ports, VLANs, Trunks, and 802.1q VLAN tags that are not part of any segment are
  considered to be members of a default segment. The default segment is a grouping of all the
  ports, VLANs, trunks and 802.1q VLAN tags that do not belong to any segment.
  Configure the behavior of traffic from a port or tag that is not a member of any segment and is
  destined to a port or tag that is a segment member.
  Values:
  • Forward: Forwards traffic to destination (not via Firewall) as if Segmentation is disabled.
  • Discard: Discards the traffic.
  • Default Gateway: Forwards the traffic to the AppDirector default gateway with Segmentation
    if necessary.
  Default: Default Gateway

Segmentation Shared Ports
  Select the port on which the firewall is connected to participate in all segments automatically
  (even VLAN tag segments).

Default Segment Shared VIP
  When selected, enables VIPs belonging to the default segment to receive traffic from any other
  segment directly (without passing via the firewall).

Table 124: Segment Parameters

Parameter
  Description

Segment Name
  The unique name of the segment.

Available Ports
  The list of Fast Ethernet ports, Gigabit Ethernet ports or Trunk Ports that can be associated
  with the segment.
  To associate a port, select the port and click

Selected Ports
  The list of Ethernet ports, Gigabit Ethernet ports or Trunk Ports that are associated with the
  segment.
  To remove a port association, select the port and click

VLAN Tag List
  The list of VLAN tags to be associated with the segment. Use commas (,) to separate VLAN tag
  entries.

Special Segmentation Flag
  When enabled, VIPs belonging to this segment can receive traffic from any other segment directly
  (without passing via firewall).


Back-end Segmentation (This parameter is available only in AppDirector 2.14.03 and later.)
  The behavior when the Layer 4 policy (VIP) and the server that provides the service to the VIP
  belong to different segments. Back-end Segmentation is an override that should be used when the
  server is not within the same segment that is associated with the Layer 4 policy and the client
  sends traffic to the VIP (for load balancing).
  Values:
  • Enabled: The device performs segmentation (forwards traffic to Layer 4 policy segment NHR).
  • Disabled: The device forwards traffic directly to server.
  Default: Enabled
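
Several of the parameters in Tables 123 and 124 let traffic reach a VIP or a server without passing through the firewall, so they are worth reviewing together with the constraints stated for VLAN Tag mode and for AppDirector 2.11. The following is an added example, not part of the guide and not Radware code: the dictionary layout, its key names, and both sample configurations are constructed, and each rule restates a sentence from this section.

```python
def version_tuple(version):
    """'2.14.03' -> (2, 14, 3); non-numeric parts such as the 'x' in '2.11.x' are skipped."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def segment_kind(segment):
    """Classify a segment by what it is built from: ports, tags, mixed or empty."""
    has_ports = bool(segment.get("ports"))
    has_tags = bool(segment.get("vlan_tags"))
    if has_ports and has_tags:
        return "mixed"
    return "ports" if has_ports else "tags" if has_tags else "empty"


def audit_segmentation(cfg):
    """Return (severity, scope, message) findings for one device configuration."""
    ver = version_tuple(cfg["version"])
    glob, segments = cfg["global"], cfg["segments"]
    mode = glob["segmentation_mode"]
    if mode == "Disabled":
        return [("info", "global", "segmentation is disabled")]
    out = []
    # Consistency rules.
    kinds = {segment_kind(s) for s in segments} - {"empty"}
    if "mixed" in kinds or len(kinds) > 1:
        out.append(("error", "global",
                    "segments must all be port segments or all be VLAN tag segments"))
    if mode == "VLAN Tag" and ver < (2, 13):
        if not glob["dot1q_enabled"] or glob["vlan_tag_handling"] != "Retain":
            out.append(("error", "global",
                        "VLAN Tag mode before 2.13 needs 802.1q enabled and "
                        "VLAN Tag Handling set to Retain"))
    # Settings that let traffic skip the firewall.
    if glob["default_segment_forwarding_mode"] == "Forward":
        out.append(("bypass", "global",
                    "default-segment traffic is forwarded to segment members, not via the firewall"))
    if glob["default_segment_shared_vip"]:
        out.append(("bypass", "global",
                    "default-segment VIPs receive traffic from any other segment directly"))
    for seg in segments:
        name = seg["name"]
        if ver[:2] == (2, 11) and len(seg.get("vlan_tags", [])) > 1:
            out.append(("error", name, "AppDirector 2.11 allows only one VLAN tag per segment"))
        if seg.get("special_segmentation_flag"):
            out.append(("bypass", name,
                        "VIPs in this segment receive traffic from any other segment directly"))
        # Back-end Segmentation exists only in 2.14.03 and later; its default is Enabled.
        if ver >= (2, 14, 3) and not seg.get("backend_segmentation", True):
            out.append(("bypass", name,
                        "traffic to a server in another segment is forwarded directly"))
        if not seg.get("nhr"):
            out.append(("warn", name, "no NHR associated with the segment"))
    return out


# Constructed configuration for a 2.14.03 device in Ports mode.
CONFIG_2_14 = {
    "version": "2.14.03",
    "global": {"segmentation_mode": "Ports", "dot1q_enabled": False,
               "vlan_tag_handling": "Overwrite",
               "default_segment_forwarding_mode": "Forward",
               "default_segment_shared_vip": False},
    "segments": [
        {"name": "dmz", "ports": ["G-1", "G-2"], "nhr": "10.0.1.1"},
        {"name": "app", "ports": ["G-3"], "nhr": "10.0.2.1",
         "special_segmentation_flag": True, "backend_segmentation": False},
        {"name": "db", "ports": ["G-4"], "nhr": None},
    ],
}
# Constructed configuration for a 2.11 device in VLAN Tag mode.
CONFIG_2_11 = {
    "version": "2.11.x",
    "global": {"segmentation_mode": "VLAN Tag", "dot1q_enabled": True,
               "vlan_tag_handling": "Overwrite",
               "default_segment_forwarding_mode": "Default Gateway",
               "default_segment_shared_vip": False},
    "segments": [{"name": "tenant-a", "vlan_tags": [10, 20], "nhr": "10.0.9.1"}],
}

if __name__ == "__main__":
    for cfg in (CONFIG_2_14, CONFIG_2_11):
        print(cfg["version"])
        for severity, scope, message in audit_segmentation(cfg):
            print(f"  [{severity}] {scope}: {message}")
```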

Segmentation in AppDirector 2.11


For general information about segmentation, see Configuring Segmentation for AppDirector,
page 218.
In AppDirector 2.11:

You can configure only one VLAN tag per segment.

A configuration where farms associated with the same Layer 4 Policy VIP are associated with
different segments is not supported; therefore, ensure that such configuration conflicts are
avoided. Similarly, configurations where servers and the Virtual IP do not belong to the same
segment are not supported.

To configure segmentation
1. In the Configuration perspective Networking tab navigation pane, select Segmentation.
2. Configure segmentation global parameters and click (Submit) to submit the changes.
3. Do one of the following:
   To create a new segment, click the (Add) button.
   To edit an existing entry, double-click the row.
4. Configure segment parameters, and click OK.
5. To associate an NHR to each segment, in the navigation pane, select Segmentation >
   Segment NHR.
   For more information, see Associating NHRs to Segments, page 221.

Table 125: Segmentation Global Parameters

Parameter

Description

Segmentation Mode

The segmentation operating method. All the segments must be of the
same type; either port segments or VLAN tag segments.
Values:
Ports: Segmentation is enabled and is based on the device's physical
ports, trunks or VLANs.
VLAN Tag: Segmentation is enabled and based on the 802.1q
environment. When the VLAN tag mode is in use, 802.1q
environment must be enabled and the VLAN Tag Handling parameter
must be set to Retain.
Disabled: The feature is disabled.
Default: Disabled

Default Segment Forwarding Mode

Physical ports, VLANs, Trunks, and 802.1q VLAN tags that are not part of
any segment are considered to be members of a default segment. The
default segment is a grouping of all the ports, VLANs, Trunks and 802.1q
VLAN tags that do not belong to any segment.
Configure the behavior of traffic from a port or tag that is not a member of
any segment and is destined to a port or tag that is a segment member.
Values:
Forward (Handling without Segmentation): Forwards traffic to
destination (not via Firewall) as if Segmentation is disabled.
Discard: Discards the traffic.
Default Gateway (Handling with Segmentation if necessary):
Forwards the traffic to the AppDirector Default gateway with
Segmentation if necessary.
Default: Default Gateway

Table 126: Segment Parameters

Parameter

Description

Segment Name

The unique name of the segment.

Available Ports

The list of Fast Ethernet ports, Gigabit Ethernet ports or Trunk Ports that
can be associated with the segment.
To associate a port, select the port and click

Selected Ports

The list of Ethernet ports, Gigabit Ethernet ports or Trunk Ports that are
associated with the segment.
To remove a port association, select the port and click

VLAN Tag

Enter the VLAN tag to be associated with the segment.

Associating NHRs to Segments


A default gateway must be associated to each segment; this would be the Firewall interface of that
segment. When AppDirector receives traffic that cannot be handled due to segment conflicts,
meaning the segment over which traffic was received does not match the segment over which traffic
should be forwarded, AppDirector sends this traffic to the default gateway of the receiving segment.
You must assign a default gateway to each segment.

Before you associate NHRs to segments, ensure that you have configured the next-hop routers
(NHRs) to use for segmentation. For more information, see Configuring NHRs in AppDirector,
page 172.

To associate NHRs to segments
1. In the Configuration perspective Networking tab navigation pane, select Redundancy >
   Segmentation > Segment NHR.
2. Do one of the following:
   To create a new association, click the (Add) button.
   To edit an existing entry, double-click the row.
3. Configure segment NHR parameters, and click OK.

Table 127: Segment NHR Parameters in AppDirector 2.30 and Later

Parameter

Description

Segment Name

The name of the segment for association of NHR. Select from the list.

Main NHR
IPv4 Address

Select the NHR IP address.

IPv6 IP Address

Select the NHR IP address.

Weight

Configure a weighting for the NHR.
Values: 1–100

Backup NHR
IPv4 IP Address

Select the backup NHR IP address.

IPv6 IP Address

Select the NHR IP address.

Weight

Configure a weighting for the backup NHR.
Values: 1–100

No Route Action

Configures AppDirector behavior when both the main and backup NHRs
are down.
Values:
Discard: Discards the traffic.
Use Regular Routing: Sends traffic according to the regular route.

Enable Load Sharing

When selected, outgoing traffic is sent through both NHRs at the same
time.

Table 128: Segment NHR Parameters in AppDirector Prior to Version 2.30

Parameter

Description

Segment Name

The name of the segment for association of NHR. Select from the list.

Main NHR
IP Address

Select the NHR IP address.

Weight

Configure a weighting for the NHR.
Values: 1–100

Backup NHR

IP Address

Select the backup NHR IP address.

Weight

Define a weighting for the backup NHR.
Values: 1–100

No Route Action

Configures AppDirector behavior when both the main and backup NHRs
are down.
Values:
Discard: Discards the traffic.
Use Regular Routing: Sends traffic according to the regular route.

Enable Load Sharing

When selected, outgoing traffic is sent through both NHRs at the same
time.

Configuring AppDirector Advanced Networking Parameters

To configure AppDirector advanced networking parameters
1. In the Configuration perspective Networking tab navigation pane, select Advanced.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 129: AppDirector Advanced Networking Parameter

Parameter

Description
Duplicate IPv6 Address Detection

Duplicate Address Detection (DAD) is the process by which a node determines that an IPv6 address
considered for use is not already in use by a neighboring node. (This is equivalent to the use of
gratuitous ARP frames in IPv4.) The DAD process consists of sending a neighbor discovery
whenever the device is assigned a new IP address, asking for a neighbor with the same address.
The device performs the DAD procedure for each newly configured IPv6 address: IP interface, VIP,
VIPIm, and client NAT addresses belonging to a subnet configured on the device (matching IP
interface). DAD is not performed for VIP, VIPIs, and client NAT addresses that do not have a
matching IP interface (that is, orphan addresses).
DAD is also performed for each configured IP address (IP interfaces, non-orphan VIPs, VIPIs and
client NAT addresses) on device startup.

Retransmits Number

Enables the DAD process and determines the number of times that the
DAD Neighbor discovery message is transmitted, where a value of zero
means DAD is disabled.

IPv6 Router Advertisement

With IPv6, routers can be dynamically discovered and adopted as default gateways by the host
nodes on the same local link, rather than having to statically configure the default gateway and
change it on every network restructure. This process also allows the node to automatically assign
its own global unicast IP address, by having the router publish a prefix for the subnet to be
attached to the host's link-local address. This is called stateless auto-configuration and comes as an
alternative to DHCP, which is stateful, because it has to keep a record of the assigned IP address.
Nevertheless, DNS server addresses must still be obtained from DHCP servers, but this does not
incur state maintenance.
The managed device can periodically send Router Advertisements (RAs) on each IP interface
according to a random interval, between specified minimum and maximum times. The managed
device also sends these messages in response to Router Solicitation messages.
To edit the IPv6 router advertisement, right-click the relevant row in the table, and select Edit
IPv6 Router Advertisement Entry.
Interface Index

(Read-only) The identifier of the interface on the physical device.

Send Router Advertisements (RA)

Specifies whether the managed device sends IPv6 Router Advertisement
(RA) messages.
Default: Disabled

Max RA Interval

The maximum time, in seconds, between Router Advertisements that the
managed device sends.
Values: 4–1800
Default: 600

Min RA Interval

The minimum time, in seconds, between Router Advertisements that the
managed device sends.
Values: 3–1350
Default: 200
Note: The value must be no greater than 75 percent of the specified
Max RA Interval.

MTU

The Maximum Transmission Unit value the managed device puts in the
router advertisement message.
Values:
0: Specifies that no MTU options are put in the message.
1280–65,536
Default: 0

Managed Address Configuration

Specifies whether the Managed Address Configuration Flag is set in the
messages that the managed device sends. The flag indicates to the hosts
on the respective network link that they should use stateful configuration
with DHCPv6 for obtaining addresses and all networking configuration.
Default: Disabled

Other Stateful Configuration

Specifies whether the Other Stateful Configuration Flag is set in the
messages that the managed device sends. The flag indicates to the hosts
on the respective network link that they should use stateful configuration
with DHCPv6 for obtaining additional networking configuration, excluding
IP addresses.
Default: Disabled

Reachable Time

The Reachable Time value, in milliseconds, that the managed device puts
in the router advertisement message. This value is for the use of the
nodes that receive it. The Reachable Time specifies the time, in
milliseconds, that a neighbor node on the network link is considered
reachable since the last reachability confirmation.
Values:
0: The Reachable Time is not specified in the router advertisement
message.
1–3600000
Default: 0

Retransmit Time

The Retransmit Time value, in milliseconds, that the managed device puts
in the router advertisement message. This value is for the use of the
nodes that receive it.
Values:
0: The Retransmit Time is not specified in the router advertisement
message.
1232
Default: 0

Current Hop Limit

The Current Hop Limit value that the managed device puts in the router
advertisement message. This value is for the use of the nodes that receive
it.
Values:
0: The Current Hop Limit is not specified in the router advertisement
message.
1–255
Default: 64

Default Router Lifetime

The Router Lifetime value, in seconds, that the managed device puts in
the router advertisement message. This value is for the use of the nodes
that receive it. The Router Lifetime specifies the time, in seconds, this
device should be used as a default router. Note that this is an expiration
interval only for the status of the device as a default router, not for other
information in the Router Advertisement message.
Values:
0: Specifies that this device should not be used as a default router.
4–9000
Default: 1800

Configuring DefensePro Redundancy


This feature is available in DefensePro 5.10 and later.
Radware recommends installing DefensePro devices in pairs to provide high availability (HA), that
is, fault tolerance in the case of a single device failure.
To support high availability, you configure two compatible DefensePro devices to operate in a
two-node cluster. One member of the cluster is configured as the primary; the other member of the
cluster assumes the role of secondary.

When you configure a cluster and commit the configuration, APSolute Vision configures the required
parameters on the secondary device.
You can configure a cluster from the APSolute Vision sites tree or from the High Availability pane in
the Configuration perspective.
For more information, see Configuring DefensePro High Availability, page 101.

Configuring Basic Networking Parameters in DefensePro


In DefensePro 5.12 and later, use the Basic pane to do the following:

Specify the IP Version Mode (IPv4 or IPv6)

Specify whether jumbo frames bypass the device or are discarded; available only on platforms
with the DoS Mitigation Engine (DME)

Specify whether to inspect jumbo frames or discard them; available only in DefensePro 6.05
and later

Configure the IP Fragmentation parameters

Specify whether the device passes through all traffic that matches no network policy
configured on the device

In DefensePro versions prior to 5.12, use the Basic pane to configure the following:

Enable/disable tunneling

Enable/disable MPLS-RD

Specify the IP Version Mode (IPv4 or IPv6)

Tunneling Support in DefensePro Versions Prior to 5.12


This section is relevant only for DefensePro versions prior to 5.12.
Carriers, service providers, and large organizations use various tunneling protocols to transmit data
from one location to another. This is done using the IP network so that network elements are
unaware of the data encapsulated in the tunnel.
Tunneling implies that traffic routing is based on source and destination IP addresses. When
tunneling is used, IPS devices and load balancers cannot locate the relevant information because
their decisions are based on information located inside the IP packet in a known offset, and the
original IP packet is encapsulated in the tunnel.
To provide a carrier-grade IPS/DoS solution, DefensePro inspects traffic in tunnels, positioning
DefensePro in peering points and carrier network access points.
In general, wireline operators deploy MPLS and L2TP for their tunneling, and mobile operators
deploy GRE and GTP.

Caution: When you enable tunneling, you must reboot the device before you can configure
MPLS RD groups.

IPv4 and IPv6 Support


DefensePro supports IPv6 and IPv4 protocols and provides a fully functional IPS and DoS prevention
solution for IPv6/IPv4 packets. Management works only in IPv4.

Caution: Changing the configuration of this feature takes effect only after a device reset.

DefensePro supports processing of IPv6 packets and ICMPv6 packets, including:

Setting networks with IPv6 addresses

Applying security policies

Blocking attacks

Security reporting

IP Fragmentation

This section is relevant only for DefensePro 5.12 and later.
When an IP packet is too long to be transmitted, the originator of the packet, or one of
the routers transmitting the packet, must fragment the packet into multiple shorter packets.
Using IP fragmentation, the managed device can classify the Layer 4 information of IP fragments.
The device identifies all the fragments that belong to the same datagram, then classifies and
forwards them accordingly. The device does not reassemble the original IP packet, but forwards the
fragmented datagrams to their destination, even if the datagrams arrive at the device out of order.

Note: In DefensePro versions prior to 5.12, you configure the IP Fragmentation in the IP
Fragmentation pane in the Configuration perspective Advanced Parameters tab
navigation pane.
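
The following added example (not Radware code and not part of the original guide) models the behavior described above: fragments are grouped per datagram, classified by the Layer 4 header carried in the first fragment, and released without reassembly even when they arrive out of order. The class, the policy table, the buffer count of 8, the action names and the sample fragments are constructed assumptions; the 25 percent queuing share and 1 second aging mirror the Queuing Limit and Aging Time defaults in Table 130.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Fragment:
    src: str
    dst: str
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP
    ident: int      # IP Identification, shared by all fragments of one datagram
    offset: int     # fragment offset in 8-byte units; 0 marks the first fragment
    more: bool      # More Fragments (MF) flag
    payload: bytes


class FragmentClassifier:
    """Toy model (assumption): classify fragments without reassembling them."""

    def __init__(self, policy, buffers=8, queuing_limit_pct=25, aging_time=1.0):
        self.policy = policy                                   # {(proto, dst_port): action}
        self.max_queued = buffers * queuing_limit_pct // 100   # models Queuing Limit
        self.aging_time = aging_time                           # models Aging Time (seconds)
        self.verdicts = {}    # datagram key -> (action, time the verdict was learned)
        self.queue = {}       # datagram key -> [(arrival time, fragment)]
        self.aged_out = 0     # queued fragments dropped because they waited too long

    @staticmethod
    def _key(frag):
        return (frag.src, frag.dst, frag.proto, frag.ident)

    def _expire(self, now):
        for key in list(self.queue):
            kept = [(t, f) for t, f in self.queue[key] if now - t <= self.aging_time]
            self.aged_out += len(self.queue[key]) - len(kept)
            if kept:
                self.queue[key] = kept
            else:
                del self.queue[key]
        for key in [k for k, (_, t) in self.verdicts.items() if now - t > self.aging_time]:
            del self.verdicts[key]

    def handle(self, frag, now):
        """Return [(fragment offset, action)] for every fragment released by this call."""
        self._expire(now)
        key = self._key(frag)
        if key in self.verdicts:
            # Verdict already learned; a duplicate first fragment cannot change it.
            return [(frag.offset, self.verdicts[key][0])]
        if frag.offset == 0:
            if frag.proto in (6, 17) and len(frag.payload) < 4:
                action = "discard"   # first fragment too small to carry the L4 ports
            elif frag.proto in (6, 17):
                dst_port = struct.unpack("!H", frag.payload[2:4])[0]
                action = self.policy.get((frag.proto, dst_port), "forward")
            else:
                action = "forward"   # no ports to classify on in this model
            self.verdicts[key] = (action, now)
            waiting = [f for _, f in self.queue.pop(key, [])]
            return [(f.offset, action) for f in waiting + [frag]]
        if sum(len(v) for v in self.queue.values()) >= self.max_queued:
            return [(frag.offset, "discard")]   # queue share exhausted
        self.queue.setdefault(key, []).append((now, frag))
        return []


def run_demo():
    """Constructed traffic: one UDP/53 datagram out of order, then queue pressure."""
    clf = FragmentClassifier({(17, 53): "inspect", (6, 23): "block"})
    a = dict(src="198.51.100.7", dst="192.0.2.10", proto=17, ident=0x1A2B)
    first = Fragment(**a, offset=0, more=True,
                     payload=struct.pack("!HHHH", 40000, 53, 24, 0))
    mid = Fragment(**a, offset=1, more=True, payload=b"B" * 8)
    last = Fragment(**a, offset=2, more=False, payload=b"C" * 8)
    out_of_order = [clf.handle(last, 0.0), clf.handle(mid, 0.1), clf.handle(first, 0.2)]

    # Non-first fragments of a datagram whose first fragment never arrives.
    b = dict(src="203.0.113.9", dst="192.0.2.10", proto=6, ident=0x2222)
    flood = [clf.handle(Fragment(**b, offset=n, more=True, payload=b"X" * 8), 0.3)
             for n in (1, 2, 3)]

    # A first fragment too short to contain the TCP ports.
    tiny = Fragment(src="203.0.113.9", dst="192.0.2.10", proto=6, ident=0x3333,
                    offset=0, more=True, payload=b"\x00\x17")
    tiny_result = clf.handle(tiny, 5.0)   # by 5.0 s both queued fragments have aged out
    return out_of_order, flood, tiny_result, clf.aged_out


if __name__ == "__main__":
    print(run_demo())
```

The model shows why the queuing share and aging time matter: fragments that arrive before their first fragment hold buffers until a verdict exists, so both bounds limit how much state a stream of orphan fragments can pin.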
1. In the Configuration perspective Networking tab navigation pane, select Basic.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Table 130: Basic Networking Parameters

Parameter

Description
Basic Parameters

IP Version Mode

The IP version that the device supports.
Values:
IPv4: The device processes IPv4 packets only.
IPv4 and IPv6: The device processes IPv6 and IPv4 packets.
Note: If the IPv4 option is selected and IPv6 network classes are
configured, all IPv6 policies (rules) are automatically
disabled. Policies applied on both IPv4 and IPv6 traffic
continue to process IPv4 traffic only. The IPv6 information
remains visible.

Jumbo Frames

Inspect Jumbo Frames
(On platforms with the DoS Mitigation Engine, the Inspect Jumbo Frames
checkbox is available only when the Bypass Jumbo Frames checkbox is
cleared.)

Specifies whether the device inspects jumbo frames or discards them.
Values:
Enabled: The device inspects frames up to 9216 bytes.
Disabled: The device discards frames that are larger than 1550
bytes.
Default: Disabled
Notes:
>> Changing the configuration of this option takes effect only
after a device reset.
>> When this option is enabled, all DefensePro monitoring and
protection modules support monitoring, inspection,
detection, and mitigation of traffic and attacks on packets up
to 9216 bytes. For example, when this option is enabled, TCP
Authentication using Transparent Proxy supports an
additional maximum segment size (MSS) value to improve
performance of the protected networks.

Bypass Jumbo Frames
(This parameter is displayed only on platforms with the DoS Mitigation
Engine, that is, the DME. This parameter is available only when the
Inspect Jumbo Frames checkbox is cleared.)

Specifies whether jumbo frames bypass the device.
Values:
Enabled: Frames of 1550–9216 bytes bypass the device without
any inspection or monitoring.
Disabled: The device discards frames that are larger than 1550
bytes.
Default: Disabled
Notes:
>> Changing the configuration of the option takes effect only
after a device reset.
>> When the option is enabled on an x412 platform, there may
be some negative effect on the following features: Packet
Anomalies, Black and White Lists, and BDoS real-time
signatures.
>> When the option is enabled on an x06 or x016 platform,
there may be some negative effect on Black and White lists.
>> When the option is enabled, TCP SYN Protection may not
behave as expected because the third packet in the TCP
three-way-handshake can include data and be in itself a
jumbo frame.
>> When the option is enabled, some protections that rely on
the DefensePro session table might produce false-negatives
and drop traffic when all the session traffic bypasses the
device in both directions for a period longer than Session
Aging Time.

IP Fragmentation

Enable IP Fragmentation

When selected, enables IP fragmentation.
Default: Enabled

Queuing Limit

The percentage of IP packets the device allocates for out-of-sequence
fragmented IP datagrams.
Values: 0–100
Default: 25

Aging Time

The time, in seconds, that the device keeps the fragmented
datagrams in the queue.
Values: 1–255
Default: 1

Traffic Exclusion
This group box is available only in DefensePro 6.02 and later on x412 platforms with the DME.

Traffic Exclusion

Specifies whether the device passes through all traffic that matches
no network policy configured on the device, regardless of any other
protection configured.
Default: Enabled
Caution: If Traffic Exclusion is enabled, to inspect traffic that
matches a Server Protection policy, you must configure
the Server Protection policy as a subset of the Network
Protection Policy rule.

To configure the Basic Networking parameters in DefensePro versions prior to 5.12
1. In the Configuration perspective Networking tab navigation pane, select Basic.
2. Configure the parameters; and then, click (Submit) to submit the changes.

Note: When you enable tunneling, you must reboot the device before you can configure MPLS
RD groups.

Table 131: Basic Networking Parameters in DefensePro Versions Prior to 5.12

Parameter

Description

Enable Tunneling

Enables tunneling support on the device.

Enable MPLS-RD

Enables MPLS RD support on the device.

IP Version Mode

The IP version that the device supports.
Values:
IPv4: The device processes IPv4 packets only.
IPv4 and IPv6: The device processes IPv6 and IPv4 packets.
Note: If the IPv4 option is selected and IPv6 network classes are
configured, all IPv6 policies (rules) are automatically
disabled. Policies applied on both IPv4 and IPv6 traffic
continue to process IPv4 traffic only. The IPv6 information
remains visible.

Configuring Port Pairs for DefensePro


You can configure ports on a DefensePro device to receive, inspect, and transmit traffic. The traffic
from the receiving port is always sent out of the device from its corresponding transmitting port. The
ports are paired; one port receives traffic while another transmits traffic.
You can set the operation mode of a port pair. When the port pair operates in Process mode, the
traffic is inspected for attacks and traffic sampling policies are applied. When the port pair operates
in Forward mode, the traffic is forwarded to the destination port without any inspection.

Note: DefensePro x06 models automatically create static-forwarding definitions on the
following port pairs when they are not assigned to packet trace or trunks: G-1–G-2
and G-3–G-4.

To configure a pair of ports
1. In the Configuration perspective Networking tab navigation pane, select Port Pairs.
2. Do one of the following:
   To add a pair of ports, click the (Add) button.
   To edit a pair of ports, double-click the row.
3. Configure the parameters; and then, click OK.

Table 132: Port Pair Parameters

Parameter

Description
Port Pairs

Source Port

The user-defined source port for received traffic.

Destination Port

The user-defined destination port for transmitted traffic.

Operation

The operation mode assigned to a pair of ports.
Values:
Forward: The traffic is forwarded without any inspection.
Process: The traffic passes through the CPU and is inspected for attacks,
bandwidth, and so on.

Failure Mode

Specifies whether the traffic passes through (bypasses) a pair of RJ-45 ports
when the platform is rebooting or is powered down (for example, if the device
fails).
Values:
Fail-Close: Traffic does not pass through when the platform is powered
down. When a pair of ports enters fail-close state, traffic is blocked and
the link appears to be down (no power), and switches that are connected
to the DefensePro device detect the link as being down.
Fail-Open: Traffic passes through (not processed by DefensePro) when
the platform is powered down.
When you configure Fail-Open for a port pair, you cannot:
   Assign the ports into a link aggregation.
   Configure either port as a copied destination port.
   Configure the ports for SSL inspection.
Note: For more information, see Internal Bypass for RJ-45 Ports in
DefensePro, page 231.

In Port

Specifies which port in the pair is designated as the inbound port (the source
or destination port). This setting is used in real-time reports for inbound and
outbound traffic.

Advanced Parameters
In DefensePro x06 models, this group box and the Enable Interface Grouping checkbox are not
displayed. In x06 models, Interface Grouping is always enabled.

Enable Interface Grouping

Specifies whether the device groups the statuses of the port-pair interfaces.
When the option is enabled, if one port of a port pair is disconnected,
DefensePro sets the status of the paired port to disconnected also; so, a
remote device connected to the DefensePro device perceives the same
disconnected status.
Typically, the option is enabled when DefensePro is configured between
switches that use link redundancy. Interface grouping is the only way both
switches always perceive the same DefensePro interface status.
Default: Disabled

Internal Bypass for RJ-45 Ports in DefensePro


You can configure whether the traffic passes through (bypasses) a pair of RJ-45 ports when the
platform is rebooting or is powered down (for example, if the device fails). You can choose from two
failure modes: Fail-Close or Fail-Open.
With the Fail-Close option, traffic does not pass through when the platform is powered down. When
a pair of ports enters fail-close state, traffic is blocked and the link appears to be down (no power),
and switches connected to DefensePro detect the link as being down.
With the Fail-Open option, traffic passes through (not inspected by DefensePro) when the platform is
powered down.

When you configure a port pair to use the Fail-Open option, you cannot do the following:

Assign the ports into a link aggregation.

Use either of the ports for management purposes.

Configure either of the ports as a copied destination port.

Configure the ports for SSL inspection.

By default, all the interfaces that support configurable failure mode, except the last pair, are
configured with the Process option for Port Operation with the failure mode set to Fail-Open.
For network debugging or testing purposes, using CLI, you can manually force a pair of ports into
the failure state without turning the power off or rebooting the device.
In high-availability, you can set the failure mode of a copper port on a primary device to fail-close.
Thus, when the primary device goes down, the data path will have to change to the secondary
device. On the secondary device, you should consider the fail-open configuration to ensure that
failure of both DefensePro devices will not result in traffic loss.
DefensePro sends appropriate notifications at the following times:

When the configuration of a port pair changes from Fail-Close to Fail-Open.

With the Fail-Open option, when:

A port changes status from up to down.

A port changes status from down to up.

Configuring SSL Inspection for DefensePro


Notes:
>> This solution is deprecated.
>> This solution is not supported in DefensePro x06 models.
DefensePro, in conjunction with Radware's AppXcel, can inspect SSL encrypted sessions and protect
SSL tunnels from attacks. When a session is encrypted using SSL, an IPS/IDS device based on
signature matching cannot inspect the secured traffic. DefensePro passively inspects SSL encrypted
sessions. SSL traffic is mirrored by DefensePro and the decrypted session is inspected.
SSL traffic is classified by the device the same way regular traffic is. Traffic is mirrored by
DefensePro and sent to AppXcel. AppXcel decrypts the HTTPS to HTTP and DefensePro then applies
its security policies on the HTTP traffic. If an attack is identified, DefensePro sends a RST packet to
the source and/or destination of the original connection.

Figure 32: SSL-based Protection Flow


[Figure: diagram showing Router, DefensePro, AppXcel, and Web servers, with numbered flows 1 to 4 labeled HTTPS, HTTP, and RST.]

1. A client initiates an HTTPS session with the server.


2. When DefensePro forwards the traffic to the server, it replicates the HTTPS session to a
preconfigured port, where an AppXcel unit is connected.
3. AppXcel operates in passive SSL mode, decrypts the HTTPS session and returns it as an HTTP
session.
4. DefensePro inspects the HTTP traffic received from AppXcel based on its policies. If an attack is
detected, DefensePro sends a Reset packet to the source and/or destination.

Note: Bandwidth Management, DoS, SYN protection and other policies can also be applied to
the original SSL streams.
Before you configure SSL inspection, configure inspection ports in the Static Forwarding table by
setting the operating mode to Process.
When you assign the same Destination Port to more than one Source Port, you must set the
Destination Port of the traffic in the opposite direction, otherwise the traffic transmitted in that
direction is ignored. For example, if both Source Port 1 and Source Port 2 are associated with
Destination Port 3, then for traffic in the opposite direction, the Source Port is 3 while the
Destination Port must be defined (1 or 2).
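
The restrictions listed under Internal Bypass for RJ-45 Ports and the static-forwarding requirements above can be checked against an exported port-pair table before a change is applied. The following is an added example, not Radware code and not part of the original guide; the dictionary layout, the port-use labels, the finding codes and the sample table (ports G-5 to G-7 included) are constructed assumptions.

```python
from collections import defaultdict

# Uses that the guide says a Fail-Open port pair cannot have (labels are hypothetical).
FAIL_OPEN_CONFLICTS = {"link-aggregation", "management", "copied-destination", "ssl-inspection"}

# Constructed sample configuration.
SAMPLE_PAIRS = [
    {"source": "G-1", "destination": "G-2", "operation": "Process", "failure_mode": "Fail-Open"},
    {"source": "G-3", "destination": "G-4", "operation": "Forward", "failure_mode": "Fail-Close"},
    {"source": "G-5", "destination": "G-7", "operation": "Process", "failure_mode": "Fail-Close"},
    {"source": "G-6", "destination": "G-7", "operation": "Process", "failure_mode": "Fail-Close"},
]
SAMPLE_USES = {"G-2": {"link-aggregation"}, "G-3": {"ssl-inspection"}}


def audit_port_pairs(pairs, port_uses, ha_role=None):
    """Return a list of (subject, code, detail) findings for a port-pair table."""
    findings = []
    sources_by_dest = defaultdict(list)
    directions = {(p["source"], p["destination"]) for p in pairs}

    for p in pairs:
        name = f'{p["source"]}->{p["destination"]}'
        ports = (p["source"], p["destination"])
        sources_by_dest[p["destination"]].append(p["source"])

        if p["operation"] == "Forward":
            findings.append((name, "UNINSPECTED",
                             "Forward mode: traffic is forwarded without any inspection"))
            if any("ssl-inspection" in port_uses.get(port, ()) for port in ports):
                findings.append((name, "SSL_NEEDS_PROCESS",
                                 "SSL inspection ports must operate in Process mode"))

        if p["failure_mode"] == "Fail-Open":
            for port in ports:
                for use in sorted(FAIL_OPEN_CONFLICTS & set(port_uses.get(port, ()))):
                    findings.append((name, "FAIL_OPEN_CONFLICT",
                                     f"{port} is used for {use}, not allowed with Fail-Open"))
            if ha_role == "primary":
                findings.append((name, "HA_PRIMARY_FAIL_OPEN",
                                 "Fail-Close on the primary moves the data path to the secondary"))
        elif ha_role == "secondary":
            findings.append((name, "HA_SECONDARY_FAIL_CLOSE",
                             "consider Fail-Open so that failure of both devices does not drop traffic"))

    # A destination shared by several sources needs an explicit reverse entry,
    # otherwise traffic transmitted in the opposite direction is ignored.
    for dest, sources in sorted(sources_by_dest.items()):
        if len(sources) > 1 and not any((dest, s) in directions for s in sources):
            findings.append((dest, "REVERSE_UNDEFINED",
                             f"shared by {', '.join(sources)}; define a Destination Port for source {dest}"))
    return findings


if __name__ == "__main__":
    for finding in audit_port_pairs(SAMPLE_PAIRS, SAMPLE_USES, ha_role="primary"):
        print(*finding, sep=" | ")
```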

To configure SSL inspection
1. In the Configuration perspective Networking tab navigation pane, select SSL Inspection.
2. Do one of the following:
   To add an SSL inspection physical port, click the (Add) button.
   To edit a port, double-click the row.
3. Configure SSL inspection physical port settings and click OK.
4. Configure SSL inspection Layer 4 port settings.

Table 133: SSL Inspection Physical Port Parameters

Parameter

Description

Incoming Port

The scanning port that was configured for one of the traffic directions.

Port towards AppXcel

The port that is used for SSL acceleration.
This port must be dedicated to the SSL acceleration and cannot be used for
other purposes, such as static forwarding or network interface.

Configuring SSL Inspection Layer 4 Ports for DefensePro


Notes:
>> This solution (configuring SSL-based protection with AppXcel) is deprecated.
>> This solution is not supported in DefensePro x06 models.

To configure SSL inspection Layer 4 ports
1. In the Configuration perspective Networking tab navigation pane, select SSL Inspection >
   L4 Ports.
2. Do one of the following:
   To add an SSL inspection Layer 4 port, click the (Add) button.
   To edit a port, double-click the row.
3. Configure SSL inspection Layer 4 port settings and click OK.

Table 134: SSL Inspection Layer 4 Port Parameters

Parameter

Description

TCP Incoming Port

The SSL service port of the original traffic.
This TCP port is used for forwarding SSL sessions.

TCP Port towards AppXcel

The corresponding service port that AppXcel uses for decrypted sessions.
This HTTP port is used after decryption.

IPv6 Support in AppDirector


AppDirector supports dual-stack IPv6 and IPv4 environments, including IPv4/IPv6 gateway
functionality.
AppDirector is certified for compliance with the IPv6 Ready logo Phase 1 requirements.

AppDirector application delivery capabilities, including Layer 4 and Layer 7 traffic management,
application acceleration (SSL offload, caching, compression), global traffic redirection, and high
availability (health monitoring, VRRP failover), are supported for the following types of traffic:

Pure IPv4: IPv4 client to IPv4 servers

Pure IPv6: IPv6 client to IPv6 servers

Mixed (gateway):
   IPv4 client to IPv4 and/or IPv6 servers
   IPv6 client to IPv4 and/or IPv6 servers

Unless otherwise specified, the various IP objects in the AppDirector configuration can accept both
IPv4 and IPv6 addresses.

Chapter 7 Managing AppShape-Template Instances

Use AppShape templates to accelerate, simplify, and optimize the configuration of Alteon ADC
devices for deployments of the following business applications:

SAP Portal: For an SAP portal that supports ASLR version 1.2.

SharePoint: For Microsoft SharePoint Server 2010.

AppShape supports an application-centric view, including management screens, and compliance.
This results in simplified and efficient application management in the ADC.
Each AppShape instance automatically checks for changes in application resources and
automatically synchronizes them to the ADC.
When you configure an instance of an AppShape template, you specify an Alteon device that the
APSolute Vision server is managing. After you specify the Alteon device, you configure a small set of
parameters. The AppShape template sets and configures all the required ADC options, which are
tailored for the specific business application. APSolute Vision periodically validates and synchronizes
the device configuration to the AppShape template.

Note: When you specify the Alteon device for the AppShape instance the device can be
unlocked. However, to configure the parameters, submit, and apply the configuration,
the Alteon device must be locked (as with any configuration change to a device
managed in APSolute Vision).

To view the basic parameters of AppShape instances that APSolute Vision is managing

In the Configuration perspective system pane, select the AppShapes tab.

Table 135: Basic Parameters of AppShape Instances in APSolute Vision

| Parameter | Description |
|---|---|
| Instance Name | The name of the AppShape instance. Note: You can change the name in the configuration of the instance on the device. |
| Configuration Validation | The latest-known status that specifies whether the AppShape instance is synchronized with the AppShape template. |
| Last Validation | The last time that the configuration of the device was synchronized with the AppShape template. |
| Device Name | The name of the device on which the AppShape instance is deployed. |
| Virtual Address | The virtual IP address of the service. |


To view the configuration of an existing AppShape instance on a specific device

1. In the Asset Management perspective system pane, select AppShape. The AppShape tab is
displayed.
2. Select the row with the device whose configuration you want to view.
3. Click Configure and View AppShape Instance.

Related Topics
SAP Message Server Automated Configuration Parameters, page 264

Configuring an SAP Portal AppShape Instance


An SAP Portal automates the configuration of an AppShape instance on an Alteon device. You can
configure up to four SAP Portal connections in an AppShape instance.
After you enable and configure the SAP Portal connection, you must configure an SAP Message
Server Automated Configuration scheduled task. The task periodically polls the SAP Portal and
updates the Alteon-device configuration.
The following diagram shows an APSolute Vision server, an Alteon device, and an example SAP
Portal configuration supporting two servers in a single host and two ports.

Figure 33: APSolute Vision Server, Alteon Device, and SAP Portal
[Diagram labels: APSolute Vision, Management, Client, ADC (VIP 1.1.1.1), ASLR, SAP Portal,
SAP Servers (Host: 10.203.100.100; Ports: 50000, 50200)]

The SAP Portal AppShape generates the following configurations:

SLB Configuration - The global parameters, slb on and direct enabled, are mandatory.
APSolute Vision automatically generates the server list. The logic removes or adds entries based
on the SAP servers list, verifying the ports, the addresses, and the weights. APSolute Vision
creates a single group supporting both HTTP and HTTPS entries. Index 1 is the default, but the
device can use other indexes based on the HTTP service group index. The HTTP service redirects
to HTTPS. The user can remove the redirection flag. The HTTPS application service supports
HTTP compression and modification. The HTTPS SSL application service uses the user-defined
certificate and the generated SSL policy. To maintain persistency, the pbind insert cookie is
activated (mandatory).

Compression Policy Configuration.

The Compression Policy configuration enables compression and creates a default policy.

The compression level is 1. The compression level is a recommendation; the user can set an
alternate value.


SSL Configuration.

By default, SSL offloading is enabled.

The SSL configuration enables SSL offloading and creates the SSL policy accordingly. APSolute
Vision uses the SSL certificate that is specified in the configuration. The automated logic (that is,
the daemon) enforces convert to disabled.

Layer 7 Modification Configuration.

HTTP modification is vital in supporting the SAP portal.

The APSolute Vision mechanism enforces both the rules and the modification action, which are
required since Alteon replaces the service port (443) with the server port.

To configure an SAP Portal AppShape instance

1. In the Configuration perspective system pane, AppShapes tab, select AppShape > SAP Portal.
2. In the SAP Portal tab, to add an entry to the table:
   a. Click the (Add) button.
   b. In the Create AppShape dialog box, from the Device Name drop-down list, select the
      device on which to instantiate the AppShape template. The Device Name drop-down list
      contains all compatible Alteon devices: standalone, VA, and vADC devices. However, the
      list does not filter out the devices that are not locked. To configure the instance, the
      device must be locked.
   c. Click OK.
3. Click Configure and View AppShape Instance.
4. Configure the parameters; and then, click (Submit).

Table 136: SAP Portal AppShape Parameters

| Parameter | Description |
|---|---|
| Section: SAP Portal AppShape Instance | |
| Last Validation | (Read-only) The last time, in yyyy-MM-dd hh:mm:ss.f format, that the configuration of the device was synchronized with the AppShape template. |
| Name | The name of the AppShape instance. |
| Virtual Address | The virtual IP address of the service. |
| Section: Application Servers | |
| Message Server Auto-Discovery | Specifies whether the SAP Message Server uses autodiscovery. Default: Disabled |
| Address/Port table (The table is displayed only when the Message Server Auto-Discovery checkbox is cleared.) | Contains the addresses and ports of each real server. Click the (Add) button to add a new server. For information on configuring real servers, see |
| Section: Message Server Connection Settings (The group box and the parameters in it are displayed only when the Message Server Auto-Discovery checkbox is selected.) | |
| Host Name | The DNS name or IPv4 address of the SAP Message Server. |
| Port | The listening port of the SAP Message Server. Maximum characters: 30. Default: 8101 |
| Section: Load Balancing Settings | |
| SLB Metric | The SLB metric used to select the next server in the group. Default: Round Robin. Note: If you choose a value other than the default, AppShape always uses the default value for any additional, specifically related parameter. For example, if the value of SLB Metric is Min Misses, the specifically related Minmiss Hash is always the default 24 Bits. For more information on the SLB Metric, see Configuring Server Groups for Virtual Services, page 392. |
| Health Check | The type of content that is examined during health checks. The content depends on the type of health check. Default: TCP |
| Section: HTTP | |
| Compression | Specifies whether the HTTP profile uses compression. Default: Enabled |
| Section: SSL | |
| SSL Acceleration | Specifies whether SSL offloading is enabled for acceleration. Default: Enabled |
| Server Certificate (This parameter is displayed only when the Enable checkbox is selected.) | The name of the SSL certificate. To view the existing SSL certificates, click the button. Then, to edit an SSL certificate in the dialog box, double-click it. For information on configuring SSL certificates, see Managing the Certificate Repository, page 472. |


Configuring a SharePoint AppShape Instance


To configure a SharePoint AppShape instance

1. In the Configuration perspective system pane, AppShapes tab, select AppShape >
SharePoint.
2. In the SharePoint tab, to add an entry to the table:
   a. Click the (Add) button.
   b. In the Create AppShape dialog box, from the Device Name drop-down list, select the
      device on which to instantiate the AppShape template. The Device Name drop-down list
      contains all compatible Alteon devices: standalone, VA, and vADC devices. However, the
      list does not filter out the devices that are not locked. To configure the instance, the
      device must be locked.
   c. Click OK.
3. Click Configure and View AppShape Instance.
4. Configure the parameters; and then, click (Submit).

Table 137: SharePoint AppShape Parameters

| Parameter | Description |
|---|---|
| Section: SharePoint AppShape Instance | |
| Last Validation | (Read-only) The last time, in yyyy-MM-dd hh:mm:ss.f format, that the configuration of the device was synchronized with the AppShape template. |
| Name | The name of the AppShape instance. |
| Virtual Address | The virtual IP address of the service. |
| Section: Application Servers | |
| Address/Port table | Contains the addresses and ports of each real server configured for the SharePoint server. Click the (Add) button to add a new server. For information on configuring real servers, see |
| Section: Load Balancing Settings | |
| SLB Metric | The SLB metric used to select the next server in the group. Default: Round Robin. Note: If you choose a value other than the default, AppShape always uses the default value for any additional, specifically related parameter. For example, if the value of SLB Metric is Min Misses, the specifically related Minmiss Hash is always the default 24 Bits. For more information on the SLB Metric, see Configuring Server Groups for Virtual Services, page 392. |
| Health Check | The type of content that is examined during health checks. The content depends on the type of health check. Default: TCP |
| Section: HTTP | |
| Caching | Specifies whether the HTTP profile uses caching. Default: Enabled |
| Compression | Specifies whether the HTTP profile uses compression. Default: Enabled |
| Connection Management | Specifies whether the HTTP profile uses connection management. If enabled, you must configure the proxy IP address. Default: Enabled |
| PIP (This button is displayed only when the Connection Management checkbox is selected.) | Opens the Add New Proxy IP dialog box. For information on adding a new proxy IP address, see Configuring Proxy IP, page 367. |
| Section: SSL | |
| SSL Acceleration | Specifies whether SSL offloading is enabled for acceleration. Default: Enabled |
| Server Certificate (This parameter is displayed only when the Enable checkbox is selected.) | The name of the SSL certificate. To view the existing SSL certificates, click the button. Then, to edit an SSL certificate in the dialog box, double-click it. For information on configuring SSL certificates, see Managing the Certificate Repository, page 472. |


Chapter 8 - Managing Device Operations and Maintenance

Use the APSolute Vision Monitoring perspective for operation and maintenance of managed devices:

Rebooting a Managed Device

Shutting Down a Managed Device

Enabling and Disabling APSolute Vision Monitoring

Viewing and Setting Device Date and Time

Upgrading Device Software

Downloading a Device's Log File to the APSolute Vision Client

Updating a Radware Signature File or RSA Signature File in DefensePro Devices

Downloading a Device's Technical Support File to the APSolute Vision Client

Managing Device Configurations

Updating Policy Configurations

Checking Device Memory Availability

Purging AppDirector HTTP and OCPF Caches

Resetting the Baseline for DefensePro Devices

Enabling and Disabling Interfaces

Rebooting a Managed Device


Some configuration changes on the device require a device reboot for the configuration to take
effect. This is indicated by a Reboot required notification in the Properties pane. You can activate
the device reboot from APSolute Vision.

Note: You can schedule device reboots in the APSolute Vision scheduler. For more information,
see Managing Tasks in the Scheduler, page 256.

To reboot a managed device

1. In the Monitoring perspective system pane, right-click the device name and select Reboot.
2. Click Yes in the Confirmation Required dialog box.


Shutting Down a Managed Device


You can activate a device shutdown from APSolute Vision.

Note: This feature applies only to OnDemand Switch platforms.

To shut down a managed device

1. In the Monitoring perspective system pane, right-click the device name and select Shutdown.
2. Click Yes in the Confirmation Required dialog box.

Enabling and Disabling APSolute Vision Monitoring


APSolute Vision monitoring is available by default. When enabled, APSolute Vision polls the
managed device for its status and collects device statistics.
You might want to disable APSolute Vision monitoring when testing, or when using the device in a
non-production environment.
When you disable APSolute Vision monitoring for a device:

APSolute Vision stops polling the device for its status.

The device icon in the system pane (for AppDirector, for Alteon, and for DefensePro) includes a
small question mark (?).

The Alerts pane does not receive alerts from the device.

The device node in the sites tree does not include the device entities (for example, ports and
trunks).

Monitoring perspective tabs are unavailable.

DefensePro real-time and historical reports are not collected.

To enable APSolute Vision monitoring


In the Monitoring perspective system pane, right-click the device name and select Enable
Vision Monitoring.

To disable APSolute Vision monitoring


In the Monitoring perspective system pane, right-click the device name and select Disable
Vision Monitoring.


Viewing and Setting Device Date and Time


You can view the current date and time on a managed device and you can change its date and time
setting.

To view the date and time on a managed device


In the Monitoring perspective system pane, right-click the device name and select Show Date
& Time.

Note: The date and time display is a snapshot only. It does not change if the dialog box is
left open.

To change the date and time on a managed device


1. In the Monitoring perspective system pane, right-click the device name and select Set Date and
Time.
2. Set the date and/or time as required, and click OK.

Upgrading Device Software


You can upgrade the software version on managed devices from APSolute Vision.
A device upgrade enables the new features and functions on the device without altering the existing
configuration. In exceptional circumstances, new software versions are incompatible with legacy
configuration files from earlier software versions. This most often occurs when attempting to
upgrade from a very old version to the most recently available version.
The software version file must be located on the APSolute Vision client system. APSolute Vision
automatically transfers it to the APSolute Vision server and uploads it to the device. New software
versions require a password, which can be obtained from the Radware corporate Web site. For a
maintenance-only upgrade, the password is not required.
After the device upgrade is complete, you must reboot the device.

Caution: Before upgrading to a newer software version, do the following:


>> Back up the existing configuration file. For more information, see Downloading a
Device's Configuration File, page 249.
>> Ensure that you have configured on the device the authentication details for the protocol
used to upload the file.


To update the device software version

1. In the Monitoring perspective system pane, right-click the device name and select Manage
Software Versions.
2. Configure software upgrade parameters, and click OK.
3. When the device upgrade is complete, reboot the device.

Table 138: Software Upgrade Parameters

| Parameter | Description |
|---|---|
| Upload Via | The protocol used to upload the software file from APSolute Vision to the device. Values: HTTP, HTTPS, TFTP |
| File Name | The name of the file to upload. |
| Software Version | The software version number as specified in the new software documentation. |
| Password | Enter the password received with the new software version, and verify. The password is case sensitive. |

Downloading a Device's Log File to the APSolute Vision Client

You can download a managed device's log file to the APSolute Vision client system. The log file is
automatically generated by the device and contains a report of configuration errors. The log file can
be used for debugging.

To download a device log file

1. In the Monitoring perspective system pane, right-click the device name and select Export Log
File.
2. Configure download parameters, and click OK.

Table 139: Device Log File Download Parameters

| Parameter | Description |
|---|---|
| Download Via | The protocol used to download the log file. Values: HTTP, HTTPS, TFTP |
| File Name | Save the downloaded log file as a text file on the client system. Enter or browse to the location of the saved log file, and select or enter a file name. |

Updating a Radware Signature File or RSA Signature File in DefensePro Devices

You can upload an updated Radware signature file or RSA signature file to a managed device.

Notes:
>> For AppDirector 2.30 and later, you can update a signature file, but only from your client
PC, and only manually (that is, not using a scheduled task).
>> RSA-signature support is available in DefensePro 5.10 and later.
You can upload an updated Radware signature file to a DefensePro device from the following
sources:

Radware.com or the proxy file server that is configured in the Vision Server
Connection configuration - The Alerts pane displays a success or failure notification and
whether the operation was performed using a proxy server.

APSolute Vision client system - The name of the signature file on the client system must be
DEVICE-MACADDRESS.sig.

Note: You can schedule Signature File updates in the APSolute Vision scheduler. For more
information, see Managing Tasks in the Scheduler, page 256.
For more information about using signature files, see the DefensePro User Guide.

To update the signature file of a device


1. In the Monitoring perspective system pane, right-click the device name and select Update
Attack Signature.
2. Configure the parameters, and click OK.

Table 140: Update Device Signature File Parameters for AppDirector

| Parameter | Description |
|---|---|
| Update From | (Read-only) The location of the signature file to upload. For AppDirector, this is Client. APSolute Vision uploads the signature file from the APSolute Vision client system. |
| Upload Via | The protocol used to upload the signature file. Values: HTTP, HTTPS, TFTP |
| File Name | The name of the signature file on the client system. |

Table 141: Update Device Signature File Parameters for DefensePro

| Parameter | Description |
|---|---|
| Signature Type | The type of the signature file to upload to the device. Values: Radware Signatures, RSA Signatures |
| Update From | The location of the signature file to upload. Values: Radware.com - APSolute Vision uploads the signature file directly from Radware.com or from the proxy server that is configured in the Vision Server Connection configuration. Client - APSolute Vision uploads the signature file from the APSolute Vision client system. This option is only available for Radware signatures. |
| Upload Via | The protocol used to upload the signature file. Values: HTTP, HTTPS, TFTP |
| File Name (This parameter is displayed only when Update From Client is selected.) | Name of the signature file on the client system. |

Downloading a Device's Technical Support File to the APSolute Vision Client

For debugging purposes, a managed device can generate a TAR file containing the technical
information that Radware Technical Support requires. The file includes output of various CLI
commands; for example, a printout of the Client table.
You can download a managed device's technical support file to the APSolute Vision client system and
send it to Radware Support.

Note: If you encounter a problem with the APSolute Vision server or APSolute Vision client (as
opposed to the managed device), see the APSolute Vision Administrator Guide.

To download a device's technical support file

1. In the Monitoring perspective system pane, right-click the device name and select Export Tech
Support File.
2. Configure download parameters, and click OK.

Table 142: Device Technical Support File Download Parameters

| Parameter | Description |
|---|---|
| Download Via | The protocol used to download the technical support file. Values: HTTP, HTTPS, TFTP |
| Save As | Save the downloaded technical support file as a text file on the client system. Enter or browse to the location of the saved file, and select or enter a file name. |

Managing Device Configurations


This section describes how to manage configurations of the Radware devices that are configured on
the APSolute Vision server.

Configuration File Content


The configuration file content is divided into two sections:

Commands that require rebooting the device - These include BWM Application
Classification Mode, Application Security status, Device Operation Mode, tuning parameters, and
so on. Copying and pasting a command from this section takes effect only after the device is
rebooted. The section has the heading: The following commands will take effect
only once the device has been rebooted!

Commands that do not require rebooting the device - Copying and pasting a command
from this section takes effect immediately after pasting. The commands in the section are not
bound to SNMP. The section has the heading: The following commands take effect
immediately upon execution!

The commands are printed within each section in the order of implementation.
At the end of the file, the device prints the signature of the configuration file. This signature is used
to verify the authenticity of the file and that it has not been corrupted. The signature is validated
each time the configuration file is uploaded to the device. If the validity check fails, the device
accepts the configuration, but a notification is sent to the user that the configuration file has been
tampered with and there is no guarantee that it works. The signature looks like File Signature:
063390ed2ce0e9dfc98c78266a90a7e4.
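
Because the device accepts a configuration file even when its signature check fails, the following added example (not from this guide or from the product) shows one way to keep an independent integrity record of an exported file and to check it before a restore. It assumes each section heading appears on a single line of the file; the command lines are constructed placeholders, and the SHA-256 manifest is an operator-side control, not the device's File Signature algorithm, which this guide does not specify.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Section headings and signature line format as quoted in the guide.
REBOOT_HEADING = ("The following commands will take effect "
                  "only once the device has been rebooted!")
IMMEDIATE_HEADING = ("The following commands take effect "
                     "immediately upon execution!")
SIGNATURE_RE = re.compile(r"File Signature:\s*([0-9A-Fa-f]+)\s*$")

# Constructed sample. The command lines are placeholders, not real device CLI,
# and the "! " prefix on headings is an assumption (headings are matched by
# substring). The signature is the illustrative value printed in the guide.
SAMPLE_CONFIG = """\
! The following commands will take effect only once the device has been rebooted!
constructed-reboot-command-1
constructed-reboot-command-2

! The following commands take effect immediately upon execution!
constructed-immediate-command-1
constructed-immediate-command-2

File Signature: 063390ed2ce0e9dfc98c78266a90a7e4
"""


@dataclass
class ParsedConfig:
    reboot_commands: List[str] = field(default_factory=list)
    immediate_commands: List[str] = field(default_factory=list)
    signature: Optional[str] = None


def parse_config(text: str) -> ParsedConfig:
    """Split a configuration file into its two sections and the signature."""
    parsed = ParsedConfig()
    current = None  # list that receives command lines, once a heading is seen
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if REBOOT_HEADING in line:
            current = parsed.reboot_commands
        elif IMMEDIATE_HEADING in line:
            current = parsed.immediate_commands
        else:
            match = SIGNATURE_RE.search(line)
            if match:
                parsed.signature = match.group(1).lower()
                current = None  # nothing after the signature is a command
            elif current is not None:
                current.append(line)
    return parsed


def _sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def manifest_entry(text: str) -> dict:
    """Record to store away from the backup itself at download time."""
    parsed = parse_config(text)
    return {
        "file_sha256": _sha256(text),
        "reboot_sha256": _sha256("\n".join(parsed.reboot_commands)),
        "immediate_sha256": _sha256("\n".join(parsed.immediate_commands)),
        "device_signature": parsed.signature,
    }


def check_before_restore(text: str, recorded: dict) -> List[str]:
    """Compare a file about to be uploaded with its recorded manifest entry."""
    current = manifest_entry(text)
    findings = []
    if current["device_signature"] is None:
        findings.append("no File Signature line found")
    if current["file_sha256"] == recorded["file_sha256"]:
        return findings
    findings.append("file differs from the copy recorded at download time")
    for key, label in (("reboot_sha256", "reboot-required"),
                       ("immediate_sha256", "immediate")):
        if current[key] != recorded[key]:
            findings.append(f"{label} section changed")
    # Edited commands under an untouched signature line are what the device
    # would only warn about while still accepting the configuration.
    if (current["device_signature"] is not None
            and current["device_signature"] == recorded["device_signature"]):
        findings.append("embedded File Signature unchanged although content changed")
    return findings


if __name__ == "__main__":
    entry = manifest_entry(SAMPLE_CONFIG)
    edited = SAMPLE_CONFIG.replace("constructed-immediate-command-2",
                                   "constructed-immediate-command-X")
    for finding in check_before_restore(edited, entry):
        print(finding)
```

An empty findings list means the file is byte-for-byte the copy that was recorded at download time.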

Downloading a Device's Configuration File

You can download a device's configuration file from the device to APSolute Vision for backup.
Whether you choose to download to the APSolute Vision server or client system, a copy is always
saved in the APSolute Vision database.
For AppDirector in an active-backup configuration, you can send a device's configuration file to a
backup device. Or, for AppDirector in an active-active configuration, you can send a device's
configuration file to a peer device.

By default, you can save up to five (5) configuration files per device on the APSolute Vision server.
You can change this parameter in the APSolute Vision Setup page up to a maximum of 10. When the
limit is reached, you are prompted to delete the oldest file. For more information, see the APSolute
Vision Administrator Guide.

Note: You can schedule configuration file backups in the APSolute Vision scheduler. For more
information, see Managing Tasks in the Scheduler, page 256.

To download a device's configuration file

1. In the Monitoring perspective system pane, right-click the device name and select Export
Configuration File from Device.
2. Configure the download parameters; and then, click Save.

Table 143: Device Configuration File Download Parameters

| Parameter | Description |
|---|---|
| Download to | Where to back up the device configuration file. Values: Client, Server |
| Download Via | The protocol used to download the configuration file. Alteon value: HTTPS. AppDirector and DefensePro values: HTTP, HTTPS, TFTP |
| Save As | Save the downloaded configuration file as a text file on the client system. On the server, the default name is a combination of the device name and backup date and time. You can change the default name. |
| Type (This parameter is available only in AppDirector, and only in AppDirector versions after 1.07.12.) | An Alteon or AppDirector device can generate configuration files for itself, its peer device (active-active configuration), and its backup device (active-backup configuration). You can select any of these files for download. Other device types generate configuration files only for the device itself. Values: Device, Peer, Backup |
| Passphrase (This parameter is available only in Alteon devices.) | The passphrase. |
| Include Private Keys (This parameter is available only in Alteon and AppDirector 2.11 and later.) | When enabled, the certificate private key information is included in the downloaded file. You must include the private key information to restore the private keys; otherwise, the device reverts to default keys. |

Restoring a Device's Configuration

You can restore a managed device's configuration file from a backup configuration file on the
APSolute Vision server or client system to the managed device. When you upload the configuration
file to the device, it overwrites the existing device configuration.
After the restore operation is complete, you must reboot the device.

To restore a device's configuration

1. In the Monitoring perspective system pane, right-click the device name and select Import
Configuration File to Device.
2. Configure upload parameters, and click OK.
3. When the upload completes, reboot the device.

Table 144: Device Configuration File Upload Parameters

| Parameter | Description |
|---|---|
| Upload from | The location of the backup device configuration file to send. Values: Client, Server |
| Upload Via | The protocol used to upload the configuration file. Alteon value: HTTP. AppDirector and DefensePro values: HTTP, HTTPS, TFTP |
| File for Upload | When uploading from the client system, enter or browse to the name of the configuration file to upload. When uploading from the server, select the configuration to upload. |
| Passphrase (This parameter is available only with Alteon devices.) | The passphrase. |

Synchronizing AppDirector Configurations


When AppDirector devices are organized in a cluster, you can synchronize the active device
configuration on the main device with backup devices in the cluster, if the devices are of the same
platform, version, and license.

Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.

This feature works only if Online Configuration Synchronization is enabled. For information on Online
Configuration Synchronization, see Online Configuration Synchronization, page 206.

Note: You can schedule configuration file backups in the APSolute Vision scheduler. For more
information, see Managing Tasks in the Scheduler, page 256.

To synchronize an AppDirector device configuration

1. In the Monitoring perspective system pane, right-click a main device in the cluster and select
Synchronize Device Configuration.
2. Configure synchronization parameters, and click OK.

When synchronization completes, the backup device is rebooted.

Table 145: Synchronize Device Configuration Parameters

| Parameter | Description |
|---|---|
| File Type | The AppDirector device stores separate configuration files for a peer device (in an active-active configuration), and a backup device (in an active-backup configuration). Select which configuration file to use for the synchronization. Values: Peer, Backup |
| Include Private Keys | When enabled, the certificate private key information is included in the synchronization. |
| Backup Device | (Read-only) The backup device that is being synchronized. |

Updating Policy Configurations


You can apply the following configuration changes to a managed device in a single operation:

Network security policy

Server security policy

ACL policy

White list

Black list (relevant for DefensePro only)

Classes

To update policy configurations on a managed device

1. In the Monitoring perspective system pane, right-click the device name and select Update
Policies.
2. Click Yes in the Confirmation dialog box.


Checking Device Memory Availability


You can check whether a managed device has enough memory before you change any tuning
parameters, including NAT tuning.

To check device memory availability


In the Monitoring perspective system pane, right-click the device name and select Check
Available Memory. A message box is displayed, which notifies you whether there is enough
memory on the device, or, if not, how much memory is required.

Purging AppDirector HTTP and OCPF Caches


You can purge the HTTP and OCPF cache on an AppDirector device in version 2.14 and later.

To purge an HTTP or OCPF cache on an AppDirector device


1. In the Monitoring perspective system pane, right-click the device name and select one of the
following:

Purge HTTP Cache

Purge OCPF Cache

2. Click OK.

Resetting the Baseline for DefensePro Devices


Resetting baseline-learned statistics clears the baseline traffic statistics and resets default normal
baselines. Reset the baseline statistics only when the characteristics of the protected network have
changed entirely and bandwidth quotas need to be changed to accommodate the network changes.
You can reset the baseline for all the network policy rules that contain a BDoS or DNS Protection
profile, or for a selected network policy rule that contains a BDoS or DNS Protection profile.
For information about configuring network-protection policy rules, see the DefensePro User Guide.

To reset BDoS baseline statistics


1. In the Monitoring perspective system pane, right-click the device name and select Reset BDoS
Baseline.
2. Select whether to reset the baseline for all network policy rules that contain a BDoS profile, or
for a specific network-protection rule that contains a BDoS profile; and then, click OK.


To reset DNS baseline statistics

1. In the Monitoring perspective system pane, right-click the device name and select Reset DNS
Baseline.
2. Select whether to reset the baseline for all network policy rules that contain a DNS profile, or for
a specific network-protection rule that contains a DNS profile; and then, click OK.

Enabling and Disabling Interfaces


You can enable and disable interfaces from the Monitoring perspective. In AppDirector, you can
enable and disable device ports and trunks, and VLANs. In DefensePro, you can enable and disable
device ports and trunks.

To enable an interface
1.

In the Monitoring perspective system pane, select the relevant device.

2.

Expand the node in the tree to display the interfaces.

3.

Right-click the interface name and select Enable.

Note: If the interface is already enabled, this option is unavailable.

To disable an interface

1. In the Monitoring perspective system pane, select the relevant device.
2. Expand the node in the tree to display the interfaces.
3. Right-click the interface name and select Disable.

Note: If the interface is already disabled, this option is unavailable.


Chapter 9 Scheduling APSolute Vision and Device Tasks

The following topics describe how to schedule APSolute Vision and device operations in the APSolute
Vision Scheduler:

Overview of Scheduling

Managing Tasks in the Scheduler

Overview of Scheduling
You can schedule various operations for the APSolute Vision server and managed devices. Scheduled
operations are called tasks.
The APSolute Vision scheduler tracks when tasks were last performed and when they are due to be
performed next. When you configure a task for multiple devices, the task runs on each device
sequentially. After the task completes on one device, it begins on the next. If the task fails to
complete on a device, the Scheduler will activate the task on the next listed device.
Scheduled tasks run according to the time as configured on the APSolute Vision client.

Caution: If the APSolute Vision client timezone differs from the timezone of the APSolute Vision
server or the managed device, take the time offset into consideration.
When you define a task, you can choose whether to enable or disable the task. All configured tasks
are stored in the APSolute Vision database.
You can define the following types of scheduled tasks:

Back up the APSolute Vision server configuration

Back up a device configuration

Back up the APSolute Vision Reporter data

Reboot a device

Validate the AppShape SharePoint configuration

Validate the AppShape SAP Portal configuration and poll the SAP Message Servers

Synchronize the AppDirector-device configuration with backup device

Update the Radware signature file onto a DefensePro device from Radware.com or the proxy
server

Update the RSA signature file onto a DefensePro device from Radware.com or the proxy server

Update the APSolute Vision Attack Description file from Radware.com or the proxy server

Note: You can perform some of the operations manually, from the Monitoring perspective.


Managing Tasks in the Scheduler


The Scheduler window is the starting point for viewing and configuring tasks, which are scheduled
operations.
The Tasks table displays the following information for each configured task.

Parameter: Description

Name: The name of the configured task.
Task Type: The type of task to be performed.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task is saved in the database.
Schedule: The frequency at which the task is performed; for example, daily or weekly. The schedule start date is displayed, if it has been defined.
Last Execution Status: Whether the last task run was successful. When the task is disabled, or has not yet started, the status is Never Executed.
Last Execution Time: The date and time of the last task run. When the task is disabled, or has not yet started, this field is empty.
Next Execution Time: The date and time of the next task run. When the task is disabled, this field is empty.
Description: The user-defined description of the task.

To configure a task schedule


1. In the Configuration perspective main toolbar, click the (Scheduler) button. The Tasks table
displays information for each scheduled task.
2. To add or edit a task:
   To add a new task, click the (Add) button. Select the type of task, and click OK. The
   dialog box for the selected task type is displayed.
   To edit a task, double-click the entry in the table.
3. Configure task parameters, and click OK. All task configurations include basic parameters and
scheduling parameters. Other parameters depend on the type of task selected.
   APSolute Vision Configuration Backup
   APSolute Vision Reporter Backup
   AppShape SharePoint Configuration Validation

To run an existing task


1. In the Configuration perspective main toolbar, click the (Scheduler) button. The Tasks table
displays information for each scheduled task.
2. Right-click the required task; and then, click Run Task.

Task Parameters
Set the following parameters to configure tasks in the Scheduler:

APSolute Vision Configuration Backup

APSolute Vision Reporter Backup

AppShape SharePoint Configuration Validation

Device Configuration Backup Parameters

Device Reboot Parameters

SAP Message Server Automated Configuration Parameters

Synchronize Active Device Configuration Parameters

Update RSA Signatures File Parameters

Update Radware Security Signatures Files for a Device

Update APSolute Vision Attack Description File Parameters

APSolute Vision Configuration Backup


This task creates a backup of the APSolute Vision configuration in the specified location.
Each backup includes the following:

The APSolute Vision system configuration

The local users

The managed devices

The host IP addresses in the database-viewer list

The task does not back up the following:

The password of the radware user of the APSolute Vision server appliance

The IP address/es of the APSolute Vision server appliance

The DNS address/es of the APSolute Vision server appliance

The network routes of the APSolute Vision server appliance

Attack data

The system stores up to five configuration-backup iterations. After the fifth configuration-backup,
the system deletes the oldest one.

Note: For information on managing the backups using CLI, see the APSolute Vision
Administrator Guide.

Parameter: Description

Basic Parameters
Name: A unique name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters.
  Values:
    Once: The task is performed one time only at the specified date and time.
    Minutes: The task is performed at intervals of the specified number of minutes between task starts. The minimum interval is 60 minutes.
    Daily: The task is performed daily at the specified time.
    Weekly: The task is performed every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.

Schedule Period
Run Always: Specifies whether the task always runs or only during the defined period.
  Values:
    Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
    Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date, Start Time: The date and time at which the task is activated.
End Date, End Time: The date and time after which the task no longer runs.

Parameters
Protocol: The protocol that APSolute Vision uses for this task.
  Values: FTP, SCP, SFTP, SSH
  Default: FTP

Destination
IP Address: The IP address of the server.
Directory: The path to the export directory.
Backup File Name: The name of the backup, up to 15 characters, with no spaces. Only alphanumeric characters and underscores (_) are allowed.
User: The username.
Password: The user password.
Verify Password: The user password.

APSolute Vision Reporter Backup


This task creates a backup of the APSolute Vision Reporter data in the specified location. The backup
includes all the APSolute Vision Reporter data.
The system stores up to three iterations of the APSolute Vision Reporter data. After the third
reporter-backup, the system deletes the oldest one.

Note: For information on managing the backups using CLI, see the APSolute Vision
Administrator Guide.

Parameter: Description

Basic Parameters
Name: A unique name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters.
  Values:
    Once: The task is performed one time only at the specified date and time.
    Minutes: The task is performed at intervals of the specified number of minutes between task starts. The minimum interval is 60 minutes.
    Daily: The task is performed daily at the specified time.
    Weekly: The task is performed every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.

Schedule Period
Run Always: Specifies whether the task always runs or only during the defined period.
  Values:
    Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
    Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date, Start Time: The date and time at which the task is activated.
End Date, End Time: The date and time after which the task no longer runs.

Parameters
Protocol: The protocol that APSolute Vision uses for this task.
  Values: FTP, SCP, SFTP, SSH
  Default: FTP

Destination
IP Address: The IP address of the server.
Directory: The path to the export directory.
Backup File Name: The name of the backup, up to 15 characters, with no spaces. Only alphanumeric characters and underscores (_) are allowed.
User: The username.
Password: The user password.
Verify Password: The user password.

AppShape SharePoint Configuration Validation


The AppShape SharePoint Configuration Validation task checks whether the AppShape SharePoint
instances on the specified devices conform to the AppShape SharePoint template.


Parameter: Description

Basic Parameters
Name: A unique name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters.
  Values:
    Once: The task is performed one time only at the specified date and time.
    Minutes: The task is performed at intervals of the specified number of minutes between task starts. The minimum interval is 60 minutes.
    Daily: The task is performed daily at the specified time.
    Weekly: The task is performed every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.

Schedule Period
Run Always: Specifies whether the task always runs or only during the defined period.
  Values:
    Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
    Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date, Start Time: The date and time at which the task is activated.
End Date, End Time: The date and time after which the task no longer runs.

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the Alteon devices on which this task runs.


Device Configuration Backup Parameters


Note: By default, you can save up to five (5) configuration files per device on the APSolute
Vision server. You can change this parameter in the APSolute Vision Setup tab. For more
information, see the APSolute Vision Administrator Guide.

Parameter: Description

Basic Parameters
Name: A unique name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters.
  Values:
    Once: The task is performed one time only at the specified date and time.
    Minutes: The task is performed at intervals of the specified number of minutes between task starts. The minimum interval is 60 minutes.
    Daily: The task is performed daily at the specified time.
    Weekly: The task is performed every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.

Schedule Period
Run Always: Specifies whether the task always runs or only during the defined period.
  Values:
    Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
    Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date, Start Time: The date and time at which the task is activated.
End Date, End Time: The date and time after which the task no longer runs.

Configuration Type (AppDirector only)
File Type (This parameter is not available in AppDirector versions prior to 2.x.): The AppDirector device stores separate configuration files for itself, its peer device (for an active-active configuration), and its backup device (for an active-backup configuration). Select which configuration file to back up.
  Values: Device, Peer, Backup

Communication Parameters (Not Relevant for Alteon Devices)
Note: This group box and the parameter in it are not relevant for Alteon devices. Alteon devices support only HTTPS for this task.
Protocol: The protocol that APSolute Vision uses for this task.
  Values: HTTPS, TFTP
  Default: HTTPS

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the devices whose configurations this task
backs up.

Device Reboot Parameters


Parameter: Description

Basic Parameters
Name: A unique name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters.
  Values:
    Once: The task is performed one time only at the specified date and time.
    Minutes: The task is performed at intervals of the specified number of minutes between task starts. The minimum interval is 60 minutes.
    Daily: The task is performed daily at the specified time.
    Weekly: The task is performed every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.

Schedule Period
Run Always: Specifies whether the task always runs or only during the defined period.
  Values:
    Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
    Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date, Start Time: The date and time at which the task is activated.
End Date, End Time: The date and time after which the task no longer runs.

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the devices that this task reboots.

SAP Message Server Automated Configuration Parameters


You can configure up to four SAP message-server connections. An SAP Portal AppShape instance
automates the configuration of an Alteon standalone, VA, or vADC.
After you enable and configure the SAP message-server connection, you must configure an SAP
Message Server Automated Configuration scheduled task. The task periodically polls the SAP
Message Server, validates, and, if necessary, updates the configuration of the SAP Portal AppShape
instances on the specified devices.

Note: The frequency range for the SAP Message Server Automated Configuration task is
5–3600 minutes.

Parameter: Description

Basic Parameters
Name: A unique name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters.
  Values:
    Once: The task is performed one time only at the specified date and time.
    Minutes: The task is performed at intervals of the specified number of minutes between task starts. The minimum interval is 60 minutes.
    Daily: The task is performed daily at the specified time.
    Weekly: The task is performed every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.

Schedule Period
Run Always: Specifies whether the task always runs or only during the defined period.
  Values:
    Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
    Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date, Start Time: The date and time at which the task is activated.
End Date, End Time: The date and time after which the task no longer runs.

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the Alteon devices that use the SAP Message
Server connection configured on them to update their configuration accordingly.

Synchronize Active Device Configuration Parameters


Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.


Parameter: Description

Basic Parameters
Name: A unique name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters.
  Values:
    Once: The task is performed one time only at the specified date and time.
    Minutes: The task is performed at intervals of the specified number of minutes between task starts. The minimum interval is 60 minutes.
    Daily: The task is performed daily at the specified time.
    Weekly: The task is performed every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.

Schedule Period
Run Always: Specifies whether the task always runs or only during the defined period.
  Values:
    Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
    Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date, Start Time: The date and time at which the task is activated.
End Date, End Time: The date and time after which the task no longer runs.

Synchronization Parameters
File Type (This parameter is available only in AppDirector versions later than 1.07.12.): The AppDirector device stores separate configuration files for a peer device (in an active-active configuration), and a backup device (in an active-backup configuration). Select which configuration file to use for the synchronization.
  Values: Peer, Backup
Include Private Keys (This parameter is available only in AppDirector versions later than 1.07.12.): When enabled, the certificate private key information is included in the synchronization.
Cluster: Select the AppDirector cluster to synchronize.
Device: Select the device whose configuration will be used for synchronization.

Communication Parameters
Protocol: The protocol that APSolute Vision uses for this task.
  Values: HTTP, HTTPS
  Default: HTTPS

Update RSA Signatures File Parameters


Note: The frequency range for the Update RSA Security Signature task is 10–60 minutes. The
default interval is 60 minutes.

Parameter: Description

Basic Parameters
Name: A unique name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters.
  Values:
    Once: The task is performed one time only at the specified date and time.
    Minutes: The task is performed at intervals of the specified number of minutes between task starts. The minimum interval is 60 minutes.
    Daily: The task is performed daily at the specified time.
    Weekly: The task is performed every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.

Schedule Period
Run Always: Specifies whether the task always runs or only during the defined period.
  Values:
    Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
    Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date, Start Time: The date and time at which the task is activated.
End Date, End Time: The date and time after which the task no longer runs.

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
DefensePro devices with Fraud Protection enabled. The Selected Devices list displays the
DefensePro devices whose RSA signature files this task updates.

Update Radware Security Signatures Files for a Device


Parameter: Description

Basic Parameters
Name: A unique name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters.
  Values:
    Once: The task is performed one time only at the specified date and time.
    Minutes: The task is performed at intervals of the specified number of minutes between task starts. The minimum interval is 60 minutes.
    Daily: The task is performed daily at the specified time.
    Weekly: The task is performed every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.

Schedule Period
Run Always: Specifies whether the task always runs or only during the defined period.
  Values:
    Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
    Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date, Start Time: The date and time at which the task is activated.
End Date, End Time: The date and time after which the task no longer runs.

Communication Parameters
Upload Protocol: The protocol used to upload the updated signature file from APSolute Vision to the device.
  Values: HTTPS, HTTP, TFTP
  Default: HTTPS

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the devices whose Radware signature files this
task updates.


Update APSolute Vision Attack Description File Parameters


Parameter: Description

Basic Parameters
Name: A unique name for the task. Default: The selected task type name. If there are existing tasks that use this name, n is appended to the name, where n is the next available sequential number.
Description: A user-defined description of the task.
Enabled: When selected, the task is performed according to the defined schedule. Disabled tasks are not activated, but the task configuration is saved in the database.

Schedule
Frequency: The frequency at which the task is performed. Select a frequency, then configure the related time and day/date parameters.
  Values:
    Once: The task is performed one time only at the specified date and time.
    Minutes: The task is performed at intervals of the specified number of minutes between task starts. The minimum interval is 60 minutes.
    Daily: The task is performed daily at the specified time.
    Weekly: The task is performed every week on the specified day or days, at the specified time.
  Note: Tasks run according to the time as configured on the APSolute Vision client.

Schedule Period
Run Always: Specifies whether the task always runs or only during the defined period.
  Values:
    Enabled: The task is activated immediately and runs indefinitely, with no start or end time. It runs at the first Time configured with the Frequency in the Schedule group box.
    Disabled: The task runs (at the Time and Frequency specified in the Schedule group box) from the specified Start Date at the Start Time until the End Date at the End Time.
  Default: Enabled
Start Date, Start Time: The date and time at which the task is activated.
End Date, End Time: The date and time after which the task no longer runs.
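
The protocol lists, Minutes-frequency ranges, and Backup File Name rule in the task parameter tables of this chapter can be checked mechanically when reviewing a set of planned tasks. The following Python sketch is an added example, not Radware code: the task records, their field names, and the function names are hypothetical, while the allowed values are the ones documented above. It flags FTP, TFTP, and HTTP, which transfer data unencrypted, wherever the same table lists an encrypted alternative, and raises the severity when Include Private Keys is enabled.

```python
import re

# Protocols that move data (and, for FTP, the login) across the network unencrypted.
CLEARTEXT = {"FTP", "TFTP", "HTTP"}

# Protocol values documented in this chapter, per task type.
PROTOCOLS = {
    "APSolute Vision Configuration Backup": ("FTP", "SCP", "SFTP", "SSH"),
    "APSolute Vision Reporter Backup": ("FTP", "SCP", "SFTP", "SSH"),
    "Device Configuration Backup": ("HTTPS", "TFTP"),
    "Synchronize Active Device Configuration": ("HTTP", "HTTPS"),
    "Update Radware Security Signatures Files": ("HTTPS", "HTTP", "TFTP"),
}

# Allowed interval for the Minutes frequency as (minimum, maximum);
# None means the guide states no maximum.
DEFAULT_MINUTES = (60, None)
MINUTES_RANGE = {
    "SAP Message Server Automated Configuration": (5, 3600),
    "Update RSA Signatures File": (10, 60),
}

# Backup File Name: up to 15 characters, alphanumerics and underscores only.
BACKUP_NAME = re.compile(r"[A-Za-z0-9_]{1,15}")


def audit_task(task):
    """Return (severity, message) findings for one hypothetical task record."""
    findings = []
    ttype = task["type"]
    proto = task.get("protocol")
    allowed = PROTOCOLS.get(ttype)

    if proto is not None and allowed is not None:
        if proto not in allowed:
            findings.append(("error", f"{proto} is not a documented protocol for {ttype}"))
        elif proto in CLEARTEXT:
            safer = " or ".join(p for p in allowed if p not in CLEARTEXT)
            if task.get("include_private_keys"):
                findings.append(("high", f"{proto} would carry certificate private keys "
                                         f"unencrypted; use {safer}"))
            else:
                findings.append(("medium", f"{proto} transfers data unencrypted; use {safer}"))

    name = task.get("backup_file_name")
    if name is not None and not BACKUP_NAME.fullmatch(name):
        findings.append(("error", f"backup file name {name!r} violates the "
                                  "15-character [A-Za-z0-9_] rule"))

    if task.get("frequency") == "Minutes":
        low, high = MINUTES_RANGE.get(ttype, DEFAULT_MINUTES)
        interval = task["interval_minutes"]
        if interval < low or (high is not None and interval > high):
            limit = f"{low}-{high}" if high is not None else f"at least {low}"
            findings.append(("error", f"interval of {interval} minutes is outside the "
                                      f"documented range ({limit})"))
    return findings


def audit_all(tasks):
    """Map each task name to its list of findings."""
    return {t["name"]: audit_task(t) for t in tasks}


# Constructed sample records; the field names are assumptions, not a Vision export format.
SAMPLE_TASKS = [
    {"name": "vision_cfg_nightly", "type": "APSolute Vision Configuration Backup",
     "protocol": "FTP", "backup_file_name": "vision cfg backup 2012", "frequency": "Daily"},
    {"name": "cluster_sync", "type": "Synchronize Active Device Configuration",
     "protocol": "HTTP", "include_private_keys": True,
     "frequency": "Minutes", "interval_minutes": 30},
    {"name": "rsa_update", "type": "Update RSA Signatures File",
     "frequency": "Minutes", "interval_minutes": 60},
    {"name": "sig_update", "type": "Update Radware Security Signatures Files",
     "protocol": "HTTPS", "frequency": "Weekly"},
]

if __name__ == "__main__":
    for task_name, results in audit_all(SAMPLE_TASKS).items():
        for severity, message in results or [("ok", "no findings")]:
            print(f"{task_name}: [{severity}] {message}")
```
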


Radware Ltd. End User License Agreement


By accepting this End User License Agreement (this "License Agreement") you agree to be contacted
by Radware Ltd.'s ("Radware") sales personnel.
If you would like to receive license rights different from the rights granted below or if you wish to
acquire warranty or support services beyond the scope provided herein (if any), please contact
Radware's sales team.
THIS LICENSE AGREEMENT GOVERNS YOUR USE OF ANY SOFTWARE DEVELOPED AND/OR
DISTRIBUTED BY RADWARE AND ANY UPGRADES, MODIFIED VERSIONS, UPDATES, ADDITIONS,
AND COPIES OF THE SOFTWARE FURNISHED TO YOU DURING THE TERM OF THE LICENSE
GRANTED HEREIN (THE "SOFTWARE"). THIS LICENSE AGREEMENT APPLIES REGARDLESS OF
WHETHER THE SOFTWARE IS DELIVERED TO YOU AS AN EMBEDDED COMPONENT OF A RADWARE
PRODUCT ("PRODUCT"), OR WHETHER IT IS DELIVERED AS A STANDALONE SOFTWARE PRODUCT.
FOR THE AVOIDANCE OF DOUBT IT IS HEREBY CLARIFIED THAT THIS LICENSE AGREEMENT
APPLIES TO PLUG-INS, CONNECTORS, EXTENSIONS AND SIMILAR SOFTWARE COMPONENTS
DEVELOPED BY RADWARE THAT CONNECT OR INTEGRATE A RADWARE PRODUCT WITH THE
PRODUCT OF A THIRD PARTY (COLLECTIVELY, "CONNECTORS") FOR PROVISIONING,
DECOMMISSIONING, MANAGING, CONFIGURING OR MONITORING RADWARE PRODUCTS. THE
APPLICABILITY OF THIS LICENSE AGREEMENT TO CONNECTORS IS REGARDLESS OF WHETHER
SUCH CONNECTORS ARE DISTRIBUTED TO YOU BY RADWARE OR BY A THIRD PARTY PRODUCT
VENDOR. IN CASE A CONNECTOR IS DISTRIBUTED TO YOU BY A THIRD PARTY PRODUCT VENDOR
PURSUANT TO THE TERMS OF AN AGREEMENT BETWEEN YOU AND THE THIRD PARTY PRODUCT
VENDOR, THEN, AS BETWEEN RADWARE AND YOURSELF, TO THE EXTENT THERE IS ANY
DISCREPANCY OR INCONSISTENCY BETWEEN THE TERMS OF THIS LICENSE AGREEMENT AND THE
TERMS OF THE AGREEMENT BETWEEN YOU AND THE THIRD PARTY PRODUCT VENDOR, THE TERMS
OF THIS LICENSE AGREEMENT WILL GOVERN AND PREVAIL. PLEASE READ THE TERMS AND
CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE OPENING THE PACKAGE
CONTAINING RADWARE'S PRODUCT, OR BEFORE DOWNLOADING, INSTALLING, COPYING OR
OTHERWISE USING RADWARE'S STANDALONE SOFTWARE (AS APPLICABLE). THE SOFTWARE IS
LICENSED (NOT SOLD). BY OPENING THE PACKAGE CONTAINING RADWARE'S PRODUCT, OR BY
DOWNLOADING, INSTALLING, COPYING OR USING THE SOFTWARE (AS APPLICABLE), YOU
CONFIRM THAT YOU HAVE READ AND UNDERSTAND THIS LICENSE AGREEMENT AND YOU AGREE
TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT. FURTHERMORE, YOU HEREBY WAIVE
ANY CLAIM OR RIGHT THAT YOU MAY HAVE TO ASSERT THAT YOUR ACCEPTANCE AS STATED
HEREINABOVE IS NOT THE EQUIVALENT OF, OR DEEMED AS, A VALID SIGNATURE TO THIS LICENSE
AGREEMENT. IF YOU ARE NOT WILLING TO BE BOUND BY THE TERMS OF THIS LICENSE
AGREEMENT, YOU SHOULD PROMPTLY RETURN THE UNOPENED PRODUCT PACKAGE OR YOU
SHOULD NOT DOWNLOAD, INSTALL, COPY OR OTHERWISE USE THE SOFTWARE (AS APPLICABLE).
THIS LICENSE AGREEMENT REPRESENTS THE ENTIRE AGREEMENT CONCERNING THE SOFTWARE
BETWEEN YOU AND RADWARE, AND SUPERSEDES ANY AND ALL PRIOR PROPOSALS,
REPRESENTATIONS, OR UNDERSTANDINGS BETWEEN THE PARTIES. YOU MEANS THE NATURAL
PERSON OR THE ENTITY THAT IS AGREEING TO BE BOUND BY THIS LICENSE AGREEMENT, THEIR
EMPLOYEES AND THIRD PARTY CONTRACTORS. YOU SHALL BE LIABLE FOR ANY FAILURE BY SUCH
EMPLOYEES AND THIRD PARTY CONTRACTORS TO COMPLY WITH THE TERMS OF THIS LICENSE
AGREEMENT.
1. License Grant. Subject to Section 2 below (if applicable), Radware hereby grants to you, and
you accept, a nonexclusive, nontransferable license to install and use the Software in
machine-readable, object code form only and solely for your internal purposes (Commercial License).
You further agree that you will not assign, sublicense, transfer, pledge, lease, rent or share your
rights under this License Agreement nor will you distribute copies of the Software.

2. Evaluation Use. Notwithstanding anything to the contrary in this License Agreement, if the
Software is provided to you for evaluation purposes, as indicated in your purchase order or sales
receipt, on the website from which You download the Software, as inferred from any
time-limited evaluation license keys that You are provided with to activate the Software, or otherwise,
then You may use the Software only for internal evaluation purposes (Evaluation Use) for a
maximum of 30 days or such other duration as may be specified by Radware in writing at its sole
discretion (the Evaluation Period). The evaluation copy of the Software contains a feature that
will automatically disable it after expiration of the Evaluation Period. You agree not to disable,
destroy, or remove this feature of the Software, and any attempt to do so will be a material
breach of this License Agreement. During or at the end of the evaluation period, you may
contact Radware sales team to purchase a Commercial License to continue using the Software
pursuant to the terms of this License Agreement. If you elect not to purchase a Commercial
License, You agree to stop using the Software and to delete the evaluation copy received
hereunder from all computers under your possession or control at the end of the Evaluation
Period. In any event, your continued use of the Software beyond the Evaluation Period (if
possible) shall be deemed your acceptance of a Commercial License to the Software pursuant to
the terms of this License Agreement, and You agree to pay Radware any amounts due for any
applicable license fees at Radware's then-current list prices.
3. Limitations on Use. You agree that you will not: (a) copy, modify, translate, adapt, or create
any derivative works based on the Software; or (b) sublicense or transfer the Software, or
include the Software or any portion thereof in any product; or (b) reverse assemble, decompile,
reverse engineer or otherwise attempt to derive source code (or the underlying ideas,
algorithms, structure or organization) from the Software; or (c) remove any copyright notices,
identification or any other proprietary notices from the Software (including any notices of Third
Party Software (as defined below); or (d) copy the Software onto any public or distributed
network or use the Software to operate in or as a time-sharing, outsourcing, service bureau,
application service provider, or managed service provider environment. Notwithstanding Section
3(d), if you provide hosting or cloud computing services to your customers, you are entitled to
use and include the Software in your IT infrastructure on which you provide your services.

4. Intellectual Property Rights. You acknowledge and agree that this License Agreement does
not convey to you any interest in the Software except for the limited right to use the Software,
and that all right, title, and interest in and to the Software, including any and all associated
intellectual property rights, are and shall remain with Radware or its third party licensors. You
further acknowledge and agree that the Software is a proprietary product of Radware and/or its
licensors and is protected under applicable copyright law.

5. No Warranty. The Software, and any and all accompanying software, files, libraries, data and
materials, are distributed and provided AS IS by Radware or by its third party licensors (as
applicable) and with no warranty of any kind, whether express or implied, including, without
limitation, any non-infringement warranty or warranty of merchantability or fitness for a
particular purpose. Neither Radware nor any of its affiliates or licensors warrants, guarantees, or
makes any representation regarding the title in the Software, the use of, or the results of the
use of the Software. Neither Radware nor any of its affiliates or licensors warrants that the
operation of the Software will be uninterrupted or error-free, or that the use of any passwords,
license keys and/or encryption features will be effective in preventing the unintentional
disclosure of information contained in any file. You acknowledge that good data processing
procedure dictates that any program, including the Software, must be thoroughly tested with
non-critical data before there is any reliance on it, and you hereby assume the entire risk of all
use of the copies of the Software covered by this License. This disclaimer of warranty constitutes
an essential and material part of this License.
In the event that, notwithstanding the disclaimer of warranty above, Radware is held liable
under any warranty provision, Radware shall be released from all such obligations in the event
that the Software shall have been subject to misuse, neglect, accident or improper installation,
or if repairs or modifications were made by persons other than by Radware's authorized service
personnel.

6. Limitation of Liability. Except to the extent expressly prohibited by applicable statutes, in no
event shall Radware, or its principals, shareholders, officers, employees, affiliates, licensors,
contractors, subsidiaries, or parent organizations (together, the Radware Parties), be liable for
any direct, indirect, incidental, consequential, special, or punitive damages whatsoever relating
to the use of, or the inability to use, the Software, or to your relationship with, Radware or any
of the Radware Parties (including, without limitation, loss or disclosure of data or information,
and/or loss of profit, revenue, business opportunity or business advantage, and/or business
interruption), whether based upon a claim or action of contract, warranty, negligence, strict
liability, contribution, indemnity, or any other legal theory or cause of action, even if advised of
the possibility of such damages. If any Radware Party is found to be liable to You or to any
third-party under any applicable law despite the explicit disclaimers and limitations under these
terms, then any liability of such Radware Party, will be limited exclusively to refund of any
license or registration or subscription fees paid by you to Radware.
7. Third Party Software. The Software includes software portions developed and owned by third
parties (the Third Party Software). Third Party Software shall be deemed part of the Software
for all intents and purposes of this License Agreement; provided, however, that in the event that
a Third Party Software is a software for which the source code is made available under an open
source software license agreement, then, to the extent there is any discrepancy or inconsistency
between the terms of this License Agreement and the terms of any such open source license
agreement (including, for example, license rights in the open source license agreement that are
broader than the license rights set forth in Section 1 above and/or no limitation in the open
source license agreement on the actions set forth in Section 3 above), the terms of any such
open source license agreement will govern and prevail. The terms of open source license
agreements and copyright notices under which Third Party Software is being licensed to
Radware or a link thereto, are included with the Software documentation or in the header or
readme files of the Software. Third Party licensors and suppliers retain all right, title and interest
in and to the Third Party Software and all copies thereof, including all copyright and other
intellectual property associated therewith. In addition to the use limitations applicable to Third
Party Software pursuant to Section 3 above, you agree and undertake not to use the Third Party
Software as a general SQL server, as a stand-alone application or with applications other than
the Software under this License Agreement.
8. Term and Termination. This License Agreement is effective upon the first to occur of your
opening the package of the Product, purchasing, downloading, installing, copying or using the
Software or any portion thereof, and shall continue until terminated. However, sections 3-11
shall survive any termination of this License Agreement. The License under this License
Agreement is not transferable and will terminate upon transfer of the Software.
9. Export. The Software or any part thereof may be subject to export or import controls under the
laws and regulations of the United States and/or Israel. You agree to comply with such laws and
regulations, and, agree not to knowingly export, re-export, import or re-import, or transfer
products without first obtaining all required Government authorizations or licenses therefor.
10. Governing Law. This License Agreement shall be construed and governed in accordance with
the laws of the State of Israel.
11. Miscellaneous. If a judicial determination is made that any of the provisions contained in this
License Agreement is unreasonable, illegal or otherwise unenforceable, such provision or
provisions shall be rendered void or invalid only to the extent that such judicial determination
finds such provisions to be unreasonable, illegal or otherwise unenforceable, and the remainder
of this License Agreement shall remain operative and in full force and effect. In any event a
party breaches or threatens to commit a breach of this License Agreement, the other party will,
in addition to any other remedies available to, be entitled to injunction relief. This License
Agreement constitutes the entire agreement between the parties hereto and supersedes all prior
agreements between the parties hereto with respect to the subject matter hereof. The failure of
any party hereto to require the performance of any provisions of this License Agreement shall in
no manner affect the right to enforce the same. No waiver by any party hereto of any provisions
or of any breach of any provisions of this License Agreement shall be deemed or construed
either as a further or continuing waiver of any such provisions or breach waiver or as a waiver of
any other provision or breach of any other provision of this License Agreement.
IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE, YOU MUST REMOVE THE
SOFTWARE FROM ANY DEVICE OWNED BY YOU AND IMMEDIATELY CEASE USING THE
SOFTWARE.
COPYRIGHT 2012, Radware Ltd. All Rights Reserved.
