Important Notices
The following important notices are presented in English, French, and German.
Important Notices
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2006–2012. All rights reserved.
The copyright and all other intellectual property rights and trade secrets included in this guide are
owned by Radware Ltd.
The guide is provided to Radware customers for the sole purpose of obtaining information with
respect to the installation and use of the Radware products described in this document, and may not
be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be kept in strict
confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without
the prior written consent of Radware.
Important Notice
This guide is subject to the following conditions and restrictions:
Copyright Radware Ltd. 2006–2012. All rights reserved.
The copyright and all other rights relating to the intellectual property and trade secrets
contained in this guide are the property of Radware Ltd.
This information guide is provided to our customers for the installation and use of the
Radware products described in this document and may not be used for any purpose other than
that for which it was designed.
The information set out in this document remains the property of Radware and must be
kept confidential.
It is strictly forbidden to copy, reproduce or disclose information contained in this
manual without the prior written consent of Radware.
Important Notice
This manual is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 2006–2012. All rights reserved.
The copyright and all other proprietary rights and trade secrets contained in this manual
are the property of Radware Ltd.
This manual is provided to Radware customers for the sole purpose of supplying
information on the installation and use of the Radware products described in this document.
It may not be used for any other purpose.
The information contained in this manual is the property of Radware and must be treated as
strictly confidential.
It is strictly forbidden to copy, duplicate, reproduce or disclose this manual or parts of it
without the prior written consent of Radware.
Copyright Notices
The following copyright notices are presented in English, French, and German.
Copyright Notices
This product contains code developed by the OpenSSL Project
This product includes software developed by the OpenSSL Project. For use in the OpenSSL Toolkit.
(http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
This product contains the Rijndael cipher
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public
domain and distributed with the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
The OnDemand Switch may use software components licensed under the GNU General Public
License Agreement Version 2 (GPL v.2) including LinuxBios and Filo open source projects. The
source code of the LinuxBios and Filo is available from Radware upon request. A copy of the license
can be viewed at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This code is hereby placed in the public domain.
This product contains code developed by the OpenBSD Project
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
3. Neither the name of the University nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
ALL THE SOFTWARE MENTIONED ABOVE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product contains work derived from the RSA Data Security, Inc. MD5 Message-Digest
Algorithm. RSA Data Security, Inc. makes no representations concerning either the merchantability
of the MD5 Message-Digest Algorithm or the suitability of the MD5 Message-Digest Algorithm for
any particular purpose. It is provided as is without express or implied warranty of any kind.
3. Neither the name of the university nor the names of the contributors may in any case be used to
endorse or promote a product derived from this program without prior written authorization.
1. Distribution of source code must include the copyright notice mentioned above, this
list of conditions and the following disclaimer.
2. Distribution in binary form must reproduce, in the documentation and/or other material
provided, the copyright notice mentioned above, this list of conditions and
the following disclaimer.
THE SOFTWARE MENTIONED ABOVE IS PROVIDED AS IS BY THE DEVELOPER, AND ANY
WARRANTY, EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, ANY IMPLIED WARRANTY
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, IS EXCLUDED.
IN NO EVENT SHALL THE AUTHOR BE HELD LIABLE FOR DIRECT, INDIRECT, INCIDENTAL,
SPECIAL, EXEMPLARY OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, THE
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES, LOSS OF USE, DATA OR PROFITS, OR
BUSINESS INTERRUPTION), WHATEVER THE CAUSE AND THEORY OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE), ARISING IN
ANY WAY FROM THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH
DAMAGE.
Copyright Notices
This product contains code developed by the OpenSSL Project
This product includes software developed by the OpenSSL Project. For use in the OpenSSL
Toolkit. (http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
This product contains the Rijndael cipher
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is
publicly available and is distributed under the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
The OnDemand Switch may use software licensed under the GNU General Public
License Agreement Version 2 (GPL v.2), including the LinuxBios and Filo
open source projects. The source code of LinuxBios and Filo is available from Radware upon request.
A copy of this license can be viewed at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This code is hereby placed in the public domain.
This product contains code developed by the OpenBSD Project
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary form, with or without modifications, are
permitted under the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other
materials that are distributed with them.
3. Neither the name of the University nor the names of the contributors may be used, without express
prior written permission, to endorse or promote products derived from this
software.
This product contains software developed by Markus Friedl
This product contains software developed by Theo de Raadt
This product contains software developed by Niels Provos
This product contains software developed by Dug Song
This product contains software developed by Aaron Campbell
This product contains software developed by Damien Miller
This product contains software developed by Kevin Steves
This product contains software developed by Daniel Kouril
This product contains software developed by Wesley Griffin
This product contains software developed by Per Allansson
This product contains software developed by Nils Nordman
This product contains software developed by Simon Wilkinson
Redistribution and use in source and binary form, with or without modifications, are
permitted under the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other
materials that are distributed with them.
ALL THE SOFTWARE MENTIONED ABOVE IS PROVIDED BY THE AUTHOR AS IS.
ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, ARE
EXCLUDED.
UNDER NO CIRCUMSTANCES SHALL THE AUTHOR BE LIABLE FOR DIRECT OR INDIRECT DAMAGES,
FOR DAMAGES INCURRED IN THE PERFORMANCE OF A CONTRACT, FOR SPECIAL DAMAGES, FOR
PUNITIVE DAMAGES, OR FOR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA OR PROFITS; OR
BUSINESS INTERRUPTION), HOWEVER CAUSED, AND FOR ANY KIND OF LIABILITY, WHETHER IN
CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE), THAT IN ANY
FORM RESULTS FROM THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
SUCH DAMAGE.
Safety Instructions
The following safety instructions are presented in English, French, and German.
Safety Instructions
CAUTION
A readily accessible disconnect device shall be incorporated in the building installation wiring.
Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures that
involve opening panels or changing components must be performed by qualified service personnel
only.
To reduce the risk of fire and electrical shock, disconnect the device from the power line before
removing cover or panels.
The following figure shows the caution label that is attached to Radware platforms with dual power
supplies.
GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this device
must be connected to the protective earth in the building installation.
LASER
This equipment is a Class 1 Laser Product in accordance with IEC60825 - 1: 1993 + A1:1997 +
A2:2001 Standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used for
replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided.
Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be
made inoperative and be secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power source
matches the requirements of the instrument. Refer to the Specifications for information about the
correct power rating for the device.
48V DC-powered platforms have an input tolerance of 36-72V DC.
SPECIFICATION CHANGES
Specifications are subject to change without notice.
Note: This equipment has been tested and found to comply with the limits for a Class A digital
device pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN
61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-4-11 for CE Mark compliance. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses and can radiate radio frequency energy
and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference in which case the user is required
to correct the interference at his own expense.
VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS
INTERCONNECTION OF UNITS
Cables for connecting to the unit RS232 and Ethernet Interfaces must be UL certified type DP-1 or
DP-2. (Note: when residing in a non-LPS circuit)
OVERCURRENT PROTECTION
A readily accessible listed branch-circuit overcurrent protective device rated 15 A must be
incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If equipment is provided with a replaceable battery, and is replaced by an incorrect battery type,
then an explosion may occur. This is the case for some Lithium batteries and the following is
applicable:
If the battery is placed in an Operator Access Area, there is a marking close to the battery or
a statement in both the operating and service instructions.
If the battery is placed elsewhere in the equipment, there is a marking close to the battery or a
statement in the service instructions.
Denmark - Unit is class I - unit to be used with an AC cord set suitable with Denmark
deviations. The cord includes an earthing conductor. The Unit is to be plugged into a wall socket
outlet which is connected to a protective earth. Socket outlets which are not connected to earth
are not to be used!
Sweden (Marking label and in manual) - Apparaten skall anslutas till jordat uttag.
CAUTION
Risk of electric shock and energy hazard. Disconnecting one power supply disconnects only one
power supply module. To isolate the unit completely, disconnect all power supplies.
Safety Instructions
WARNING
A readily accessible disconnect device shall be incorporated in the building wiring.
Because of the risks of electric shock and the energy, mechanical and fire hazards,
any procedure involving opening panels or replacing components shall be
performed by qualified personnel.
To reduce the risks of fire and electric shock, disconnect the device from the power
supply before removing the cover or panels.
The following figure shows the warning label affixed to Radware platforms that have
more than one electrical power source.
Figure 8: Safety warning for systems with two electrical power sources
(in Chinese)
Translation of the safety warning for systems with two electrical power sources
(in Chinese):
This unit has more than one electrical power source. Disconnect all electrical power
sources before servicing the device, in order to avoid any electric shock.
SERVICING
Do not perform any servicing other than that listed in the instruction manual, unless you are
qualified to do so. No part inside the unit can be replaced or repaired.
HIGH VOLTAGE
Any adjustment, maintenance and repair of the opened instrument while it is under voltage must be avoided.
If this proves essential, entrust the operation to a person who is qualified and aware of the
dangers involved.
Capacitors inside the unit may still be charged even if the unit has been disconnected from the
electrical power source.
GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of
this unit must be connected to the building's grounding system.
LASER
This equipment is a Class 1 laser product, in accordance with the IEC60825 - 1: 1993 + A1:
1997 + A2: 2001 standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used for
replacement. The use of repaired fuses and the short-circuiting of fuse holders must be
avoided. When it is practically certain that the protection offered by the fuses has been impaired,
the instrument must be deactivated and secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, check that the voltage of the power
source matches the requirements of the instrument. Refer to the specifications for
the correct power rating of the device.
48 V DC-powered platforms have an input tolerance of between 36 and 72 V DC.
SPECIFICATION CHANGES
Specifications are subject to change without prior notice.
Note: This equipment has been tested and declared compliant with the limits defined for a
Class A digital device, in accordance with Part 15B of the FCC Rules and EN55022
Class A, EN 55024, EN 61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8, and IEC
61000-4-11, for CE mark compliance. These limits are set to provide
reasonable protection against harmful interference when the equipment is used in a
commercial environment. This equipment generates, uses and can emit radio frequencies and,
if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference, in which case the user
must correct the problem at his own expense.
VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS
Figure 11: KCC, Certificate of the Korea Communications Commission for broadcasting and
communication equipment.
Figure 12: Statement for KCC-certified Class A equipment, in Korean
Cables for connecting to the unit's RS232 and Ethernet interfaces shall be UL certified, type DP-1 or
DP-2. (Note: if they do not reside in an LPS circuit)
OVERCURRENT PROTECTION
A readily accessible branch-circuit overcurrent protective device rated 15 A must
be incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If the equipment is supplied with a battery and it is replaced by an incorrect battery
type, it may explode. This is the case for some lithium batteries, so the
following applies:
If the battery is placed in an operator access area, there is a marking on the
battery or a statement in both the operating and service
instructions.
If the battery is placed elsewhere in the equipment, there is a marking on the battery or
a statement in the service instructions.
Denmark - Class 1 unit - to be used with an AC cord compatible with the
Denmark deviations. The cord includes an earthing conductor. The unit shall be
plugged into an earthed wall socket. Unearthed sockets shall not be
used!
Sweden (label and statement in the manual) - Apparaten skall anslutas till jordat uttag.
WARNING
Risk of electric shock and energy hazard. Disconnecting one electrical power source
disconnects only one power module. To isolate the unit completely, disconnect
all electrical power sources.
CAUTION
Risk of electric shock and electrical hazard. Disconnecting a single power supply
disconnects only one power supply module. To isolate the module in question completely,
all power supplies must be disconnected.
Caution: To Reduce the Risk of Electric Shock and Fire
1. All servicing operations shall be performed ONLY by qualified service
personnel. No component can be serviced or replaced by the user.
2. DO NOT connect, power up or try to use a visibly defective unit.
3.
4. Replace a blown fuse ONLY with a fuse of the same type and
rating, as indicated on the safety label near the power inlet that
contains the fuse.
5. DO NOT USE the equipment in premises where the maximum temperature exceeds 40
degrees Centigrade.
6. Make sure the power cord has been disconnected BEFORE trying to remove and/or
check the main power fuse.
Safety Instructions
CAUTION
The building's electrical installation must incorporate a readily accessible power disconnect
device.
Due to the risk of electric shock and the energy, mechanical and fire hazards, procedures
in which covers are removed or components are replaced may be performed only by
qualified service personnel.
To reduce the risk of fire and electric shock, the device must be disconnected from the power
supply before the cover or panels are removed.
The following figure shows the CAUTION label that is attached to Radware platforms with
dual power supplies.
If the battery is placed in an operator area, there is a marking near the battery
or a statement in both the operating manual and the service instructions.
If the battery is placed elsewhere in the device, there is a marking near the battery
or a statement in the service instructions.
Sweden - (marking label and in manual) - Apparaten skall anslutas till jordat uttag.
This device is designed to permit the connection between the earthed conductor of the
DC circuit and the earthing conductor of the device. See the
installation instructions.
2.
3. Do not attempt to connect to the circuit, switch on or operate an obviously damaged
device.
4. Make sure that the ventilation openings in the device housing are NOT
BLOCKED.
5. Replace a blown fuse only with one of the same type and
rating as stated on the safety label located next to the
power cable connection, on the fuse housing.
6. Do not operate the device at a location where the maximum ambient temperature
exceeds 40°C.
7. Make sure to pull the power cable out of the wall socket BEFORE you remove and/or
check the main fuse.
Document Conventions
The following describes the conventions and symbols that this guide uses:
| Item | Description | Description (French) | Description (German) |
|---|---|---|---|
| Example | An example scenario | An example scenario | An example scenario |
| Caution: | Possible damage to equipment, software, or data | Possible damage to equipment, data, or software | Possible damage to device, software, or data |
| Note: | Additional information | Additional information | Additional information |
| To | A statement and instructions | References and instructions | |
| Tip: | A suggestion or workaround | A suggestion or solution | |
| Warning: | Possible physical harm to the operator | Possible injury to the operator | Risk of injury to the operator |
Table of Contents
Important Notices
Copyright Notices
Safety Instructions
Document Conventions
Downloading a Device's Technical Support File to the APSolute Vision Client
Managing Device Configurations
Configuration File Content
Downloading a Device's Configuration File
Restoring a Device's Configuration
Synchronizing AppDirector Configurations
Notes:
>> For information about installing the APSolute Vision server and client, initial settings on
the APSolute Vision platform, and connecting the client to the server, see the Radware
Installation and Maintenance Guide and the APSolute Vision Administrator Guide.
>> For information about administrator operations, see the APSolute Vision Administrator
Guide.
>> For information about the required workflows for configuring application delivery with
Alteon, see the Alteon Application Switch Operating System Application Guide.
>> For information about the required workflows for configuring application delivery with
AppDirector, see the AppDirector User Guide.
>> For information about the required workflows for configuring network security with
DefensePro, see the DefensePro User Guide.
>> For information about APSolute Vision Reporter and how to use it, see its online help and
the APSolute Vision Reporter User Guide.
The following topics introduce APSolute Vision:
Online configuration per device, including support for templates as well as AppShape, which
automates/streamlines ADC configuration for common applications, such as SAP Portal and
Microsoft SharePoint Server.
Monitoring and control of multiple devices, including enabling and disabling entities within a
device. APSolute Vision can monitor multiple devices in a single view.
DefensePro Security Groups, which enable DefensePro devices to share threat information and
block malicious sources as a group.
Reporting and statistics at the device level, and on logical entities within a device. For real-time
and historical security reporting, APSolute Vision can also provide site and network-level reports
for immediate problem isolation, convenient attack and status visibility and information drilldown.
A highly customized Role-Based Access Control system that allows granular control and
monitoring of various security aspects for different users.
Scheduling device control and maintenance tasks, such as backup and restore.
Auditing
APSolute Vision includes a database for administrative, operational, and security events to facilitate
the creation of long and short-term reports.
APSolute Vision provides stability, capacity, and usability, due to its:
[Figure: diagram with the labels SSL; LAN/WAN; Firewall; APSolute Vision Server (physical appliance or virtual appliance); Alteon devices; AppDirector devices; DefensePro devices; SNMP V1/V2c/V3; IRP real-time statistics; HTTP(S)/TFTP]
Transmits user requests to the server tier and displays the results in the APSolute Vision
interface in an intuitive and easy-to-read format.
The network physical device tier enables management of the collection of network elements
connected to APSolute Vision. This includes devices that provide server load-balancing, security,
intrusion prevention and denial-of-service (DoS) protection.
Scheduling
Inline filtering
Online configuration per device, including support for templates as well as AppShape, which
automates/streamlines ADC configuration for common applications, such as SAP Portal and
Microsoft SharePoint Server.
Logical-element grouping
Hierarchical browsing
Routing table
General status
Statistics
Presents device statistics tables for device level and logical level
Managing configuration templates for AppDirector and DefensePro devices. These configuration
templates
Managing DefensePro Security Groups, which enable DefensePro devices to share threat
information and block malicious sources as a group. Managing DefensePro Security Groups is
done in the Asset Management perspective.
Rebooting devices
Device Drivers
APSolute Vision device drivers enable you to install or upgrade Radware devices without the need to
upgrade your APSolute Vision server.
A device driver in APSolute Vision defines the graphical user interface and configuration for the
software version of a managed device. The software version of a managed device defines the
baseline driver version. You can install a newer version of the device driver, and you can revert to
the baseline version.
You can have only one device-driver version in use on any single APSolute Vision server (but there
may be multiple device-driver versions released for a single software version of a device). Typically,
subsequent versions of device drivers for a particular software version of a managed device include
only very minor changes and/or bug fixes.
Notes:
>> When you upgrade device software, you need to reboot the device. However, when you
install a new version of a device driver or revert to the baseline version, you do not need
to reboot the device.
>> Device drivers do not include the online help. If the APSolute Vision server is configured
so that the clients get help from the server (the default option), the APSolute Vision
administrator should make sure that the APSolute Vision server has the latest version of
the online-help package.
>> The Properties pane that is displayed for a device includes the name of the device
driver.
Scheduling
Scheduling in APSolute Vision supports various operations for the APSolute Vision server and
managed devices, which enable you to automate the tasks and to run repeated tasks.
Scheduled tasks run according to the time as configured on the APSolute Vision client.
Access-control configuration and management in a local user table or using an external RADIUS
server (using RADIUS vendor attributes)
Note: For more information on RBAC, see the APSolute Vision Administrator Guide.
Password constraints
Administrative actions to create users, reset user passwords, and lock out users
Tracking user statistics for successful logins, failed logins, account locks, and so on
APSolute Vision client: For APSolute Vision server options, such as timeouts, connectivity,
event forwarding, and so on, and for server monitoring
Alteon VA: A software-based ADC supporting AlteonOS functionality and running on the
VMware virtual infrastructure.
ADC-VX: A specialized ADC hypervisor that runs multiple virtual ADC instances on dedicated
ADC hardware, Radware's OnDemand Switch platforms.
Notes:
>> For more information, see the Alteon Application Switch Operating System Application
Guide.
>> The Messages tab in the Alerts pane displays Alteon configuration messages. A message
is displayed in the Messages tab after each Alteon configuration-management action
(Apply, Save, Diff, Diff Flash, Revert, Revert Apply, and Dump). If the Alerts pane is
collapsed, it automatically expands immediately after the configuration-management
action. When you double-click a message, APSolute Vision opens an autonomous
window. The window contains the full message text, which you can copy to the
clipboard.
Advanced incident handling for security operating centers (SOCs) and network operating centers
(NOCs)
Note: For information on the products and versions that APSolute Vision Reporter supports,
see the APSolute Vision Release Notes.
Online Help
By default, APSolute Vision clients get online help from the APSolute Vision server. Installation of the
APSolute Vision server includes online-help files.
Depending on the APSolute Vision server configuration, the clients get online help from one of the
following locations:
radware.com: The online-help files at radware.com are always the most up-to-date, but
clients may encounter latency or connectivity problems.
Note: You can configure which perspective is displayed by default when you start an APSolute
Vision client session.
Configuration Perspective
Use the Configuration perspective to configure Radware devices. Typically, you choose the device to
configure in the Configuration perspective system pane Organization tab. You can view and modify
device settings in the content pane tabs, which have their own navigation panes for easier
navigation through configuration tasks.
You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you.
The Configuration perspective also includes the Properties pane, which displays information about
the currently selected device.
When APSolute Vision manages Alteon, you choose the standalone, vADC or VA device to configure
in the Configuration perspective system pane Organization tab. You manage ADC-VXs and the
hosted vADCs in the Configuration perspective system pane Physical tab.
Configuration button: Opens the Configuration perspective
Content area
Properties pane
Alerts pane: Displays the Alerts tab and the Messages tab.
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab displays Alteon configuration messages.
Configuration button: Opens the Configuration perspective
Content area
Properties pane
Alerts pane: Displays the Alerts tab and the Messages tab.
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab is not relevant for AppDirector.
Configuration button: Opens the Configuration perspective
Navigation area for the tab
Content area
Properties pane
Alerts pane: Displays the Alerts tab and the Messages tab.
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab is not relevant for DefensePro.
To configure a device, you must lock it. For more information, see Locking and Unlocking
Devices, page 73.
When you change a field value, the field label is displayed in italics.
Mandatory fields are displayed in red. You must enter data, or select an option in these fields.
After setting a mandatory field, the field label changes to black.
By default, tables display up to 20 rows per table page. You can change the number of rows per
table up to a maximum of 100 rows.
You can perform one or more of the following operations on table entries:
Device configuration information is saved only on the managed device, not in the APSolute
Vision database. To commit information to the device, you must do the following:
Click
Some configuration changes require an immediate device reboot. When you submit the
configuration change, the device will reboot immediately.
Some configuration changes require a device reboot to take effect, but you can save the
change without an immediate reboot. When you submit a change without a reboot, the
Properties pane displays a Reboot Required notification until you reboot the device.
For Alteon, APSolute Vision supports the configuration-management options: Apply, Save,
Diff, Diff Flash, Revert, Revert Apply, and Dump.
2.
Select the required device in the system pane by drilling down through the sites and subsites.
3.
4.
Select the required configuration tab in the content pane. Each tab displays a tab navigation
pane and configuration options.
5.
6.
Monitoring Perspective
In the Monitoring perspective, you can monitor physical devices and interfaces, and logical objects,
such as farms and servers. The Monitoring perspective navigation pane contains two navigation
tabs. The System tab contains the physical devices and interfaces. The Application Delivery tab
contains the logical entities for AppDirector. The Properties pane displays information about the
currently selected device. The content pane for each type of entity contains tabs in which you can
view different types of information. Some tabs contain a navigation pane.
Properties pane
Alerts pane: Displays the Alerts tab and the Messages tab. The
Alerts tab displays APSolute Vision and device alerts. The
Messages tab displays Alteon configuration messages.
Content area
Monitoring button: Opens the Monitoring perspective
Content area
Properties pane
Alerts pane: Displays the Alerts tab and the Messages tab.
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab is not relevant for DefensePro.
Security Dashboard: A graphical summary view of all current active attacks in the network
with color-coded attack-category identification, graphical threat-level indication, and instant
drill-down to attack details.
Current Attacks: A view of the current attacks in a tabular format with graphical notations of
attack categories, threat-level indication, drill-down to attack details, and easy access to the
protecting rules for immediate fine-tuning.
Traffic Monitoring: A real-time graph and table displaying network information, with the
attack traffic and legitimate traffic filtered according to specified traffic direction and protocol.
Geo Map: A graphical map view that displays threats by origin with hierarchical drill-down to IP
level.
HTTP Reports: Real-time graphs and tables with statistics on rules, protections according to
specified traffic direction and protocol, along with learned traffic baselines.
Note: For information about installing the APSolute Vision server and client, and connecting
the client to the server, see the Radware Installation and Maintenance Guide.
Caution: You install the APSolute Vision client by first accessing the APSolute Vision appliance
using a Web browser. Therefore, the APSolute Vision appliance must already have a proper IP
address installed. For information on configuring the IP address of the
APSolute Vision appliance, see the APSolute Vision Administrator Guide.
This section includes the following topics:
CD-ROM
Caution: There are certain compatibility issues with Windows 7. For more information, see
the APSolute Vision Release Notes.
Any Web browser that has a Java plug-in installed. The browser is needed only for downloading
the APSolute Vision client to the PC.
Java client version 1.6.0_17 or later must be installed to run the APSolute Vision Reporter.
In the Password field, type the password. Use the password that you receive from your
system administrator. The initial default password is radware.
2.
3.
Password: The password for the user. Depending on the configuration of the server, you
may be required to change your password immediately. Default: radware.
Vision Server: The name or IP address of the APSolute Vision server. This parameter is
displayed if you click Options. Otherwise, the login procedure tries to connect to the
APSolute Vision server that was specified previously.
Authentication: The method to authenticate the user: Local or RADIUS. That is, select
whether to use the credentials stored in the APSolute Vision server or the credentials
managed by the specified RADIUS Authentication server. This parameter is displayed if you
click Options. Otherwise, the login procedure tries to connect to the APSolute Vision server
using the authentication method that was specified previously.
Click OK.
2.
Click Options.
3.
4.
In the Change Password dialog box, enter your username, old password, new password, and
confirm the new password.
5.
Click OK. Your new password is saved and the APSolute Vision dialog box is displayed.
2.
From the Filter drop-down list, select New. The contents of the Filter Name drop-down list
disappear.
3.
4.
5.
Click Save.
To modify a filter
1.
2.
3.
4.
Click Save.
2.
Note: To disable filtering (that is, show all the elements in the tree), select None.
3.
Click Apply.
To delete a filter
From the Filter drop-down list, select the filter; and then, click Delete.
Category
Description
Device Name
Device IP Address
Device Type
Property
Values:
AppShape
Organization Site
Physical Container
Values:
Physical Container: The ADC-VX in the Physical tab.
Payload Blade: Specifies a specific payload blade, or any
payload blade when the field is empty.
Enabled vADCs: Specifies whether the enabled vADCs are
displayed.
Disabled vADCs: Specifies whether the disabled vADCs are
displayed.
Note: This filter criterion applies only in the Physical tab.
2.
Parameter
Description
Basic Parameters
Operational Status
Management IP Address
Hardware Platform
The up time of the APSolute Vision server, in days, hours, minutes, and
seconds.
Software
Software Version
Build
Hardware
RAM Size
Attack Description
Attack Descriptions Last
Update
The time of the latest update of the Attack Description file on the
APSolute Vision server.
Caution: Device drivers do not include changes to the online help. Depending on the
configuration of the APSolute Vision server, the APSolute Vision clients get online help
either from the APSolute Vision server (the default option) or radware.com. The
online-help files at radware.com are always the most up-to-date; but clients may
encounter latency or connectivity problems. If the APSolute Vision clients get online
help from the APSolute Vision server, after updating a device driver, the online-help
files on the server should be updated. It is the responsibility of the APSolute Vision
administrator to make sure that the help files on the server are updated as necessary.
Notes:
>> For device software versions that were released prior to the release of APSolute Vision
1.10, all the baseline versions of the device drivers reside on the APSolute Vision server.
>> For device software versions that were released after the release of APSolute Vision
1.10, the baseline versions of the device drivers reside on the devices themselves.
>> The device driver includes the minimum APSolute Vision version.
When an APSolute Vision server detects that a new device has been installed or that a new device
software version has been installed on an existing device, the server does the following:
1. Retrieves the driver version from the device.
2. Checks whether it already has a driver version that corresponds to the device software version,
and uses the newest device driver.
3. If the driver version on the device is newer than the device version on the server, the server
downloads the new driver from the device, but does not apply it. The table in the Device Drivers
tab (in the Asset Management perspective) displays the device-version row shaded gray.
4. If the device driver is incompatible or not found, APSolute Vision behaves as follows:
Issues an appropriate error message, but displays the device in the tree of the System pane
with a special icon (?) on top of it.
When you click the device in the tree, no screen is displayed, but the following information is
displayed in the Properties pane: Device Name (from Vision), Device Type (if known),
Status: Unsupported, and Software Version: <SW_version>
Column
Description
Product Name
Product Version
No. of Devices
The number of devices that use the same device software version.
Driver Baseline
The baseline version of the driver used for this device software version.
Driver in Use
Latest Driver
The latest driver version for this device software version that is stored in
the APSolute Vision server.
In the Asset Management perspective system pane, select General Settings > Device
Drivers.
2.
Right-click in the row with the relevant device and device version.
3.
4.
Browse to the driver and click Open. APSolute Vision verifies that the device driver version is
relevant for the device software.
5.
Read the confirmation message; and then, accept or abort the action.
The version of the driver that you install cannot be the same version or an older version of the
driver baseline version. If the driver version that you install is newer than the baseline version
but older than the driver version in use, APSolute Vision prompts you for confirmation to
downgrade the current driver. If the driver version that you install is newer than the baseline
version and newer than the driver version in use, APSolute Vision prompts you for confirmation to
downgrade the current driver.
To revert to the baseline driver version that resides on the APSolute Vision server
1.
In the Asset Management perspective system pane, select General Settings > Device
Drivers.
2.
Right-click in the row with the relevant device and device version.
3.
Note: This option is displayed only when the driver version in use is different from the
baseline driver release.
To update all the device drivers to the latest ones that are stored in the APSolute
Vision server
1.
In the Asset Management perspective system pane, select General Settings > Device
Drivers.
2.
Note: This command is available only when the APSolute Vision server has a device driver
version that is later than one of the device drivers in use.
For information about configuring the maximum number of configuration files per device that can be
stored, see the APSolute Vision Administrator Guide.
Right-click the Description cell for the file and select Edit Description.
In the Description cell, add or edit the text, up to 50 characters.
5. To get the configuration file of the device from the APSolute Vision server and download the file
to the local PC:
a.
a.
b.
In the Save As text box, enter the path of the file or browse to the file.
Click Save.
Parameter
Description
File Name
File Type
An Alteon or AppDirector device can have configuration files for itself, its
peer device, and its backup device.
SW Version
Backup Date
The date and time that the file was saved on the APSolute Vision server.
Description
A description of the file. You can enter and edit text in this field.
AppDirector Farm
For information about configuring configuration templates, see Configuring and Using Configuration
Templates, page 74.
Use the Templates tab (Asset Management perspective, Configuration Templates) to do the
following:
The Templates tab (Asset Management perspective, Configuration Templates) comprises a filter
and the Templates table, which displays data on each template.
The Templates table supports the following columns:
Enabled: Specifies whether the template is enabled. When a template is enabled, you can use
it to create new configuration objects and propagate the values of the template onto existing
configuration objects. If the template is disabled, you cannot use it or edit it; the template is
only stored in APSolute Vision.
Screen ID: The internal identifier of the user interface that supports the template.
Software Version: The software version of the device that supports the template.
Modified On: The timestamp, in dd MMM hh:mm:ss format, when the template was last
modified.
Modified By: The APSolute Vision user who last modified the template.
Created On: The timestamp, in dd MMM hh:mm:ss format, when the template was created.
Parameter
Description
Enabled
Device Type
Software Version
Type
Parameter
Description
Template
Enabled
Name
Description
Type
Template Statistics
The values in this group box are read-only.
Screen ID
Device Driver ID
Software Version
Device Type
Created On
Created By
Modified On
The timestamp, in dd MMM hh:mm:ss format, when the template was last
modified.
Modified By
Total Propagations
2.
In the Templates group box, right-click in the row and select Delete Row.
Caution: The Security Groups feature does not support redundant APSolute Vision servers.
Unexpected results may occur if more than one APSolute Vision server manages the
DefensePro devices that are members of a Security Group.
Note: APSolute Vision does not limit the number of Security Groups, the number of senders, or
the number of receivers. Radware has tested the feature with five Security Groups, each
with five senders and five receivers.
Security Group behavior:
1. The Anti-Scanning or Server Cracking module of a sender detects an attack. The configuration of
the Security Group includes the modules (Anti-Scanning and/or Server Cracking) that
participate in the group.
2. The sender notifies APSolute Vision using the regular security-event traps.
3. APSolute Vision configures each receiver with a Dynamic Black List rule.
The rule name is in the following format:
hhmm is the time (hour and minutes) that the Security Group configured the rule. This is the
time set in the APSolute Vision server (and not on the DefensePro receiver or sender).
Attacked address
Attacked port
Protocol
In the Asset Management perspective Networking tab navigation pane, select Security Groups.
2.
3.
(Add) button.
Parameter
Description
Enabled
Specifies whether the Security Group is enabled. This enables you to keep
a Security Group configuration even when it is not in use.
Default: Disabled
Group Name
Blocking Period
The time, in minutes, that the receivers block traffic. This is the value of
the Expiration Timer in the black-list rule with which APSolute Vision
configures the receivers. The Expiration Timer fields display the time
remaining.
Values: 1–120
Note: For information on black lists, see Configuring Black Lists,
page 651.
(Read-only always enabled) Specifies that the receivers always block all the
traffic from the IP address of the source of the attack.
Destination IP Address Specifies that the receivers block the IP address of the attacked machine.
Default: Disabled
Destination Port
Specifies that the receivers block the attacked port of the attacked
machine.
Default: Disabled
Protocol
Specifies that the receivers block the protocol used in the attack.
Default: Disabled
Security Modules
Anti-Scanning
Specifies that the receivers block malicious traffic detected by the Anti-Scanning module of the senders.
Default: Enabled
Server Cracking
Specifies that the receivers block malicious traffic detected by the Server
Cracking module of the senders.
Default: Enabled
Senders
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available DefensePro devices. The Selected Devices list displays the senders of the Security Group.
Receivers
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available DefensePro devices. The Selected Devices list displays the receivers of the Security
Group.
Backing up the APSolute Vision data: You can back up the configuration tables and other
APSolute Vision data. Backup operations run by means of CLI commands. For more information
about APSolute Vision CLI commands, see the APSolute Vision Administrator Guide.
Updating the Attack Description file. For information about updating the Attack Description file,
see the APSolute Vision Administrator Guide.
You can perform the following operations using APSolute Vision CLI:
For more information about APSolute Vision CLI commands, see the APSolute Vision Administrator
Guide.
This meets Sarbanes-Oxley requirements to audit any configuration change that might affect the
network. In APSolute Vision, you can also configure the managed devices to log all configuration
changes on the device.
The Auditing log is stored in the APSolute Vision database. All audit logs are sent to the Alerts pane,
and can be displayed in the Alerts pane depending on the alerts filter configuration.
The following information is logged to the audit log:
All user management events and user activities (for example, successful login, password change
by user, password reset by admin, and so on).
Actions performed on the device (for example, uploading or downloading a file to a device,
device reboot and shutdown, log file retrieval, and so on).
APSolute Vision activities (including appliance activities, APSolute Vision upgrade, and so on).
Device configuration activities (if device auditing is enabled). The audit log records all
configuration changes applied to the managed devices.
Enable or disable configuration auditing for devices. For more information, see Enabling
Configuration Auditing for Managed Devices, page 66.
Enable and configure syslog and e-mail settings for sending audit information from the Alerts
pane. For more information, see the APSolute Vision Administrator Guide.
Note: To prevent overloading the managed device and prevent degraded performance, the
feature is disabled by default.
In the Configuration perspective system pane, select the device for which you want to configure
auditing.
2.
3.
4.
Click
Managing Alerts
The Alerts tab in the Alerts pane stores and displays alerts.
Note: The Alerts pane includes the Messages tab, which displays Alteon configuration
messages.
The alerts are based on events that are received from:
All alert information is stored in the APSolute Vision database in a separate table from the audit
information. Alert information can be sent to a central audit repository via syslog, and to a
configured recipient via e-mail.
SNMP Traps
The Alerts pane handles all error traps generated by APSolute Vision and the managed devices,
including:
Generic traps, such as, Cold Start, Link Down, Link Up, Authentication Failure, and so on
Auditing Messages
APSolute Vision forwards all logged audit events from all APSolute Vision modules and managed
devices to the Alerts pane, including:
Alert Information
All alert information is stored in the APSolute Vision database.
Double-click an alert in the Alerts tab to open the Alert Details dialog box, which displays all the
information with the expanded alert message.
Each alert in APSolute Vision contains the following information:
Alert Information
Description
Ack
Severity
The APSolute Vision severity of the event: Critical, Major, Minor, Warning, Info. SNMP trap
severities are mapped as shown in SNMP Trap to APSolute Vision Severity
Mappings, page 69.
Yes, by default
Time
Displayed in
Alerts Pane?
Yes, by default
The values differ according to the alert type, as follows:
SNMP traps: The value is the name of the device
that generated them.
APSolute Vision auditing events, which have device
context (configuration, monitoring): The value is the
name of the device to which the event relates.
When the alert is generated by the APSolute Vision
server, no device name is displayed.
Yes, by default
Device IP
Yes, by default
Message
Yes, by default
Module
Yes, by default
Values:
Device Security: For network security alerts
Device General: For all other device alerts
Vision Configuration: APSolute Vision configuration
auditing messages
Vision Control: APSolute Vision Monitoring auditing
messages
Vision General: Includes general APSolute Vision
auditing messages and APSolute Vision server
events
User Name
Yes, if
configured
Device Type
Yes, by default
Yes, if
configured
Port
The Raised Time, Device Name, and Message uniquely identify an alert, and are together considered
the Alert key.
Trap Severity
Fatal
Critical
Error
Major
Minor
Warning
Info
Info
Acknowledge and unacknowledge displayed alerts. Alerts of severity higher than Info require
user acknowledgement to indicate that they have been seen by the user. The alert remains in
the Alerts pane display.
Filter the alerts in the alert table to display a subset of alerts. For more information, see Filtering
Alerts, page 71.
Clear all the alerts in APSolute Vision database that match the current filter, whether or not the
alerts are visible in the Alerts pane.
To clear all the alerts in APSolute Vision database that match the current filter,
whether or not the alerts are visible in the Alerts pane
Click the
To acknowledge alerts
Do one of the following:
To acknowledge an alert, right-click the alert row in the table and select Acknowledge
Alert.
To acknowledge several alerts, select the corresponding rows, then right-click and select
Acknowledge Alert.
To unacknowledge alerts
Do one of the following:
To unacknowledge an alert, right-click the alert row in the table and select Unacknowledge Alert.
To unacknowledge multiple alerts, select the corresponding rows, then right-click and select
Un-acknowledge Alert.
To clear an alert, right-click the alert row in the table and select Clear Alert.
To clear several alerts, select the corresponding rows, then right-click and select Clear
Alert.
Notes:
>> Cleared alerts remain in the database, but cannot be viewed.
>> Clearing an unacknowledged alert automatically acknowledges the alert.
Automatic refresh is indicated by the selected
(Refresh) button.
Note: Radware recommends turning off automatic refresh while you are analyzing alert
information to prevent alerts disappearing from the display.
Filtering Alerts
You can display a subset of the currently displayed alerts by filtering the alerts according to various
alert information criteria.
The criteria are organized according to categories, for example, alert severity, device module, and
so on. Criteria from the same category are combined with logical OR. Criteria from different
categories are combined with logical AND.
The default filter settings include all criteria in all categories, meaning, by default, all alerts raised in
the last hour are displayed.
Note: Regardless of the filter defined, the configured number of most recent critical alerts are
always displayed at the top of the table on a colored background. This means that
critical alerts that match the filter criteria are displayed twice.
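The filter rules above (OR within a category, AND across categories, the Raised Time window, and critical alerts pinned regardless of the filter) can be modelled as follows. This is an added illustration, not Radware code: the Alert class, the function names and the sample alerts are constructed assumptions, and treating an unlisted category as "all values selected" is a modelling shortcut for the default filter.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Alert:
    raised: datetime   # Raised Time
    device: str        # Device Name; empty when the server itself raised the alert
    message: str
    severity: str      # Critical, Major, Minor, Warning or Info
    module: str        # for example "Device Security" or "Vision General"
    acked: bool = False

    @property
    def key(self):
        """Raised Time, Device Name and Message together form the Alert key."""
        return (self.raised, self.device, self.message)


def matches(alert, criteria, now, hours=1):
    """Return True if the alert passes the filter.

    criteria maps a category (an Alert field name) to the set of selected
    values. Values inside one category are ORed; categories are ANDed.
    A category that is not listed counts as "all values selected".
    """
    if alert.raised < now - timedelta(hours=hours):
        return False  # older than the Raised Time window (default: 1 hour)
    return all(getattr(alert, category) in selected
               for category, selected in criteria.items())


def build_view(alerts, criteria, now, hours=1, pinned_critical=2):
    """Return (pinned, filtered), both newest first.

    pinned holds the most recent critical alerts and ignores the filter
    entirely, including the time window; filtered holds the filter matches.
    """
    newest_first = sorted(alerts, key=lambda a: a.raised, reverse=True)
    pinned = [a for a in newest_first if a.severity == "Critical"][:pinned_critical]
    filtered = [a for a in newest_first if matches(a, criteria, now, hours)]
    return pinned, filtered


def shown_twice(pinned, filtered):
    """Critical alerts that appear both pinned and in the filtered rows."""
    keys = {a.key for a in filtered}
    return [a for a in pinned if a.key in keys]


# Constructed sample data (not taken from a real APSolute Vision server).
NOW = datetime(2012, 1, 1, 12, 0)
SAMPLE_ALERTS = [
    Alert(datetime(2012, 1, 1, 11, 50), "DP-1", "scan detected", "Critical", "Device Security"),
    Alert(datetime(2012, 1, 1, 11, 40), "DP-1", "link down", "Major", "Device General"),
    Alert(datetime(2012, 1, 1, 11, 30), "", "user login", "Info", "Vision General"),
    Alert(datetime(2012, 1, 1, 9, 0), "ADC-1", "fan failure", "Critical", "Device General"),
    Alert(datetime(2012, 1, 1, 11, 55), "ADC-1", "config applied", "Info", "Vision Configuration"),
]

if __name__ == "__main__":
    criteria = {
        "severity": {"Critical", "Major"},                   # Critical OR Major
        "module": {"Device Security", "Device General"},     # AND one of these modules
    }
    pinned, filtered = build_view(SAMPLE_ALERTS, criteria, NOW)
    print("pinned:  ", [a.message for a in pinned])
    print("filtered:", [a.message for a in filtered])
    print("twice:   ", [a.message for a in shown_twice(pinned, filtered)])
```

The "fan failure" alert is three hours old and so falls outside the one-hour window, yet it is still pinned; this is why a narrow filter during an investigation does not hide recent critical alerts.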
(Filter) button.
2.
Set filtering criteria parameters and click OK. The table is updated at the next automatic
refresh.
3.
To restore the default filtering criteria, click Restore Defaults, then click OK.
For more information about the filtering criteria, see Alert Information, page 67.
Parameter
Select Devices
Description
Click to select a subset of managed devices for which to display alerts.
In the Select Devices dialog box, move the required devices from the
Available list to the Selected list.
Raised Time
Alerts raised within the defined time period are displayed. For
example, if you define 1 hour, alerts raised in the last hour are
displayed. After the defined time, alerts are cleared from the display
(not from the Alerts database).
Values: 1–24 hours
Default: 1 hour
Severity
Module
Device Type
Acknowledgment
Client preferences: Define how many critical alerts to display and how often the client polls the
server for alert information. For more information, see the APSolute Vision Administrator Guide.
Server preferences: Define how the APSolute Vision server handles alerts. You can enable and
configure reporting and logging events from the Alerts browser to a syslog server. You can
configure sending alert information via e-mail to a defined recipient. For more information, see
the APSolute Vision Administrator Guide.
Note: Only one APSolute Vision server should manage any one Radware device. For more
information, see the APSolute Vision Administrator Guide.
While the device is locked:
The device icon in the system pane includes a small lock symbol (with an icon each for Alteon,
AppDirector, and DefensePro).
Configuration panes are displayed in read-only mode to other users with configuration
permissions for the device.
If applicable, the
If applicable, the
To lock a device
In the Configuration perspective system pane, right-click the device name, and select Lock
Device.
To unlock a device
In the Configuration perspective system pane, right-click the device name, and select Unlock
Device.
Notes:
>> This section describes configuration templates and how to configure and use them. For
information about managing configuration templates, see Managing Configuration
Templates, page 58.
>> For information on the parameters of the configuration object itself, refer to the section on
the specific configuration object.
>> The device must be locked to configure and use configuration templates.
The Configuration Template feature enables you to configure a configuration object with multiple
parameters with just a few actions. For example, AppDirector Farm and DefensePro BDoS Profile are
configuration objects that support the Configuration Template feature.
The APSolute Vision server stores and manages configuration templates, so you can use them on
any managed device of the same type and supported version.
With the Configuration Template feature, you can:
Propagate the values of a specified configuration template onto an existing configuration object.
Edit <Configuration Object Type> Template: Opens the Edit <Configuration Object Type>
Configuration Template dialog box. The dialog box comprises a table with the corresponding
Enabled: Specifies whether you can use the template to create new configuration objects
or propagate the template onto existing configuration objects. If the template is disabled,
you cannot use it or edit it; the template is only stored in APSolute Vision.
The read-only template statistics are displayed in the Template Statistics group box.
Existing Value: The propagation process preserves the existing value of the parameter.
Use Default Value: The propagation process changes the existing value of the parameter
to the default value for the parameter.
Parameter
Description
Screen ID
Device Driver ID
Software Version
Device Type
Created On
Created By
Modified On
The timestamp, in dd MMM hh:mm:ss format, when the template was last
modified.
Modified By
Total Propagations
Add New <Configuration Object> from Template: Creates a new configuration object from
a template. This option is available only if the configuration option supports manually adding a
new parameter.
Configuration-Template Behavior
The Configuration Template feature supports the following:
APSolute Vision applies configuration templates sequentially for all selected configuration
objects within a device.
APSolute Vision logs changes in the audit trail (like other configuration changes): Success, if
the change was successfully applied; Failed, if something failed during the update.
APSolute Vision issues success and failure alerts for propagations of configuration templates.
APSolute Vision logs propagation information in the propagate.log files, which you can access
via the Web interface of the APSolute Vision server. APSolute Vision cyclically stores up to 10
propagate.log files of 5 MB each, appending the appropriate number to the .log extension.
Open your browser and enter the IP address of the APSolute Vision server. An Authentication
Required dialog box is displayed.
2.
Enter the user name and password. Use the username and password that
you receive from your system administrator. The initial default user name is visionweb. The
initial default password is radware.
3.
4.
5.
Action
Description
Apply
Applies any changes that have been made to the device configuration.
This option is available only if the device is locked.
Save
Saves the current configuration in backup memory and saves the active
configuration by overwriting the current configuration.
This option is available only if the device is locked.
Revert
Revert Apply
Diff
Collects the pending configuration changes. You can view, save, and
copy the text when you double-click the associated message in the
Messages tab in the Alerts pane.
Diff Flash
Dump
Collects a dump of the current device configuration. You can view, save,
and copy the text when you double-click the associated message in the
Messages tab in the Alerts pane.
When an Alteon device is selected in the site tree, APSolute Vision exposes the configuration-management options in the device shortcut menu and in the main toolbar.
In the Configuration perspective system pane, right-click the device name; and then, select
the required option.
In the Configuration perspective system pane, select the device name; and then, from the
main toolbar, click the required button. The Diff Flash button is displayed when you click
the arrow of the Diff button. The Revert Apply button is displayed when you click the
arrow of the Revert button.
Figure 28: Alteon Configuration Management Options in the Shortcut Menu: Device Is Locked
Figure 29: Alteon Configuration Management Options in the Shortcut Menu: Device Is Not Locked
Figure 31: Alteon Configuration Management Options in the Toolbar Menu: Device Is Locked
AppDirector Setup
You can configure the following setup parameters for a selected AppDirector device:
2.
3.
Click
Parameter
Description
Basic Parameters
Device Description
Device Name
Contact Information
System Up Time
(Read-only) The length of time that the device has been up since last
device reboot.
Device Date
Version Information
Software Version
Hardware Version
Serial Number
Note: When NTP is disabled, the time and date must be set manually for the device.
Parameter
Description
Enable NTP
Server IP Address
L4 Port
Polling Interval
Time Zone
Note: When the system clock is manually configured, the system time is changed only when
daylight saving time starts or ends. When daylight saving time is enabled during the
daylight saving time period, the device does not change the system time.
In the Configuration perspective Setup tab, select Time Settings > Daylight Saving.
2.
Parameter
Description
Daylight Saving Time Parameters
Enabled
Current Mode
Parameter
Description
Delta
Month
Day
Values: 1-31
Instance
(Recurring mode only)
The instance of the day in the month when daylight saving begins.
For example, if daylight saving begins on the first Sunday in April,
the value is 1.
Hour
(Read-only) Displays the date and time at which daylight savings will
take effect.
Month
Day
Values: 1-31
Week Day
The instance of the day in the month when daylight saving ends. For
example, if daylight saving ends on the last Sunday in October, the
value is 4.
Hour
Note: The device optimizes the mailing process by gathering reports and sending them in a
single notification message once the buffer is full or once a timeout of 60 seconds
expires.
In the Configuration perspective Setup tab navigation pane, select Email Settings.
2.
Note: To configure users to receive e-mails about errors, in the User Table, set the e-mail
address and notification severity level for each user. For information about configuring
users, see Configuring Device Users, page 144.
Parameter
Description
Basic SMTP Parameters
Enables the e-mail client. Select to support features that are related
to sending e-mail messages.
Default: Disabled
Parameter
Description
Name in To Field
Note: Instead of configuring each individual device, Radware recommends configuring the
APSolute Vision server to convey the syslog messages from all devices. For more
information about configuring syslog reporting on the APSolute Vision server, see the
APSolute Vision Administrator Guide.
Default: Enabled
3. Do one of the following:
(Add) button.
Parameter
Description
Address or Hostname
Source Port
Destination Port
Facility
The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages
Local 6
Clock Daemon
Local 7
Clock Daemon2
Log Alerts
FTP Daemon
Log Audit
Kernel Messages
Mail System
Local 0
NTP Daemon
Local 1
Security Messages
Local 2
Syslogd Messages
Local 3
System Daemons
Local 4
Local 5
UUCP
2.
Table 17: Syslog Parameters for AppDirector Versions Other Than 2.14.03
Parameter
Description
Enable Syslog
Server Address
Facility
The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages
Local 6
Clock Daemon
Local 7
Clock Daemon2
Log Alerts
FTP Daemon
Log Audit
Kernel Messages
Mail System
Local 0
NTP Daemon
Local 1
Security Messages
Local 2
Syslogd Messages
Local 3
System Daemons
Local 4
Local 5
UUCP
(Add) button.
Parameter
Description
Primary DNS Server Address
The IP address of the primary DNS server to which AppDirector sends queries.
Alternative Network Type
Parameter
Description
Host Name
IPv4 Address
IPv6 Address
Parameter
Description
Primary DNS Server Address
The IP address of the primary DNS server to which AppDirector sends queries.
Alternative DNS Server
Address
Parameter
Description
Host Name
IP Address
Parameter
Description
Server Address
The IP address of the BootP server. The device forwards BootP requests
to the BootP server and acts as a BootP relay.
Relay Threshold
The time, in seconds, that the device waits before relaying requests to
the BootP server. This delay allows local BootP servers to answer first.
Parameter
Description
Parameter
Description
When enabled, the device sends a TCP RST packet to the server
if no data is transmitted through the session because it may be a
SYN attack.
Default: Disabled
Lookup Mode
Aging Time
The initial suspend time period cannot be lower than the Minimal Aging Timeout.
Each additional time the same source is suspended, the suspension length is doubled until it
reaches the Maximal Aging Timeout.
When the suspension length has reached the maximum length allowed, it remains constant for
each additional suspension.
In the Configuration perspective Advanced Parameters tab navigation pane, select Suspend
Table Settings.
2.
Parameter
Description
The time, in seconds, for which the managed device suspends first-time offending source IP addresses.
Default: 10
Maximum Entries with Same Source IP
The number of times the managed device suspends the same source
IP address before the managed device suspends all traffic from that
source IP address, regardless of the specified Suspend Action. For
example, if the value for this parameter is 4 and the specified
Suspend Action is SrcIP-DstIP-SrcPort-DstPort, the managed device
suspends all traffic from a source IP address that had an entry in the
Suspend list more than four times, even if the destination IP address,
source port, and destination ports were different for the previous
updates to the Suspend table.
This parameter is irrelevant when the specified Suspend Action is
SrcIP.
Values:
0: The device does not implement the feature.
1-10
Default: 0
Parameter
Description
Client Table
L3 Client Table
Session ID Threshold
Requests Threshold
Parameter
Description
Throughput Utilization
Threshold
Note: Since the statistics files are cumulative, you must ensure that you disable the Statistics
Reporting Mode before you create files larger than you desire. Failure to do so can result
in creating files that fill all available memory.
Parameter
Description
Basic Parameters
Statistics Reporting
Mode
Enables the creation of statistics files. Select the type of statistics to send:
Full: Sends all statistics.
Disabled: Disables creation and sending of statistics files.
Flow: Sends statistics concerning flow.
Health Monitoring: Sends statistics concerning health.
Default: Disabled
How often, in seconds, to update the statistics file with new flow rate data.
The file is cumulative, and new data is added to existing data.
Default: 60 seconds
Health Monitoring
Statistics Polling Time
How often, in seconds, to update the statistics file with new health data.
The file is cumulative, and new data is added to existing data.
Default: 60 seconds
Acceleration Statistics Interval
(This parameter is not available in AppDirector 1.07.12.)
All Application Acceleration measuring and statistics are performed for the
defined interval, in seconds. The statistics are updated at the end of every
interval. This means that a longer interval will give better average results
but will lower the ability to see Security Monitoring values.
Default: 5
SRP Configuration
SRP Management Host
IP Address
If the Destination address is listed in the same interface as the Source address, AppDirector
discards the frame.
If the Destination address is listed in another interface, AppDirector forwards the frame to the
relevant interface.
If the Destination address is not listed in any interface, AppDirector broadcasts the frame to all
interfaces participating in the VLAN.
(Add) button.
Parameter
Description
Receive Port
Type
DefensePro Setup
You can configure the following setup parameters for a selected DefensePro device:
In the Configuration perspective Setup tab navigation pane, select Global Parameters.
2.
(Submit) to submit
Parameter
Description
Basic Parameters
Device Description
Device Name
Location
Contact Information
System Up Time
(Read-only) The length of time that the device has been up
since the last device reboot.
Device Date
Version Information
Software Version
Hardware Version
Note: When NTP is disabled, the time and date must be set manually for the device.
Parameter
Description
Enable NTP
Server Name
L4 Port
Polling Interval
The interval, in seconds, between time query messages sent to the NTP
server.
Default:
64: For DefensePro 5.11
172,800: For DefensePro versions other than version 5.11
Time Zone
Note: When the system clock is manually configured, the system time is changed only when
daylight saving time starts or ends. When daylight saving time is enabled during the
daylight saving time period, the device does not change the system time.
Parameter
Description
Enabled
Begins at
Ends at
Current Mode
Note: The device optimizes the mailing process by gathering security and system events,
which it sends in a single notification message when the buffer is full, or when a timeout
of 60 seconds expires.
In the Configuration perspective Setup tab navigation pane, select Email Settings.
2.
Note: To configure users to receive e-mails about errors, in the User Table, set the e-mail
address and notification severity level for each user. For information about configuring
users, see Configuring Device Users, page 144.
Parameter
Description
Basic SMTP Parameters
Enables the e-mail client. Select to support features that are related
to sending e-mail messages.
Default: Disabled
Parameter
Description
SMTP Server Parameters
Mail address that will appear in the Sender field of e-mail messages
generated by the device, for example device1@domain.com.
Note: Instead of configuring each individual device, Radware recommends configuring the
APSolute Vision server to convey the syslog messages from all devices. For more
information about configuring syslog reporting on the APSolute Vision server, see the
APSolute Vision Administrator Guide.
Default: Enabled
3. Do one of the following:
(Add) button.
Parameter
Description
Server Address
Source Port
Destination Port
Facility
The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages
Local 6
Clock Daemon
Local 7
Clock Daemon2
Log Alert
FTP Daemon
Log Audit
Kernel Messages
Mail System
Local 0
NTP Daemon
Local 1
Syslogd Messages
Local 2
System Daemons
Local 3
Local 4
UUCP
Local 5
Default: Local Use 6
Parameter
Description
Protocol
(This parameter is
available only in
DefensePro version
6.02 and later.)
Values:
UDP: The device sends syslog messages using UDP. That is, the
device sends syslog messages with no verification of message
delivery.
TCP: The device sends syslog messages using TCP. That is, the device
verifies the message delivery. The device holds undelivered messages
in a backlog. As soon as the connection to the syslog server is re-established, the device sends them. If the backlog is full (100
messages, non-configurable), the device replaces lower-priority
messages with higher-priority messages (FIFO).
TLS: The device sends syslog messages using TCP with Transport
Layer Security (TLS) and uses the CA certificate specified in the CA
Certificate Name field. That is, the device verifies message delivery.
The device holds undelivered messages in a backlog. As soon as the
connection to the syslog server is re-established, the device sends
them. If the backlog is full (100 messages, non-configurable), the
device replaces lower-priority messages with higher-priority messages
(FIFO).
Default: UDP
Note: Report notification of lost syslog messages to your network
administrator.
CA Certificate Name
(This parameter is
available only in
DefensePro version
6.02 and later.)
The name of the CA certificate in the Certificate Table that the device uses
to send syslog messages when TLS is selected in the Protocol field.
To configure a new CA certificate, from the drop-down list, select New.
To view the existing certificates, click
in the dialog box, double-click on it.
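The difference between the UDP and TCP/TLS settings of the Protocol parameter during a syslog-server outage, modelled as an added example (not Radware code, and not part of the original guide). Assumptions: priority follows syslog severity (a lower number is more urgent), the entry evicted from a full backlog is the oldest of the least urgent queued messages, TLS differs from TCP only in transport protection, and all class and function names are hypothetical; the messages are constructed.

```python
BACKLOG_LIMIT = 100  # from the guide: 100 messages, non-configurable


class SyslogChannel:
    """Toy model of a device-side syslog sender (hypothetical, for illustration)."""

    def __init__(self, protocol, limit=BACKLOG_LIMIT):
        if protocol not in ("UDP", "TCP", "TLS"):
            raise ValueError("protocol must be UDP, TCP or TLS")
        self.protocol = protocol
        self.limit = limit
        self.connected = True
        self.backlog = []    # (severity, seq, text), kept in arrival order
        self.delivered = []  # what the syslog server actually received
        self.lost = []       # what never reaches the server
        self._seq = 0

    def send(self, severity, text):
        self._seq += 1
        item = (severity, self._seq, text)
        if self.protocol == "UDP":
            # No delivery verification: during an outage the message is gone.
            (self.delivered if self.connected else self.lost).append(item)
            return
        if self.connected:
            self.delivered.append(item)
        elif len(self.backlog) < self.limit:
            self.backlog.append(item)
        else:
            # Backlog full. Assumed eviction rule: the oldest entry among the
            # least urgent (highest severity number) queued messages.
            worst = max(self.backlog, key=lambda i: (i[0], -i[1]))
            if severity < worst[0]:
                self.backlog.remove(worst)
                self.lost.append(worst)
                self.backlog.append(item)
            else:
                self.lost.append(item)

    def reconnect(self):
        self.connected = True
        # The backlog is flushed in arrival order once the session is back.
        self.delivered.extend(self.backlog)
        self.backlog = []


def outage(protocol, info=100, critical=5):
    """Constructed scenario: server down, `info` severity-6 events,
    then `critical` severity-2 events, then the server returns."""
    ch = SyslogChannel(protocol)
    ch.connected = False
    for i in range(info):
        ch.send(6, "info %d" % i)
    for i in range(critical):
        ch.send(2, "critical %d" % i)
    ch.reconnect()
    return {
        "delivered": len(ch.delivered),
        "lost": len(ch.lost),
        "critical_delivered": sum(1 for sev, _, _ in ch.delivered if sev == 2),
        "first_delivered": ch.delivered[0][2] if ch.delivered else None,
    }


if __name__ == "__main__":
    for proto in ("UDP", "TCP", "TLS"):
        print(proto, outage(proto))
```

With UDP the whole outage window is missing from the collector; with TCP or TLS the loss is bounded to whatever overflowed the 100-message backlog, which is why a gap in low-severity events after a reconnect is expected.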
Parameter
Description
Enable Syslog
Server Address
Parameter
Description
Facility
The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages
Local 6
Clock Daemon
Local 7
Clock Daemon2
Log Alerts
FTP Daemon
Log Audit
Kernel Messages
Mail System
Local 0
NTP Daemon
Local 1
Security messages
Local 2
Syslogd Messages
Local 3
System Daemons
Local 4
Local 5
UUCP
L4 Destination Port
2.
Parameter
Description
Server Address
The IP address of the BootP server. The device forwards BootP requests to
the BootP server and acts as a BootP relay.
Relay Threshold
The time, in seconds, that the device waits before relaying requests to the
BootP server. This delay allows local BootP servers to answer first.
High-Availability in DefensePro: Overview
To support high availability (HA), you can configure two compatible DefensePro devices to operate in
a two-node cluster.
To be compatible, both cluster members must be of the same platform, software version, software
license, throughput license, and Radware signature file.
One member of the cluster is the primary; the other member of the cluster is the secondary.
A receiver in a DefensePro Security Group cannot be a secondary device in a cluster.
When you configure a cluster and submit the configuration, the newly designated primary device
configures the required parameters on the designated secondary device.
You can configure a DefensePro high-availability cluster in the following ways:
To configure the primary device of the cluster, the failover parameters, and the advanced
parameters, you can use the High Availability pane (Configuration perspective, Setup >
High Availability). When you specify the primary device, you specify the peer device, which
becomes the secondary member of the cluster.
To configure only the basic parameters of a cluster (Cluster Name, Primary Device, and
Associated Management Ports), you can use the Configuration perspective system pane.
The primary device transfers the relevant configuration objects to the secondary device.
A secondary device maintains its own configuration for the device users, IP interfaces, routing, and
the port-pair Failure Mode.
A primary device immediately transfers each relevant change to its secondary device. For example,
after you make a change to a Network Protection policy, the primary device immediately transfers
the change to the secondary device. However, if you change the list of device users on the primary
device, the primary device transfers nothing (because the secondary device maintains its own list of
device users).
The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.
The following situations trigger the active device and the passive device to switch states (active to
passive and passive to active):
The passive device does not detect the active device according to the specified Heartbeat
Timeout.
All links are identified as down on the active device according to the specified Link Down
Timeout.
Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the
specified Idle Line Timeout.
You issue the Switch Over command. (To switch the device states, in the Monitoring perspective
system pane, right-click the cluster node; and then select Switch Over.)
Switch the device state (that is, switch over active to passive and passive to active)
Reboot
Shut down
Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management.
Notes:
>> Before you can configure a cluster, the devices must be locked.
>> By design, an active device does not fail over during a user-initiated reboot. Before
you reboot an active device, you can manually switch to the other device in the cluster.
>> You can initiate a baseline synchronization if a cluster member is passive, using CLI or
Web Based Management.
>> When you upgrade the device software, you need to break the cluster (that is, ungroup
the two devices). Then, you can upgrade the software and reconfigure the cluster as you
require.
>> In an existing cluster, you cannot change the role of a device (primary to secondary or
vice versa). To change the role of a device, you need to break the cluster (that is,
ungroup the two devices), and then, reconfigure the cluster as you require.
>> If the devices of a cluster belong to different sites, APSolute Vision creates the cluster
node under the site where the primary device resides; and APSolute Vision removes the
secondary device from the site where it was configured.
>> APSolute Vision issues an alert if the state of the device clusters is ambiguous. For
example, if there has been no trigger for switchover and both cluster members detect
traffic. This state is normal during the initial synchronization process.
>> There is no failback mechanism. There is only the automatic switchover action and the
manual Switch Over command.
>> When a passive device becomes active, any grace time resets to 0 (for example, the
time of the Graceful Startup Mode Startup Timer).
>> You can monitor high-availability operation in the High Availability pane of the
Monitoring perspective.
>> The Properties pane displays the high-availability information of the selected device.
Note: You can monitor high-availability operation in the High Availability pane of the
Monitoring perspective.
The following table describes the icons that APSolute Vision displays in the system pane for
DefensePro high-availability clusters.
Table 35: Icons in the System Pane for DefensePro High-Availability Clusters
Icon
Description
Cluster
Primary device
Secondary device
The following table describes the icon elements that APSolute Vision displays in the system pane for
DefensePro high-availability clusters.
Table 36: Icon Elements in the System Pane for DefensePro High-Availability Clusters
Table 37: Icons in the System Pane for DefensePro High-Availability Clusters: Examples
Icon
Description
The cluster is operating nominally.
The cluster is synchronizing its members.
The cluster is unavailable.
The primary device is active, unlocked, and operating nominally.
The primary device is passive, unlocked, and operating nominally.
The secondary device is passive, unlocked, and operating nominally.
The secondary device is active, unlocked, and operating nominally.
The secondary device is unlocked and unavailable.
In the Configuration perspective Setup tab navigation pane, select High Availability.
2.
Note: To rename the cluster, in the Configuration perspective system pane, right-click the
cluster node, and select Rename <Cluster Name>. Rename the cluster (up to
32 characters); and then, click outside the cluster node.
Parameter
Description
Cluster Definition
Cluster Member
Peer Device
The name of the other device in the cluster. The drop-down list contains
the names of all the DefensePro devices that are not part of a cluster.
When the device is a member of an existing high-availability cluster, the
drop-down list is unavailable.
Associated
Management Ports
Specifies the management (MNG) port or ports through which the primary
and secondary devices communicate.
Values: MNG1, MNG2, MNG1+2
Note: You cannot change the value if the currently specified
management port is being used by the cluster. For example, if the
cluster is configured with MNG1+2, and MNG1 is in use, you
cannot change the value to MNG2.
Parameter
Description
Failover
Heartbeat Timeout
The time, in seconds, that the passive device detects no heartbeat from the
active device before the passive device becomes active.
Values: 1-10
Default: 5
The time, in seconds, after all links to the active device are identified as
being down before the devices switch states.
Values: 1-65,535
Default: 1
Note: If a dead link or idle line is detected on both cluster members,
there is no switchover.
Specifies whether the devices switch states due to an idle line detected on
the active device.
Default: Disabled
Note: If an idle line is detected on both cluster members, there is no
switchover.
The time, in seconds, with line bandwidth below the Idle Line Threshold
that triggers a switchover when the Use Idle Line Detection option is
enabled.
Values: 3-65,535
Default: 10
Note: If the Use Idle Line Detection checkbox is cleared, this
parameter is ignored.
Advanced Configuration
Baseline Sync.
Interval
The interval, in seconds, that the active device synchronizes the BDoS and
HTTP Mitigator baselines.
Values: 3600-86400
Default: 3600
Note: The active device synchronizes the baselines also when the
cluster is created.
Switchover Sustain
Timeout
The time, in seconds, after a manual switchover that the cluster members
will not change states.
Values: 30-3600
Default: 180
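The switchover triggers and failover timers described above, combined into one decision function as an added example (a model of the stated rules, not DefensePro code). Assumptions: the class, field and function names are hypothetical, a timer counts as expired when the elapsed time reaches its value, the sustain window is modelled as blocking automatic triggers only, and the observations are constructed inputs.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class HAConfig:
    # Defaults and value ranges are the ones listed in the Failover and
    # Advanced Configuration groups of the High Availability parameters.
    heartbeat_timeout: int = 5
    link_down_timeout: int = 1
    use_idle_line_detection: bool = False
    idle_line_timeout: int = 10
    switchover_sustain_timeout: int = 180

    def __post_init__(self):
        limits = {
            "heartbeat_timeout": (1, 10),
            "link_down_timeout": (1, 65535),
            "idle_line_timeout": (3, 65535),
            "switchover_sustain_timeout": (30, 3600),
        }
        for name, (lo, hi) in limits.items():
            if not lo <= getattr(self, name) <= hi:
                raise ValueError("%s must be in %d-%d" % (name, lo, hi))


@dataclass
class ClusterView:
    """Constructed snapshot of what the cluster members currently observe."""
    secs_without_heartbeat: float = 0.0        # seen by the passive device
    active_all_links_down_secs: float = 0.0    # 0 means links are up
    passive_all_links_down: bool = False
    active_idle_secs: float = 0.0              # time below Idle Line Threshold
    passive_idle: bool = False
    manual_switch_over: bool = False           # operator issued Switch Over
    secs_since_manual_switchover: Optional[float] = None
    active_user_reboot: bool = False           # user-initiated reboot in progress


def switchover_reason(cfg: HAConfig, view: ClusterView) -> Optional[str]:
    """Return why the members would switch states, or None if they stay put."""
    if view.manual_switch_over:
        return "manual"
    # Switchover Sustain Timeout: no state change right after a manual switchover.
    if (view.secs_since_manual_switchover is not None
            and view.secs_since_manual_switchover < cfg.switchover_sustain_timeout):
        return None
    # By design, no failover during a user-initiated reboot of the active device.
    if view.active_user_reboot:
        return None
    if view.secs_without_heartbeat >= cfg.heartbeat_timeout:
        return "heartbeat-timeout"
    # A dead link or idle line seen on both members causes no switchover.
    if (view.active_all_links_down_secs >= cfg.link_down_timeout
            and not view.passive_all_links_down):
        return "link-down"
    if (cfg.use_idle_line_detection
            and view.active_idle_secs >= cfg.idle_line_timeout
            and not view.passive_idle):
        return "idle-line"
    return None


if __name__ == "__main__":
    cfg = HAConfig(use_idle_line_detection=True)
    print(switchover_reason(cfg, ClusterView(active_idle_secs=30)))   # idle-line
    print(switchover_reason(cfg, ClusterView(active_idle_secs=30,
                                             passive_idle=True)))     # None
```

The second call shows the case worth testing before relying on idle-line detection: a quiet network makes both members idle, so traffic dropping to zero everywhere never moves the active role.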
2.
In the Configuration perspective Advanced Parameters tab navigation pane, select Dynamic
Protocols.
2.
Parameter
Description
FTP
Enable FTP
TFTP
Enable TFTP
Parameter
Description
Rshell
Enable Rshell
Rexec
Enable Rexec
H.225
Enable H.225
SIP
Enable SIP
Note: In DefensePro 5.12 and later, you configure the IP Fragmentation parameters in the
Basic Parameters pane under the Configuration perspective Networking tab.
When the length of the IP packet is too long to be transmitted, the originator of the packet, or one of
the routers transmitting the packet, must fragment the packet to multiple shorter packets.
Using IP fragmentation, the managed device can classify the Layer 4 information of IP fragments.
The device identifies all the fragments that belong to same datagram, then classifies and forwards
them accordingly. The device does not reassemble the original IP packet, but forwards the
fragmented datagrams to their destination, even if the datagrams arrive at the device out of order.
2.
Parameter
Enable IP Fragmentation
Description
When selected, enables IP fragmentation.
Default: Enabled
Queuing Limit
The percentage of IP packets the device allocates for out-of-sequence fragmented IP datagrams.
Values: 0-100
Default: 25
Aging Time
Parameter
Description
Basic Parameters
Report Interval
The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low
The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low
Parameter
Description
The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low
The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low
Destination IP Address
Enable Packet Trace on Physical Port
Specifies whether the feature is disabled, or enables the
feature and specifies the physical port to which the
DefensePro device sends identified attack traffic (when the
Packet Trace feature is enabled in the policy rule or profile).
Values:
none: The Packet Trace feature is disabled.
The physical, inspection ports (that is, excluding the
management ports)
Default: none
Caution: A change to this parameter takes effect only
after you update policies.
Note: DefensePro x06 models support the Packet Trace
functionality only for dropped traffic.
Maximum Rate
Parameter
Description
Packet Reporting
This group box and the parameters in it are available only in DefensePro versions prior to 5.11.
Enable Packet Reporting
Destination Address
netForensics Reporting
Enable netForensics Reporting
Agent IP Address
L4 Port
Note: The feature works on Cisco routers that have the capability to mirror an interface and
accept ACL commands to reroute traffic. This feature was tested on Cisco 6509
IOS 12.2.
In the Configuration perspective Advanced Parameters tab navigation pane, select Out of Path.
2.
Parameter
Description
You must enable and reboot the device before you can configure out-of-path settings.
When Out of Path is enabled, the only available protection is BDoS.
Router IP Address
The IP address of the organization router that manages all the incoming
traffic.
Routers Enable
Password
Verify Password
SSH Password
The router interface that is being monitored and from which traffic will be
redirected.
In the Configuration perspective Advanced Parameters tab navigation pane, select Session
Table Settings.
2.
Table 43: Session Table Parameters in DefensePro 6.05 and Later
Parameter
Description
Basic Parameters
The time, in seconds, that the Session table keeps idle TCP
sessions.
Values: 1-7200
Default: 100
The time, in seconds, that the Session table keeps idle UDP
sessions.
Values: 1-7200
Default: 100
The time, in seconds, that the Session table keeps idle SCTP
sessions.
Values: 1-7200
Default: 100
The time, in seconds, that the Session table keeps idle ICMP
sessions.
Values: 1-7200
Default: 100
The time, in seconds, that the Session table keeps idle GRE
sessions.
Values: 1-7200
Default: 100
Idle Other-Protocol-Session
Aging Time
The time, in seconds, that the Session table keeps idle sessions
of protocols other than TCP, UDP, SCTP, ICMP, or GRE.
Values: 1-7200
Default: 100
Parameter
Description
Advanced Parameters
Session-Table-Full Action
The action that the device takes when the Session Table is at full
capacity.
Values:
Allow new traffic: The device bypasses new sessions until
the session table has room for new entries.
Block new traffic: The device blocks new sessions until the
session table has room for new entries.
Default: Allow new traffic
Alert-Start Threshold
Alert-Stop Threshold
Parameter
Description
Lookup Mode
ACL
Anti Scanning
Connection Packet Rate Limit
Connection Rate Limit
HTTP Mitigator
HTTP Replies Signatures
Out-of-State protection
Server Cracking
Stateful Inspection
SYN Protection
Table 44: Session Table Parameters in DefensePro Versions 5.10 through 6.03
Parameter
Description
Parameter
Description
Send Reset to Destination When No Data is Received
Specifies whether the DefensePro device sends a RST packet for
TCP sessions where the device has seen the three-way
handshake (SYN and then ACK from the source) but has not seen
subsequent data packets.
Values:
Enabled: DefensePro sends a RST packet to the
destination and cleans the entry in the DefensePro Session
table.
Disabled: DefensePro ages the session normally (using
short SYN timeout), but the destination might hold the
session for quite some time.
Default: Disabled
Lookup Mode
Aging Time
ACL
Anti Scanning
HTTP Mitigator
Out-of-State protection
Server Cracking
Stateful Inspection
SYN Protection
Parameter
Description
Advanced Parameters
The action that the device takes when the Session Table is at full
capacity.
Values:
Allow new traffic: The device bypasses new sessions until
the session table has room for new entries.
Block new traffic: The device blocks new sessions until the
session table has room for new entries.
Default: Allow new traffic
Alert-Start Threshold
Alert-Stop Threshold
Parameter
Description
When enabled, the device sends a TCP RST packet to the server
if no data is transmitted through the session because it may be a
SYN attack.
Default: Disabled
Parameter
Description
Lookup Mode
Aging Time
Server Cracking
HTTP Mitigator
Anti Scanning
Stateful Inspection
Out-of-State protection
ACL
Advanced Parameters
Session Protection Short
Lifetime
Parameter
Description
The initial suspend time period cannot be lower than the Minimal Aging Timeout.
Each additional time the same source is suspended, the suspension length is doubled until it
reaches the Maximal Aging Timeout.
When the suspension length has reached the maximum length allowed, it remains constant for
each additional suspension.
Parameter
Description
The time, in seconds, for which the managed device suspends first-time offending source IP addresses.
Default: 10
Maximum Entries with Same Source IP
The number of times the managed device suspends the same source
IP address before the managed device suspends all traffic from that
source IP address, regardless of the specified Suspend Action. For
example, if the value for this parameter is 4 and the specified
Suspend Action is SrcIP-DstIP-SrcPort-DstPort, the managed device
suspends all traffic from a source IP address that had an entry in the
Suspend list more than four times, even if the destination IP address,
source port, and destination ports were different for the previous
updates to the Suspend table.
This parameter is irrelevant when the specified Suspend Action is
SrcIP.
Values:
0: The device does not implement the feature.
1-10
Default: 0
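The Suspend table escalation rules described for both AppDirector and DefensePro (doubling suspension length up to the maximum, and the switch to source-wide suspension), worked through as an added example that is not Radware code. Assumptions: the 10-second first-offence default is treated as the Minimal Aging Timeout, the Maximal Aging Timeout of 80 seconds is a constructed value, repeat counts are kept per source IP, names are hypothetical, and the addresses are documentation-range samples.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

FULL_TUPLE = "SrcIP-DstIP-SrcPort-DstPort"  # Suspend Action named in the guide
SRC_ONLY = "SrcIP"                          # Suspend Action named in the guide


@dataclass
class SuspendModel:
    min_aging: int = 10     # first-offence suspension, seconds (guide default: 10)
    max_aging: int = 80     # Maximal Aging Timeout, seconds (constructed value)
    max_same_src: int = 0   # Maximum Entries with Same Source IP; 0 = feature off
    action: str = FULL_TUPLE
    entries: Dict[str, int] = field(default_factory=dict)  # suspensions per source

    def __post_init__(self):
        if self.min_aging > self.max_aging:
            raise ValueError("initial suspension cannot exceed the maximum")
        if not 0 <= self.max_same_src <= 10:
            raise ValueError("max_same_src must be 0 or 1-10")

    def suspend(self, src_ip: str) -> Tuple[str, int]:
        """Record one more suspension of src_ip; return (scope, seconds)."""
        n = self.entries.get(src_ip, 0) + 1
        self.entries[src_ip] = n
        # The length doubles on each repeat, then stays constant at the maximum.
        seconds = min(self.min_aging * 2 ** (n - 1), self.max_aging)
        scope = self.action
        # More than max_same_src entries: suspend all traffic from the source,
        # whatever the configured action. Irrelevant if the action is SrcIP.
        if (self.action != SRC_ONLY and self.max_same_src > 0
                and n > self.max_same_src):
            scope = SRC_ONLY
        return scope, seconds


def replay(model: SuspendModel, offences: List[str]) -> List[Tuple[str, str, int]]:
    """Feed a constructed sequence of offending source IPs through the model."""
    return [(src,) + model.suspend(src) for src in offences]


if __name__ == "__main__":
    model = SuspendModel(max_same_src=4)
    for row in replay(model, ["198.51.100.7"] * 6 + ["203.0.113.9"]):
        print(row)
```

With the value 4 from the guide's own example, the fifth entry is the first one that widens the scope to the whole source IP, matching "more than four times".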
SME Overload: When the overload occurs in the string-matching engine (SME), the
accelerator reduces the number of new sessions sent to the SME. The existing sessions continue
to pass through the SME and are inspected. Features that require the SME, including some of
the attack signatures, will not be applied to some of the sessions.
Master Overload: When the overload occurs in the Master CPU, only a percentage of the
traffic is processed by the CPU. Behavioral DoS footprint analysis is done on sampled data,
ensuring the continuation of the feature, but Stateful inspection and SYN protection do not work.
Accelerator Overload: When the overload occurs in the Accelerator CPU, only a percentage of
the traffic is inspected, while the rest passes through using bypass modes. Inspected traffic is
passed to the Master and SME if they are not overloaded.
System Wide Overload: If all offload operations have failed to prevent overloaded conditions,
then a full bypass is implemented. Every device application is bypassed, including Bandwidth
Management, Statistics, Security, and so on.
(Submit) to submit
Parameter
Description
Enable Overload Mechanism
Specifies whether the device uses the overload mechanism, which
identifies and reports overload conditions.
Radware recommends that the overload-protection mechanism
always be enabled.
SRP Management Host IP
Address
Caution: Changing the configuration of this feature takes effect only after a device reset.
In the Configuration perspective Advanced Parameters tab navigation pane, select Tunneling
Inspection.
2.
Web services
In the Configuration perspective Setup tab navigation pane, select Access Protocols.
2.
Parameter
Description
Web Access
L4 Port
Parameter
Description
L4 Port
Certificate
The certificate file used by the secure Web server for encryption.
Telnet
Enable Telnet
L4 Port
Session Timeout
Authentication Timeout
SSH
Enable SSH
L4 Port
Session Timeout
Authentication Timeout
Web Services
This group box is not available in AppDirector 2.30 and later. In AppDirector 2.30 and later, Web
services are always enabled.
Enable Web Services
In the Configuration perspective Setup tab navigation pane, select SNMP Versions.
2.
Parameter
Description
The SNMP versions supported by the SNMP agent after resetting the
device. Select the SNMP version to support. Clear the versions that
are not supported.
Note: The managed devices must have access to the RADIUS server and must allow device
access.
In the Configuration perspective Setup tab navigation pane, select RADIUS Authentication.
2.
Configure RADIUS authentication parameters for the managed Radware device, and then,
click
Parameter
Description
Main
L4 Port
Parameter
Description
Secret
Verify Secret
Server IP Address
Backup
L4 Port
Secret
Verify Secret
Server IP Address
Basic Parameters
Timeout
The length of time the device waits for a reply from the RADIUS
server before a retry, or, if the Retries value is exceeded, before
the device acknowledges that the server is offline.
Default: 1
Retries
Client Lifetime
Table 51: RADIUS Authentication Parameters in AppDirector Versions Prior to 2.30 and
DefensePro
Parameter
Description
Main
Server IP Address
Parameter
Description
L4 Port
Secret
Verify Secret
Backup
Server IP Address
L4 Port
Secret
Verify Secret
Basic Parameters
Timeout
The length of time the device waits for a reply from the RADIUS
server before a retry, or, if the Retries value is exceeded, before
the device acknowledges that the server is offline.
Default: 1
Retries
Client Lifetime
(Add) button.
Parameter
Description
Task Name
Frequency
Time
Date
If the event frequency is once, configure the date that the event occurs
in the DD/MM/YYYY format.
Days of Week
If the selected event frequency is weekly, select the day or days the
event occurs.
In the Configuration perspective Setup tab navigation pane, select License Upgrade.
2.
Configure license upgrade parameters for the new license keys; and then, click
(Submit) to submit the changes.
Table 53: AppDirector License Upgrade Parameters in AppDirector 2.14 and Later
Parameter
Description
Basic Information
The MAC address of the first port on the device. This is the MAC
address on which the license is based.
License Upgrade
License ID
Throughput License ID
Compression on Server
Side License ID1
Compression on Server
Side License Key1
Parameter
Description
Basic Information
The MAC address of the first port on the device. This is the MAC
address on which the license is based.
License Upgrade
License ID
Throughput License ID
Parameter
Description
Compression on Server
Side License ID1
Compression on Server
Side License Key1
Parameter
Description
Basic Information
The MAC address of the first port on the device. This is the MAC
address on which the license is based.
License Upgrade
License ID
Throughput License ID
Parameter
Description
Basic Information
The MAC address of the first port on the device. This is the MAC
address on which the license is based.
License Upgrade
License ID
Parameter
Description
Throughput License ID
Managing Certificates
This section describes certificates and how to manage them using APSolute Vision.
Certificates
Certificates are digitally signed indicators which identify the server or user. They are usually
provided in the form of an electronic key or value. The digital certificate represents the certification
of an individual business or organizational public key but can also be used to show the privileges and
roles for which the holder has been certified. It can also include information from a third-party
verifying identity. Authentication is needed to ensure that users in a communication or transaction
are who they claim to be.
A basic certificate includes the following:
The identity of the Certificate Authority (CA) and its digital signature to affirm the digital
certificate was issued by a valid agency
Keys
A key is a variable set of numbers that the sender applies to encrypt data to be sent via the
Internet. Usually a pair of public and private keys is used. A private key is kept secret and used only
by its owner to encrypt and decrypt data. A public key has a wide distribution and is not secret. It is
used for encrypting data and for verifying signatures. One key is used by the sender to encrypt or
interpret the data. The recipient also uses the key to authenticate that the data comes from the
sender.
The use of keys ensures that unauthorized personnel cannot decipher the data. Only with the
appropriate key can the information be easily deciphered or understood. Stolen or copied data would
be incomprehensible without the appropriate key to decipher it and prevent forgery. AppDirector and
DefensePro support the following key size lengths: 512, 1024, or 2048 bytes.
Self-Signed Certificates
Self-signed certificates do not include third-party verification. When you use secure WBM, that is, an
HTTPS session, the managed device uses a certificate for identification. By default, the device has
self-signed Radware SSL certificates. You can also specify your own self-signed SSL certificates.
Configuring Certificates
You can create or modify a self-signed certificate for secured access to Web Based Management
(WBM).
You can also create certificate signing requests and keys for new certificates.
Note: In AppDirector 2.11 and later, you can create and modify certificates for SSL policies and
Client CA policies. Also, in AppDirector 2.11 and later, you can manage certificates only
if you are connected via SNMPv3.
2.
3.
(Add) button.
Parameter
Description
Name
Type
Parameter
Description
Key Size
Common Name
Organization
Email Address
Any e-mail address that you want to include within the certificate.
Key Passphrase
Locality
State / Province
Organization Unit
Country Name
Certificate Expiration
1 If you select this option when it is not allowed (according to the type of certificate you
are using), the device alerts you with an error message.
Parameter
Description
Common Name
Locality
State / Province
Organization
Organization Unit
Country Name
Email Address
Importing Certificates
Depending on the product, you can import keys and certificates from another machine, and import a
certificate to an existing Signing Request to complete its process. You can also import intermediate
CA certificates for SSL policies, and Client CA Certificates for Client Authentication policies.
Keys and certificates are imported in PEM format. If you have separate PEM files for Key and for
certificate, you must import them consecutively with the same entry name.
2.
3.
Parameter
Description
Entry Name
Entry Type
Values:
Key: Imports a key from backup or exported from another
system. To complete the configuration, you will need to import
a certificate into this key.
Certificate: Imports a certificate from backup or exported
from another machine. The certificate must be imported onto a
matching key or signing request.
Intermediate CA Certificate: Imports a certificate to be used in
the SSL policy.
Client CA Certificate: Imports a Client CA certificate.
Root TSL Certificate
Default: Key
Parameter
Description
Passphrase
Since Private Keys are the most sensitive parts of PKI data they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.
Since Private Keys are the most sensitive parts of PKI data they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.
File Name
Parameter
Description
Entry Name
Entry Type
Values:
Key: Imports a key from backup or exported from another
system. To complete the configuration, you will need to import
a certificate into this key.
Certificate: Imports a certificate from backup or exported
from another machine. The certificate must be imported onto a
matching key or signing request.
Certificate of Client CA: Imports a Client CA certificate.
Default: Key
Note: In Web Based Management, DefensePro supports the
following three additional options: Intermediate CA
Certificate, Certificate and Key, SSH Public Key.
Passphrase
(This parameter is available
only when the Entry Type is
Key.)
Verify Passphrase
Since Private Keys are the most sensitive parts of PKI data they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.
Since Private Keys are the most sensitive parts of PKI data they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.
File Name
Exporting Certificates
Key, certificate and signing request export is used for backup purposes, moving existing
configurations to another system or for completion of Signing Request processes. You can export
certificates from a device by copying and pasting a key or by downloading a file. Keys and
certificates are exported to PEM format.
Note: The Radware key is created without a Radware password at system startup, thus it can
be exported without a Radware password.
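Because keys and certificates move between systems as PEM text, an exported file can be checked for private keys that carry no passphrase protection before it is stored or imported elsewhere. The following is an added example, not Radware code: the function names are hypothetical, the sample export is constructed with placeholder bodies rather than real key material, and the labels checked are the standard OpenSSL PEM markers.

```python
import base64
import re

# One PEM block: BEGIN/END lines with the same label, body in between.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
REQUEST_LABELS = {"CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"}


def split_headers(body):
    """Separate legacy 'Name: value' PEM headers from the base64 payload."""
    lines = body.strip().splitlines()
    headers, i = {}, 0
    while i < len(lines) and ":" in lines[i]:
        name, value = lines[i].split(":", 1)
        headers[name.strip()] = value.strip()
        i += 1
    return headers, "".join(line.strip() for line in lines[i:])


def audit_pem(text):
    """Classify every PEM block by entry type and passphrase protection."""
    findings = []
    for match in PEM_BLOCK.finditer(text):
        label = match.group(1)
        headers, b64 = split_headers(match.group(2))
        try:
            well_formed = len(base64.b64decode(b64, validate=True)) > 0
        except ValueError:
            well_formed = False
        protected = None  # only meaningful for keys
        if label.endswith("PRIVATE KEY"):
            entry_type = "Key"
            # PKCS#8 encrypted keys use their own label; legacy keys signal
            # encryption with a Proc-Type header.
            proc_type = headers.get("Proc-Type", "").replace(" ", "")
            protected = label == "ENCRYPTED PRIVATE KEY" or proc_type == "4,ENCRYPTED"
        elif label == "CERTIFICATE":
            entry_type = "Certificate"
        elif label in REQUEST_LABELS:
            entry_type = "Signing Request"
        else:
            entry_type = "Other"
        findings.append({"label": label, "entry_type": entry_type,
                         "passphrase_protected": protected,
                         "well_formed": well_formed})
    return findings


def unprotected_keys(findings):
    """Return the key entries that can be read without any passphrase."""
    return [f for f in findings
            if f["entry_type"] == "Key" and not f["passphrase_protected"]]


# Constructed sample export: placeholder payloads, not real keys or certificates.
PLACEHOLDER = base64.b64encode(b"constructed placeholder, not key material").decode()
SAMPLE_EXPORT = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n"
    "\n"
    f"{PLACEHOLDER}\n"
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN PRIVATE KEY-----\n"
    f"{PLACEHOLDER}\n"
    "-----END PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n"
    f"{PLACEHOLDER}\n"
    "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for finding in audit_pem(SAMPLE_EXPORT):
        print(finding)
    print("keys without passphrase:",
          [f["label"] for f in unprotected_keys(audit_pem(SAMPLE_EXPORT))])
```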
2.
3.
Parameter
Description
Entry Name
Select the name of the entry to export. By default, the name of the
selected certificate in the Certificates table is displayed.
Entry Type
Passphrase
Required when exporting Keys. Use the passphrase entered when the key
was created or imported. You must enter the key passphrase to validate
that you are authorized to export the key.
2.
3.
Select the entry name to show. By default, the name of the selected certificate in the
Certificates table is displayed.
4.
Select the entry type, and password for the key, if required.
5.
Configuring SNMP
Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the
exchange of management information between APSolute Vision and network devices.
Radware devices can work with all versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3.
Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at the
APSolute Vision are discarded.
Note: When you add a Radware device to APSolute Vision using SNMPv3, the user name and
authentication details must match one of the users configured on the device.
The following topics describe the procedures to configure SNMP on a selected device:
Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.
>> In the SNMP configuration, a user name is also known as a security name.
To configure an SNMP user for a device connected with SNMPv3 with Authentication
and Privacy
1. In the Configuration perspective Device Security tab navigation pane, select SNMP > SNMP
User Table.
2. Do one of the following:
(Add) button.
Parameter
Description
User Name
The user name, also known as a security name. The name can be up
to 18 characters.
Authentication Protocol
Authentication Password
Privacy Protocol
Privacy Password
Note: You cannot change the community string associated with the user name that you are
currently using.
In the Configuration perspective Device Security tab navigation pane, select SNMP >
Community.
2.
3.
(Add) button.
Parameter
Description
Index
A descriptive name for this entry. This name cannot be modified after
creation.
Default: public
Community Name
Security Name
The security name identifies the SNMP community used when the
notification is generated.
Default: public
Transport Tag
Specifies a set of target addresses from which the SNMP accepts SNMP
requests and to which traps can be sent. The target addresses identified by
this tag are defined in the SNMP Target Addresses table. At least one entry
in the SNMP Target Addresses table must include the specified transport tag.
If no tag is specified, addresses are not checked when an SNMP request is
received or when a trap is sent.
(Add) button.
Parameter
Description
Group Name
Security Model
The SNMP version that represents the required security model. Security models
are predefined sets of permissions that can be used by the groups. These sets
are defined according to the SNMP versions. By selecting the SNMP version for
this parameter, you determine the permissions set to be used.
Values:
SNMPv1
SNMPv2c
User Based (SNMPv3)
Default: SNMPv1
Security Name
If the User Based security model is used, the security name identifies the user
that is used when the notification is generated. For other security models, the
security name identifies the SNMP community used when the notification is
generated.
In the Configuration perspective Device Security tab navigation pane, select SNMP > Access.
2.
3.
(Add) button.
Description
Group Name
Security Model
Security Level
The name of the View that specifies which objects in the MIB tree are
readable by this group.
The name of the View that specifies which objects in the MIB tree are
writable by this group.
The name of the View that specifies which objects in the MIB tree can be
accessed in notifications (traps) by this group.
(Add) button.
Parameter
Description
Name
A descriptive name for this entry, for example, the type of notification.
Tag
A string that defines the target addresses that are sent this notification. All
the target addresses that have this tag in their tag list are sent this
notification.
In the Configuration perspective Device Security tab navigation pane, select SNMP > View.
2.
3.
(Add) button.
Parameter
Description
View Name
Sub-Tree
Type
Specifies whether the object defined in the entry is included or excluded in the
MIB view.
Values: Included, Excluded
Default: Included
(Add) button.
Parameter
Description
Name
Message Processing
Model
Security Model
Security Name
If the User Based security model is used, the security name identifies the
user that is used when the notification is generated. For other security
models, the security name identifies the SNMP community used when the
notification is generated.
Security Level
In the Configuration perspective Device Security tab navigation pane, select SNMP > Target
Address.
2.
3.
(Add) button.
Parameter
Description
Name
Mask
Tag List
(Add) button.
Parameter
Description
Device Users Table
User Name
Password
Email Address
Enable Configuration Tracing
When selected, the specified user receives notifications of
configuration changes made in the device.
Every time the value of a configurable variable changes, information
about all the variables in the same MIB entry is reported to the
specified users. The device gathers reports and sends them in a
single notification message when the buffer is full or when the
timeout of 60 seconds expires.
The notification message contains the following details:
Name of the MIB variable that was changed.
New value of the variable.
Time of configuration change.
Configuration tool that was used (APSolute Vision, Telnet, SSH, WBM).
User name, when applicable.
Access Level
Parameter
Description
Advanced Parameters
Authentication Mode
In the Configuration perspective Device Security tab navigation pane, select Advanced.
2.
3.
Select or clear the checkboxes to allow or deny access; and then, click OK.
Parameter
Description
Port
SNMP Access
Telnet Access
SSH Access
Web Access
SSL Access
Caution: Radware strongly recommends that you perform any device tuning only after
consulting with Radware Technical Support.
This section contains the following:
Note: Radware recommends performing a memory check before rebooting the device.
For information about tuning parameters for AppDirector 1.07.12, see Tuning Parameters in
AppDirector 1.07.12, page 149.
Parameter
Description
Device Tuning
For more information, see the tuning document, which is available from the Radware Web site.
Bridge Forwarding Table
IP Forwarding Table
Routing Table
Requests Table
Session IDs
Network Segments
L4 Policies
Application Delivery
Client Table
L3 Client Table
Session Table
Parameter
Description
Proximity Subnets
Parameter
Description
Device Tuning
IP Forwarding Table
Routing Table
Requests Table
Session IDs
Network Segments
L4 Policies
Application Delivery
Client Table
L3 Client Table
Session Table
Parameter
Description
In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters.
2.
To change the current setting, enter the new value in the After Reset column.
3.
Click
(Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.
Note: Radware recommends performing a memory check before rebooting the device.
Parameter
IP Fragmentation Table
Description
The maximum number of IP fragments that the device stores.
Values: 1256,000
Default: 1240
Session Table
Routing Table
Parameter
Description
Pending Table
Note: Layer 4 tables are larger than Layer 3 tables. TCP clients, using HTTP, may open several
TCP sessions to one destination address.
Each security table is responsible for clearing tables of old entries that are no longer required, and
ensuring that traffic is properly classified and inspected.
Parameter
Description
Parameter
Description
DoS Shield filters use thresholds for activation. This table counts
the number of times traffic matches a DoS Shield signature per
policy. When the number of packets exceeds the predefined limit,
it is identified as an attack.
Max. Number of Entries in DHCP Table
The number of MAC addresses to check for IP requests.
The DHCP Discover table detects attacks by counting the IP
requests for each MAC address. The requests are made using
Dynamic Host Configuration Protocol. When the number of IP
requests for a particular MAC address exceeds the predefined
limit, it is identified as an attack.
Max. Number of Entries in
Generic Signature Table
Parameter
Description
Max. Number of Anti-Scanning IP Pairs
The maximum number of source IP addresses that the device
stores for anti-scanning purposes.
Values: 10,000–1,000,000
Default: 100,000
Max. Number of Entries in
Counter Target Table
Parameter
Description
Max. Number of Entries in DHCP Table
The number of MAC addresses to check for IP requests.
The DHCP Discover table detects attacks by counting the IP
requests for each MAC address. The requests are made using
Dynamic Host Configuration Protocol. When the number of IP
requests for a particular MAC address exceeds the predefined
limit, it is identified as an attack.
Values: 100–64,000
Default: 100
Max. Number of Entries in
Generic Signature Table
Parameter
Description
Parameter
Description
The number of entries in the table that stores data regarding the
delayed binding process. An entry exists in the table from the
time a client starts the three-way handshake until the handshake
is complete.
Values: 10–500,000
Default: 200,000
The number of entries in the table that stores the ACK, or data
packet, the client sends, until the handshake with the server is
complete and the packet is sent to the server.
The Request table and the SYN Protection table are
approximately the same size while the Triggers table is much
smaller.
Values: 10–500,000
Default: 200,000
In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > Authentication Tables.
2.
Parameter
Description
Authentication Table Tuning
Parameter
Description
The time, in seconds, that the device keeps idle sources in the
TCP Authentication table.
Values: 60–3600
Default: 1200
The time, in minutes, that the device keeps idle sources in the
DNS Authentication table.
Values: 1–60
Default: 20
Note: The DNS Authentication Table Aging text box is
empty if DNS Flood Protection has not been enabled on
the device (Configuration perspective > Security
Settings > DNS Flood Protection > Enable DNS
Flood Protection). You can, however, enter a value
even if DNS Flood Protection is not enabled, and the
value will persist.
Click
(Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.
Note: Radware recommends performing a memory check before rebooting the device.
Parameter
Description
Max. Number of Content Entries
The maximum number of content entries in the table.
Values: 164096
Default: 256
Note: Radware recommends performing a memory check before rebooting the device.
Parameter
Description
Policy Table
Policy Leaves
The number of traffic flows for which the device can provide
bandwidth or limit the number of sessions.
Values: 16–400,000
Default: 2048
Destination Table
2.
Parameter
Description
To configure IP interfaces
1.
2.
3.
(Add) button.
Parameter
Description
IP Address
Prefix Length
Mask
Broadcast Address
Peer IP Address
Parameter
Description
Prefix Onlink
Parameter
Description
Status
Managing IP Routing
Radware devices forward IP packets to their destination using an IP routing table. This table stores
information about the destinations and how they can be reached. By default, all networks directly
attached to the device are registered in the IP routing table. Other entries can either be statically
configured or dynamically created through the routing protocol.
The following topics describe how to configure IP routing:
For a direct delivery (the destination is a neighboring node), the next-hop MAC address is the
destination MAC address for the IP packet.
For indirect delivery (the destination is not a neighboring node), the next-hop MAC address is
the IP router address according to the IP Routing table.
The destination IP address does not change from source to destination. The destination MAC
(Layer 2 information) is manipulated to move a packet across networks.
The MAC of the destination host is applied once the packet arrives on the destination network.
(Add) button.
Notes:
>> When editing a static route, you can modify only the Via Interface and Metric fields.
>> The Type field is displayed only in the Static Routes Table, not in the dialog box. It
cannot be configured.
Parameter
Description
Destination Network
Prefix Length
(This parameter is available only in AppDirector 2.30 and later.)
The prefix length that defines the subnet attached to this IP interface.
For IPv4, the prefix length varies from subnet to subnet, and
renumbering subnets can be expensive. With IPv4, the allocation varies by
the size of the site, which can be a problem when you migrate from one
ISP to another.
For IPv6, the prefix length is a decimal value that indicates the number of
contiguous, higher-order bits of the address that make up the network
portion of the address. For example, 10FA:6604:8136:6502::/64 is a
possible IPv6 prefix. The prefix length for an IPv6 subnet will always be
less than 64. It allows you to place as many IPv6 devices as the
underlying network medium allows.
IPv4 values: 0–32
IPv6 values: 0–64
Netmask
Parameter
Description
Next Hop
IP address of the next hop toward the Destination subnet. (The next hop
always resides on the subnet local to the device.)
Via Interface
The local interface or VLAN through which the next hop of this route is
reached. This can be the port name, trunk name, or VLAN ID.
Type
Metric
Parameter
Description
When enabled, a network host answers ARP queries for the network
address that is not configured on the receiving interface. Proxying ARP
requests on behalf of another host effectively directs all LAN traffic
destined for that host to the proxying host. The captured traffic is then
routed to the destination host via another interface.
Default: Enabled
Enable Sending Trap on ICMP Error
The Internet Control Message Protocol (ICMP) is one of the core protocols
of the Internet Protocol Suite and is used by networked computers'
operating systems to send error messages indicating, for example, that
a requested service is not available, or that a host or router could not be
reached.
When this option is enabled, a trap is sent when there is an ICMP error
message.
Default: Enabled
Default Network
(This parameter is available only in AppDirector 1.07.12.)
The network from whose announcements the device will discover its
default gateway.
AppDirector selects as default gateway the router that was announced as
next hop router for the default network with the best metric (lowest
metric).
When a default network is configured, but the device also receives default
route announcements, the default gateway is selected according to default
route announcements.
To configure IP routing
1. In the Configuration perspective Networking tab navigation pane, select IP Management > IP
Routing.
2. Do one of the following:
(Add) button.
Notes:
>> When editing a static route, you can modify only the Via Interface and Metric fields.
>> The Type field is displayed only in the Static Routes Table, not in the dialog box. It
cannot be configured.
Parameter
Description
When enabled, a network host answers ARP queries for the network
address that is not configured on the receiving interface. Proxying ARP
requests on behalf of another host effectively directs all LAN traffic
destined for that host to the proxying host. The captured traffic is then
routed to the destination host via another interface.
Default: Enabled
Enable Sending Trap on ICMP Error
The Internet Control Message Protocol (ICMP) is one of the core protocols
of the Internet Protocol Suite and is used by networked computers'
operating systems to send error messages indicating, for example, that
a requested service is not available, or that a host or router could not be
reached.
Default: Enabled
Note: When this option is enabled, a trap is sent when there is an ICMP
error message.
Configuring ICMP
Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite
and is used by networked computers' operating systems to send error messages indicating, for
instance, that a requested service is not available or that a host or router could not be reached.
3.
Parameter
Description
IP Address
Destination Address
Advertise Interval
Minimum
Maximum
Lifetime
Preference Level
The preference level of the address as the default router address, relative
to other router addresses on same subnet.
(Add) button.
Parameter
Description
Port
IP Address
MAC Address
Type
Entry type.
Values:
Other: Not Dynamic or Static.
Invalid: Invalidates ARP entry and effectively deletes it.
Dynamic: Entry is learned from ARP protocol. If the entry is not
active for a predetermined time, the node is deleted from the table.
Static: Entry has been configured by the network management
station and is permanent.
Parameter
Description
The time, in seconds, that inactive ARP cache entries can remain in the
ARP table before the device deletes them. If an ARP cache entry is not
refreshed within a specified period, it is assumed that there is a problem
with that address.
Values: 19999999
Default: 60000
Notes:
>> STP is not supported on OnDemand Switch 1 platforms.
>> Spanning Tree is supported only for IP-Regular and IP-Switch VLANs.
>> When working with STP in a redundant configuration, the VRRP redundancy mechanism
must be used, and the primary device must have the lowest Bridge ID.
2.
Parameter
Enable Spanning Tree
Description
Specifies whether the device enables STP.
Default: Disabled
Defaults
Bridge Priority
The default priority of bridge. The lower the value, the higher the priority.
Values: 0–61440. The values are in multiples of 4096.
Default: 32768
The maximum time, in seconds, the device waits for a BPDU packet before
it tries to re-configure.
Values: 6–40
Default: 20
Forward Delay
The time, in seconds, that the device waits before changing the state of
the port.
Values: 4–30
Default: 15
Port Priority
The port priority. When two (or more) ports have the same value, the
device uses the port with the lowest MAC address.
Values: 0–240
Default: 128
Note: Spanning Tree per VLAN is supported only when the VLANs do not share any physical
ports (each VLAN has its own physical ports).
Parameter
Description
VLAN ID
The VLAN to apply these settings to. Alternatively, you may apply the
settings to multiple VLANs.
Enable STP
Bridge Priority
Aging Time
The maximum time, in seconds, that the device waits for a BPDU packet
before it tries to re-configure.
Values: 6–40
Default: 20
The time, in seconds, the device waits before changing the state of the
port.
Values: 4–30
Default: 15
In the Configuration perspective Networking tab navigation pane, select STP > Ports.
2.
3.
Parameter
Description
Port ID
VLAN ID
Enable STP
Priority
The port priority. When two (or more) ports have the same value, the
device uses the port with the lowest MAC address.
Values: 0–240. The values are in multiples of 16.
Default: 128
Path Cost
The spanning tree path cost for this port. The values are defined according
to port speed, but you can also change the value.
Port speed versus path cost:
10 Mbps: 100
100 Mbps: 19
1 Gbps: 4
10 Gbps: 2
Values: 1–65,535
Specifies whether the port changes its status to the forwarding state.
Default: Disabled
To configure NHRs
1. In the Configuration perspective Networking tab navigation pane, select IP Routing > NHRs.
2. Do one of the following:
(Add) button.
Parameter
Description
NHR IP Address
Enabled
Physical Port
Health Check
Method
Method that the device uses to verify the NHR's health via the Path Health
Check IP, Ping or Disable.
Interval (sec.)
Number of Retries
Number of checks that the device should perform without reply before
it acknowledges that the router is offline.
(Add) button.
Parameter
Description
Health Check
VIP Address
Load Sharing
Enable/disable load sharing between primary and backup next hop routers,
based on relative weights.
Values:
Layer 3 Hashing: Traffic sent through both configured and backup NHR.
Load sharing is based on Layer 3 information (IP address).
Layer 4 Hashing: Traffic sent through both configured and backup NHR.
Load sharing is based on Layer 4 information (IP address and port).
Disabled: Traffic sent via configured NHR only.
Default: Disabled
No Route Action
Determines action if both primary and backup next hop routers are offline.
Values:
Discard: The packets are discarded.
Use Regular Routing: Packets are forwarded using Routing Table.
Main NHR
IP Address
Weight
The relative amount of total traffic forwarded to the primary router when
Load Sharing is enabled.
Backup NHR
IP Address
Weight
The relative amount of total traffic forwarded to the backup router when Load
Sharing is enabled.
To configure RIP
1. In the Configuration perspective Networking tab navigation pane, select IP Routing > RIP.
2. Enable RIP and configure routes distribution.
3. To add or edit RIP interfaces, do one of the following:
(Add) button.
Parameter
Description
Enable RIP
Select to enable RIP in the router. When disabled, the process is not
active on any interface.
Routes Redistribution
Redistribute Static Routes
When enabled, all static routes learned via static are advertised into
RIP.
When enabled, all routes learned via OSPF are advertised into RIP.
Advertisement Interval
Parameter
Description
IP Address
Enabled
Outgoing RIP
Incoming RIP
Default Metric
Parameter
Description
Virtual Distance
Virtual number of hops assigned to the interface. This enables fine-tuning of the RIP routing algorithm.
Auto Send
To configure OSPF
1. In the Configuration perspective Networking tab navigation pane, select IP Routing > OSPF.
2.
3.
To configure OSPF interfaces, select IP Routing > OSPF > OSPF Interfaces.
Parameter
Description
Enable OSPF
Select to enable OSPF in the router. When disabled, the process is not
active on any interface.
Router ID
Area ID
Route Redistribution
Redistribute RIP Routes
Parameter
Description
When enabled, all static routes learned via static are advertised into
RIP.
Redistribute External
Direct Routes
(Add) button.
Parameter
Description
Enabled
IP Address
Priority
Priority of the interface. Value 0 means that this router is not eligible to
become the designated router on the current network. If more than
one router has the same priority, then router ID is used.
Hello Interval
Number of seconds a router's Hello packets have not been seen before
the router's neighbors declare the router down. The Time Before Declare
Router Dead value must be a multiple of the Hello Interval. All routers
attached to a common network must have a Time Before Declare
Router Dead value.
Authentication Type
Authentication Key
Metric
The metric of using this type of service on this interface. The default
value of the TOS 0 Metric is 10.
To configure BGP
1. In the Configuration perspective Networking tab navigation pane, select IP Routing > BGP.
2.
3.
Parameter
Enable BGP
Description
Enables or disables BGP.
Default: Disabled
AppDirector AS
Parameter
Description
Enabled
Peer IP Address
Parameter
Description
Hold Time
Parameter
Description
Port
IP Address
MAC Address
Parameter
Description
Type
State
Configuring Ports
You can change the physical attributes of each port on the managed device, for example, speed
and duplex mode.
You can also configure port trunking to combine physical network links into a single logical link for
increased bandwidth.
To configure ports
1. In the Configuration perspective Networking tab navigation pane, select Port Configuration.
2.
3.
Parameter
Description
Port
Speed
Parameter
Description
Duplex Mode
Specifies whether the port allows both inbound and outbound traffic (Full
Duplex) or one way only (Half Duplex).
Note: According to standards, this parameter can be changed only for
copper ports with a speed lower than Gigabit Ethernet. After this
parameter is changed, auto-negotiation is disabled.
Auto Negotiation
Specifies whether the port automatically detects and configures the speed
and duplex mode for the interface.
Notes:
>> The same algorithm must be applied on the other switch in the trunk.
>> OnDemand Switch 1 and VL implement link aggregation via software and not at the
switch level (these platforms do not include a Layer 2 switch hardware component).
Therefore, on these platforms, you cannot define trunks as port mirroring participants.
Link aggregation is supported only on links using the IEEE 802.3 MAC.
Link aggregation is permitted only among links with the same speed and direction. On the
device bandwidth, increments are provided in units of 100Mbps and 1Gbps respectively.
The failure or replacement of a single link within a Link Aggregation Group will not cause failure
from the perspective of a MAC client.
MAC client traffic can be distributed across multiple links. To guarantee the correct ordering of
frames at the receiving-end station, all frames belonging to one conversation must be transmitted
through the same physical link. The algorithm for assigning frames to a conversation depends on the
application environment. Radware devices can define conversations on Layer 2, 3, or 4 information,
or on combined layers.
Using link aggregation, depending on the platform, you can define up to seven trunks. Up to eight
physical links can be aggregated into one trunk. AppDirector supports both static and dynamic
(LACP) trunks. In DefensePro, all trunk configurations are static. To provide optimal distribution for
Notes:
>> Only connected ports (Link Up) operating in Full Duplex mode can be attached to a
trunk.
>> You can define a management trunk (T-MNG) that includes only the management ports
(MNG-1 and MNG-2). The management ports cannot be a part of any other trunk. Using
the management trunk provides redundancy at the physical level for connectivity to the
management network. One link is active while the other is in backup mode. Failure of
the active link seamlessly activates the backup.
>> A port belonging to a trunk cannot be copied to another port (copy port).
>> In DefensePro, management ports that have preconfigured IP addresses cannot be
assigned to a trunk. Before attaching a physical port to a trunk, make sure that the port
is not used in any configuration (port mirroring, static forwarding).
>> In DefensePro, when a trunk is part of a protected segment definition, Port Operation in
the Port Pairs table must be set to Process mode for both directions of this segment.
>> In DefensePro, a trunk cannot be assigned an IP address for management.
>> In DefensePro, ports with internal bypass cannot be assigned to a trunk.
>> In DefensePro, it is not possible to set a port within a trunk as the Source or Destination
of SSL inspection.
You can also view the port-aggregation status of each physical port.
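The conversation-to-link assignment described above, as an added example that is not taken from the guide or from Radware code: it shows that every frame of a conversation stays on one link, and how the choice of Layer 2, 3, or 4 hash fields changes how many links carry traffic. The CRC32 hash, the field names, and the sample frames are assumptions made for illustration; the device's actual hash algorithm is not documented on this page.

```python
import zlib
from collections import Counter

MAX_LINKS_PER_TRUNK = 8  # from the guide: up to eight physical links per trunk

# Header fields that define a "conversation" at each layer (names are assumed).
FIELDS = {
    "L2": ("src_mac", "dst_mac"),
    "L3": ("src_ip", "dst_ip"),
    "L4": ("src_port", "dst_port"),
}


def conversation_key(frame, layers):
    """Concatenate the selected header fields into the hash input."""
    return "|".join(str(frame[f]) for layer in layers for f in FIELDS[layer]).encode()


def pick_link(frame, layers, n_links):
    """Map a frame to a link index. CRC32 is a stand-in hash (assumption)."""
    if not 1 <= n_links <= MAX_LINKS_PER_TRUNK:
        raise ValueError("a trunk aggregates 1 to 8 links")
    return zlib.crc32(conversation_key(frame, layers)) % n_links


def constructed_frames():
    """Constructed sample: 40 clients, 3 frames each, all crossing one router pair."""
    frames = []
    for client in range(1, 41):
        for seq in range(3):
            frames.append({
                "src_mac": "02:00:00:00:00:01",  # upstream router (same for all)
                "dst_mac": "02:00:00:00:00:02",  # the trunk's peer (same for all)
                "src_ip": f"198.51.100.{client}",
                "dst_ip": "192.0.2.10",
                "src_port": 40000 + client,
                "dst_port": 443,
                "seq": seq,
            })
    return frames


def links_used(frames, layers, n_links):
    """Count frames per link index for the chosen hash layers."""
    return Counter(pick_link(f, layers, n_links) for f in frames)


def conversations_pinned(frames, layers, n_links):
    """True if every frame of each 4-tuple conversation maps to a single link."""
    seen = {}
    for f in frames:
        conv = (f["src_ip"], f["dst_ip"], f["src_port"], f["dst_port"])
        link = pick_link(f, layers, n_links)
        if seen.setdefault(conv, link) != link:
            return False
    return True


if __name__ == "__main__":
    frames = constructed_frames()
    for layers in (("L2",), ("L3",), ("L3", "L4")):
        print(layers, dict(links_used(frames, layers, 4)),
              "ordered:", conversations_pinned(frames, layers, 4))
```

With only Layer 2 fields selected, traffic that arrives from a single upstream router hashes to one link regardless of how many links the trunk has, which is why the hash layers should match where the traffic actually varies.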
To configure link-distribution hash parameters and LACP parameters and view trunk
details
1. In the Configuration perspective Networking tab navigation pane, select Link Aggregation. To
change a port assignment, double-click the corresponding row.
2.
Parameter
Description
Link Distribution Hash
Layer 2 Parameters
Layer 3 Parameters
Layer 4 Parameters
LACP
System ID
System Priority
In the Configuration perspective Networking tab navigation pane, select Link Aggregation. To
change a port assignment, double-click the corresponding row.
Note: The Trunks table can display a column for each of the trunk parameters. However,
by default, the Trunks table displays only some of the parameters. To display or hide
columns, right-click in the table heading row and select or clear the check mark next
to the relevant parameters.
2.
3.
Note: When a port is added into a trunk, it receives the trunk operation status. When a port is
removed from a trunk, it maintains its operational status.
Parameter
Description
Trunk Name
LACP Mode
Available Ports
Lists the physical, device ports that you can select for the trunk.
Selected Ports
Trunk Status
(Read-only)
Values:
Individual: No port is attached to this trunk.
Aggregate: At least one port is attached to this trunk.
(Read-only)
Parameter
Description
LACP
Timeout
The time that the device waits between LACP control messages
(LACPDUs). If three times the selected timeout elapses without any
new control message, the link-state changes.
Values:
Fast: 1 second
Slow: 30 seconds
Default: Fast
Wait Time
The time to wait after link negotiation before starting to send control
messages.
Values: 1-10
Default: 3
Actor Priority
The priority assigned to this trunk by the Actor (that is, the system
sending the data unit, assigned by management or administration
policy), encoded as an unsigned integer.
Values: 0-65,535
Default: 32767
System ID
System Priority
(Read-only) The LACP System Priority together with the LACP System
ID uniquely identify the system.
Values: 1-256
Default: 256
Note: When a port is added into a trunk, it receives the trunk operation status. When a port is
removed from a trunk, it maintains its operational status.
Note: To select the columns that the Ports Aggregation Status table displays, right-click in
the table heading row and select or clear the check mark next to the relevant
parameters.
Parameter
Description
Port
Trunk Name
Operational Status
Values:
Default, Not-In-Bundle: The LACP control is off (manual
aggregation), and this port is not bundled in a trunk.
Default, Bundled: The LACP control is off (manual aggregation),
and this port is bundled in the specified trunk.
LACP Control, Not-In-Bundle: The LACP control is on, but this
port is not bundled in a trunk.
LACP Control, Bundled: The LACP control is off (manual
aggregation), and this port is bundled in the specified trunk.
Port Status
Values:
Individual: The port is not attached to any trunk.
Aggregate: The port is attached to a trunk.
Configuring Link Aggregation in AppDirector Versions Prior to 2.30 and DefensePro
In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Link Aggregation.
You can view the MAC address of each trunk and the ports bound to it in the Link Aggregation
Ports table.
2.
3.
Configure the port assignment; and then, click OK. When a port is added into a trunk, it receives
the trunk operation status. When a port is removed from a trunk, it maintains its operational
status. When a trunk operational status is set to down, a port removed from the trunk keeps its
down status.
Parameter
Description
Port
Parameter
Description
Trunk Name
Port Status
(Read-only)
Values:
Individual: The port is not attached to any trunk.
Aggregate: The port is attached to a trunk.
Parameter
Description
Layer 2 Hash
Layer 3 Hash
Layer 4 Hash
Notes:
>> Port mirroring is not supported on devices that run on the OnDemand Switch VL
platform, for example DefensePro x06 models.
>> Port mirroring requires that the input port be configured to Static-Forwarding Process
mode. When the input port is configured to Static-Forwarding Forward mode, traffic is
not mirrored.
>> In Static Forwarding mode, traffic with the same destination MAC address as the device
is not mirrored (rare).
(Add) button.
Parameter
Description
Input Interface
Output Port
Traffic to Mirror
Enable Promiscuous
Mode
Values:
Enabled: The device copies all traffic to the specified output port.
Disabled: The device copies only the traffic destined to the input.
Default: Enabled
(Add) button.
Parameter
Description
Input Interface
Output Port
Traffic to Mirror
Enable Promiscuous
Mode
Values:
Enabled: The device copies all traffic to the specified output port.
Disabled: The device copies only the traffic destined to the input.
Default: Enabled
Backup Port
Mode
Threshold
The number of threshold units (PPS/Kbps) that can pass through the
specified input port (Input Interface) before the mirroring process starts.
Note: The Threshold Units parameter and the Threshold Interval parameter are defined
globally for each device and not for each pair of ports.
Parameter
Description
How long, in seconds, mirroring continues after the traffic rate falls below
the specified threshold.
Default: 30
Click to set the device to record the traffic that exceeds the predefined limit
within a new Threshold Interval.
Proprietary ARP (available only in AppDirector versions prior to 2.30): Working with Address
Resolution Protocol enables monitoring of the other device in a pair and checking its availability.
Using Proprietary ARP redundancy, at the failover time, the IP addresses of the main device are
managed by the backup device and are associated with the backup device's MAC address.
Notes:
>> Before starting a redundancy configuration, the role of each AppDirector must be set via
the relevant CLI command. For more information, see the AppDirector CLI Reference
Guide.
>> When managing an AppDirector cluster with APSolute Vision, if both devices are
connected using SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.
Configure redundancy by performing the following tasks:
1. Configuring AppDirector Redundancy Global Settings
2. Configuring VRRP or Configuring Proprietary Redundancy (Proprietary
Redundancy is available only in AppDirector versions prior to 2.30)
3. Configuring Mirroring for Redundancy
In the Configuration perspective Networking tab navigation pane, select Redundancy > Global
Settings.
2.
Parameter
Description
IP Redundancy Admin
Status
Interface Grouping
Ensures that if one port fails, the others are also taken down. When it
is enabled, the backup device takes over only when all the interfaces
of the main device are down.
To configure interface grouping for specified ports only, enable this
option and configure selective interface grouping to define which
interfaces activate Interface Grouping when a port fails.
Specifies whether the device can send ARP requests while the
interface grouping is active.
Values: Send, Avoid
Default: Send
Parameter
Description
In networks with Layer 3 switches, the Fake ARP will confuse the
switch during the redundancy process. In this case, disable this
option.
Backup Interface Grouping
When enabled, the backup device takes over only when the IP
interfaces defined in its Redundancy Table fail. Respectively, it will
release those interfaces only when all the main device's interfaces are
up.
VRRP Advertise Interval
VRRP Automated
Configuration Updates
Parameter
Description
Failure Action
Notes:
>> When a grouped port that has an IP address assigned to it, but no VRID, is
disconnected, it does not initiate failover.
>> When a non-grouped port that has an IP address and a VRID assigned to it is
disconnected, it will still initiate a failover.
In the Configuration perspective Networking tab navigation pane, select Redundancy > Global
Settings > Selective Interface Grouping.
The table displays the list of interfaces for which virtual routers (VRs) are defined, and whether
each interface is grouped, meaning whether it initiates interface grouping if the management
port is down.
2.
To change the interface grouping setting for an interface, double-click the row.
3.
Parameter
Description
Port
Grouped
Configuring VRRP
The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in the
static default routed environment. VRRP specifies an election protocol that dynamically assigns
responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling
the IP addresses associated with a virtual router is called the Master, and forwards packets sent to
these IP addresses. The election process provides dynamic fail-over in the forwarding responsibility
should the Master become unavailable. Any of the virtual router's IP addresses on a LAN can then be
used as the default first-hop router by end-hosts.
To achieve redundancy between pairs of devices, Radware recommends using VRRP. VRRP enables
you to maintain dynamic redundancy using a logical entity called virtual router (VRRP was initially
developed to provide high availability for routers).
A virtual router (VR) has a Virtual Router Identifier (VRID) with one or more associated IP
addresses. Each VR has a VRMAC, which is a MAC address associated with the VR. This saves the
need for a MAC address update in case of a failover. The VRMAC address is determined by the VRID
and does not need to be configured manually.
The same VR needs to be configured on multiple devices to achieve redundancy between them for
the VR. Each device has a priority for a VR, and the main device for the VR is the device with the
highest priority. Using VRRP, the main device constantly sends advertisements to other VRRP
devices to indicate that it is online. When the advertisements stop, the main device is assumed to be
inactive. A new main device is then selected for this VR; that is, the device with the next highest
priority for that VR. However, this protocol can be supported by a wide range of devices that are not
routers. As it is not a routing protocol, it does not advertise IP routes or affect the routing table in
any way. With VRRP, IP Addresses are associated with the Virtual MAC Addresses that are owned by
the main device, and are taken over by the backup device at failover time.
With VRRP, redundant AppDirector devices can synchronize their configurations. For more
information, see Online Configuration Synchronization.
All Down: Sets the status of all VRs to Down, which shuts down the main device.
All Up: Sets the status of all VRs to Up, so that the main AppDirector device is immediately
activated and takes control from the backup device.
Default: No Change
Note: The VRRP Admin Status parameter is available only in AppDirector 2.14.03 and later.
(Add) button.
4.
5.
To configure associated IP addresses, in the navigation pane, select Redundancy > VRRP >
Associated IPs.
For more information, see Configuring Associated IPs for VRRP.
Parameter
Description
IP Version
VR ID
Port
Admin Status
Priority
You must assign the highest priority (255) to the VR that is associated with
the physical IP address of the device.
Values: 1-255
Default: 100
Notes:
>> When two devices are configured with VRRP and the master device
has a priority of 255 set for its virtual routers, shutting down all
virtual routers causes the backup state to move to master but
causes the client connections to cease. This is because when Virtual
Routers go down, the port does not go down. The port will continue
functioning, and as soon as the virtual router goes down, the port
will broadcast its MAC as the owner of the device interface IP. It will
continue sending health checks with source IP and interface IP and
ARPs for IPs on the directly connected networks.
>> These ARPs will poison the ARP cache of all machines on this
network, and they will record the interface MAC of the main box as
the holder of the interface IP that the backup device tried to take
over via VRRP.
>> Therefore, all traffic sent to the main device interface IP as a
gateway (reply traffic from the servers) reaches the main device
and is routed straight to the default gateway of the device. This is
not where this traffic should be heading because traffic sent to a
VIP which was taken over by the backup device (the main device
will not fix the IP headers) will route the packet as it stands which
will break the session.
>> When you do not use VR priority of 255 on the main device, you
cannot place its interface IP in the associated IP table. This means
that the default gateway will be a different IP which has no
problems being poisoned but with the interface activities of the
main device.
Parameter
Description
Primary IP
This is used internally only, as the source IP of VRRP messages sent by the
device. It is recommended to use virtual IP interfaces. For more information
about using virtual IP interfaces for VRRP, see the AppDirector User Guide.
It is recommended to leave the default, which is the IP interface defined on
this port.
Advertise Interval
The interval, in centiseconds, at which advertisements are sent for this VR.
This setting overrides the default global parameter.
Default: 100
Preempt Mode
When a device with a certain priority fails, the device with the next highest
priority takes control of the VR. Preemption Mode defines takeover
procedure for the VR when the device with the higher priority resumes
functioning.
Values:
Enabled: The higher priority device takes over the VR.
Disabled: The device with lower priority maintains control of the VR.
This is only applicable when two or more devices share a VR.
Notes:
>> All defined VRs must have the same Preemption Mode setting
except for the router owning the IP address associated with the VR.
>> The router owning the IP address associated with the VR always
preempts independently of Preemption Mode setting.
Preferred State
The preferred state of the virtual router. This field affects the configuration
of the parallel VRRP entry on the peer device.
Values:
Backup: The peer's VRRP entry should have a higher priority.
Master: The peer's VRRP entry should have a lower priority.
Default: Master
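The election and Preempt Mode behaviour described in this section, as an added example that is not code from the guide or from the product: it replays a main-fails / main-returns sequence and audits a VR pair against the priority-255 and Preempt Mode rules in the notes above. The `VrEntry` fields, the helper names, and all addresses are constructed for illustration, and the VRMAC layout is taken from RFC 5798 rather than from this page.

```python
from dataclasses import dataclass

OWNER_PRIORITY = 255  # guide: priority for the VR tied to the device's physical IP


def vrmac(vrid):
    """IPv4 VRMAC for a VRID. The 00-00-5E-00-01-{VRID} layout comes from
    RFC 5798; the guide only states that the VRID determines the VRMAC."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"00-00-5E-00-01-{vrid:02X}"


@dataclass
class VrEntry:  # hypothetical record of one device's entry for a VR
    device: str
    vrid: int
    priority: int
    interface_ip: str
    associated_ips: tuple
    preempt: bool = True
    online: bool = True


def elect(entries, current=None):
    """Return the entry that holds the VR next, given the current holder."""
    alive = [e for e in entries if e.online]
    if not alive:
        return None
    best = max(alive, key=lambda e: e.priority)  # ties: first listed (assumption)
    if current is None or not current.online:
        return best  # advertisements stopped: next highest priority takes over
    # A running holder is displaced only when the higher-priority device has
    # preemption enabled, or owns the address (255 always preempts).
    if best.priority > current.priority and (
            best.preempt or best.priority == OWNER_PRIORITY):
        return best
    return current


def failover_timeline(preempt, main_priority=200):
    """Holder of the VR after: start, main fails, main returns."""
    main = VrEntry("main", 10, main_priority, "192.0.2.2", ("192.0.2.1",), preempt)
    backup = VrEntry("backup", 10, 100, "192.0.2.3", ("192.0.2.1",), preempt)
    pair, holders, holder = [main, backup], [], None
    for main_online in (True, False, True):
        main.online = main_online
        holder = elect(pair, holder)
        holders.append(holder.device)
    return holders


def audit(entries):
    """Check one VR's entries on all devices against the rules in the guide."""
    findings = []
    if len({e.vrid for e in entries}) != 1:
        findings.append("VRID differs between devices")
    for e in entries:
        if not 1 <= e.priority <= 255:
            findings.append(f"{e.device}: priority outside 1-255")
        if e.interface_ip in e.associated_ips and e.priority != OWNER_PRIORITY:
            findings.append(f"{e.device}: interface IP is an associated IP "
                            "but priority is not 255")
    # Preempt Mode must match on every device except the address owner.
    if len({e.preempt for e in entries if e.priority != OWNER_PRIORITY}) > 1:
        findings.append("Preempt Mode differs between non-owner devices")
    return findings


if __name__ == "__main__":
    print("VRMAC for VRID 10:", vrmac(10))
    print("preempt enabled: ", failover_timeline(True))
    print("preempt disabled:", failover_timeline(False))
    print("owner (255), preempt disabled:", failover_timeline(False, 255))
```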
Parameter
Description
Port
VR ID
Enabled
Parameter
Description
Priority
You must assign the highest priority (255) to the VR that is associated with
the device's physical IP address (that is, the IP address that the device
owns).
Values: 1-255
Default: 100
Notes:
>> When two devices are configured with VRRP and the master device
has a priority of 255 set for its virtual routers, shutting down all
virtual routers causes the backup state to move to master but
causes the client connections to cease. This is because when
Virtual Routers go down, the port does not go down. The port will
continue functioning, and as soon as the virtual router goes down,
the port will broadcast its MAC as the owner of the device interface
IP. It will continue sending health checks with source IP and
interface IP and ARPs for IPs on the directly connected networks.
>> These ARPs will poison the ARP cache of all machines on this
network, and they will record the interface MAC of the main box as
the holder of the interface IP that the backup device tried to take
over via VRRP.
>> Therefore, all traffic sent to the main device interface IP as a
gateway (reply traffic from the servers) reaches the main device
and is routed straight to the default gateway of the device. This is
not where this traffic should be heading because traffic sent to a
VIP which was taken over by the backup device (the main device
will not fix the IP headers) will route the packet as it stands which
will break the session.
>> When you do not use VR priority of 255 on the main device, you
cannot place its interface IP in the associated IP table. This means
that the default gateway will be a different IP which has no
problems being poisoned but with the interface activities of the
main device.
Primary IP
This is used internally only, as the source IP of VRRP messages sent by the
device. It is recommended to use virtual IP interfaces. For more
information about using virtual IP interfaces for VRRP, see the AppDirector
User Guide.
It is recommended to leave the default, which is the IP interface defined
on this port.
Authentication Type
Authentication Key
Parameter
Description
Enable Preemption
Mode
When a device with a certain priority fails, the device with the next highest
priority takes control of the VR. Preemption Mode defines takeover
procedure for the VR when the device with the higher priority resumes
functioning.
Values:
Enabled: The higher priority device takes over the VR.
Disabled: The device with lower priority maintains control of the VR.
This is only applicable when two or more devices share a VR.
Notes:
>> All defined VRs must have the same Preemption Mode setting
except for the router owning the IP address associated with the
VR.
>> The router owning the IP address associated with the VR always
preempts independently of Preemption Mode setting.
Advertise Interval
The interval, in seconds, at which advertisements are sent for this VR. This
setting overrides the default global parameter.
Default: 1
(Add) button.
Parameter
Description
VR ID
Associated IP Address
Note: A fully redundant network environment affects only the required inter-AppDirector
connectivity and Layer 2 configuration. All other redundancy configuration parameters
are affected by the factors mentioned above.
These guidelines are for redundancy configurations using VRRP for the following scenarios:
Parameters
Global Parameters
Main
Backup
IP Redundancy Admin
Status
VRRP
Same as main
Interface Grouping
Enable
Same as main
Backup Interface
Grouping
Enable
Same as main
Same as main
Same as main
N/R - use default
Parameters
VRID Internet Side
VRID
Main
Backup
Same as main
If Index
Same as main
Primary IP
100.1.1.10
Same as main
Priority
200
100
Preempt Mode
Same as main
Associated IPs
100.1.1.100,
Same as main
100.1.1.10
Outbound NAT
addresses, if relevant
VRID Server Side
VRID
Same as main
Port
Same as main
Primary IP
20.1.1.10
Same as main
Priority
200
100
Preempt Mode
Same as main
Associated IPs
20.1.1.10
Same as main
Mirroring Status
Disabled (if
preemption is
enabled)
Enabled
Enabled (if
preemption is
disabled)
Mirror Device IP
1.1.1.12
Default
Mirrored Tables
Client Table
Same as main
Session ID Table
Proximity and DNS
Persistency for
geographically
distributed solution
Note: Using the Active-Active setup, each server can provide service to Virtual IPs that are
active on one device. A server cannot provide service to multiple Virtual IPs where one
Virtual IP is active on one device, while another Virtual IP is active on another device.
Parameters
Global Parameters
AppDirector 1
AppDirector 2
IP Redundancy Admin
Status
VRRP
Same as AppDirector 1
Interface Grouping
Enable
Same as AppDirector 1
Backup Interface
Grouping
Enable
Same as AppDirector 1
Same as main
N/R - use default
Same as main
VRID
Same as AppDirector 1
Port
G1
Same as AppDirector 1
Primary IP
100.1.1.10
Same as AppDirector 1
Priority
200
100
Preempt Mode
Same as AppDirector 1
Associated IPs
100.1.1.100,
Same as AppDirector 1
100.1.1.10
Outbound NAT
addresses (if relevant)
VRID Internet Side
for VIP active in
AppDirector 2
VRID
Same as AppDirector 1
Port
G1
Same as AppDirector 1
Primary IP
200.1.1.10
Same as AppDirector 1
Priority
100
200
Preempt Mode
Same as AppDirector 1
Associated IPs
200.1.1.100,
Same as AppDirector 1
200.1.1.10
Outbound NAT
addresses (if relevant)
VRID Server Side for
VIP active in
AppDirector 1
VRID
Same as AppDirector 1
Port
Same as AppDirector 1
Primary IP
20.1.1.10
Same as AppDirector 1
Priority
200
100
Preempt Mode
Same as AppDirector 1
Associated IPs
20.1.1.10
Same as AppDirector 1
Parameters
VRID Server Side for
VIP active in
AppDirector 2
AppDirector 1
AppDirector 2
VRID
Same as AppDirector 1
Port
Same as AppDirector 1
Primary IP
30.1.1.10
Same as AppDirector 1
Priority
100
200
Preempt Mode
Same as AppDirector 1
Associated IPs
30.1.1.10
Same as AppDirector 1
Mirroring Status
Disabled (if
preemption is
enabled).
Enabled
Enabled (if
preemption is
disabled).
Mirror Device IP
1.1.1.12
Default
Mirrored Tables
Client Table
Same as AppDirector 1
Session ID Table
Proximity and DNS
Persistency for
geographically
distributed solution
VRID
Main
Backup
IP Redundancy Admin
Status
VRRP
Same as main
Interface Grouping
Enable
Same as main
Backup Interface
Grouping
Enable
Same as main
Backup in VLAN
Enable
Same as main
Enable
Same as main
VRID
Same as main
Port
100001
Same as main
Primary IP
100.1.1.10
Same as main
Priority
200
100
Preempt Mode
Same as main
Associated IPs
100.1.1.100,
Same as main
100.1.1.10
Parameters
Mirroring
Mirroring Status
Main
Backup
Disabled (if
preemption is
enabled).
Enabled
Enabled (if
preemption is
disabled).
Mirror Device IP
1.1.1.12
Default
Mirrored Tables
Client Table
Same as main
Session ID Table
Note: To allow the backup device to poll the main device, it must be aware of the main device
IP interfaces that its IP interfaces are backing up.
In the Configuration perspective Networking tab navigation pane, select Redundancy >
Proprietary.
2.
(Add) button.
Parameter
Description
Interface IP Address
Poll Interval
Time Out
Provide a direct connection between the two devices. It is recommended to use a trunk (link
aggregation).
Configure an IP interface on each device for the direct connection port and address used as the
Mirroring Device Address for the other device.
Exclude the physical port used for inter-device communication from Interface grouping.
Mirroring can handle long and short sessions and support HTTP traffic.
The following can be mirrored:
Session ID Table
Notes:
>> Mirroring is not supported when delayed binding is used with Layer 7 Persistent
Switching Mode and configured to either overwrite or maintain.
>> Mirroring is supported for the Layer 7 Persistent Switching Mode named First.
>> When setting up Mirroring, Radware recommends using the same AppDirector software
version for the main and backup devices.
>> Setting up Mirroring affects the general device performance.
>> Radware recommends that mirroring is used for Stateful Failover with the VRRP
redundancy mechanism.
In the Configuration perspective Networking tab navigation pane, select Redundancy >
Mirroring.
2.
Parameter
Description
Main Device Mirroring Parameters
Dynamic DNS Persistency Table Mirroring
Enables Dynamic DNS Persistency Table Mirroring (AppDirector Global Only).
Default: Disabled
Client Table Mirroring
Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.
Device Name
OSPF Router ID
Online Configuration Synchronization does not synchronize the following actions, and you can
perform them on both master and slave devices even when Online Configuration Synchronization is
enabled:
Reset statistics
Troubleshooting operations (for example, filter Client table view, configure diagnostics, and
retrieve a support file)
The master device and the slave device use the same hardware platform and have the same
memory size.
The master device and the slave device have the same licensed features.
Note: License upgrade must be done manually on both the master and slave device, since
each license is associated with a specific machine.
The master device and the slave device have the same software version.
Note: Any software upgrade must be performed manually on each device. During the
software upgrade, Online Configuration Synchronization must be disabled.
Parallel ports connected to the same subnets and the same IP addresses match crosswise.
There is at least one matching IP interface (with the same subnet and same interface) on the
master and slave devices.
Example
Master - IP: 1.1.1.1, Subnet mask: 255.0.0.0, Port: G-1, Peer Address: 1.1.1.2
Slave - IP: 1.1.1.2, Subnet mask: 255.0.0.0, Port: G-1, Peer Address: 1.1.1.1
In addition, you must ensure that parallel ports connected to the same subnets and the same IP
addresses match crosswise.
Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.
>> For each IP interface configured on the master device, a Peer IP address must be
configured. This IP address is used as the IP interface on the slave device.
>> You can monitor synchronization state on the master device. The state should show InSync. For more information, see the APSolute Vision online help.
>> If a configuration change requires a reboot, the change will take effect on the slave
device only after you reboot the master device. (The master device automatically
reboots the slave device.)
Parameter
Description
Device Role
Synchronization Session
Password
Connection Preference
Parameter
Description
Reconnect Slave
(This option button is available
only in AppDirector 2.14.03.)
The interval, in seconds, at which the device attempts to reestablish a connection with a slave device that is not responding.
Values: 1-600
Default: 15
Parameter
Description
The time, in seconds, after the slave device does not receive any
message from the master device that the slave considers the
master device to be disconnected.
Values: 5-600
Default: 180
Parameter
Description
Device Role
Synchronization Session
Password
Parameter
Description
Specifies whether the master device its peer only via the
management IP interface or via any device interface.
Default: Enabled
The interval, in seconds, at which the device attempts to reestablish a connection with a slave device that is not responding.
Values: 1–600
Default: 15
The time, in seconds, after the slave device does not receive any
message from the master device that the slave considers the
master device to be disconnected.
Values: 5–600
Default: 180
Note: AppDirector devices support up to 64 regular or switched VLANs and up to 2048 VLAN
IDs.
To configure a VLAN
1.
2.
(Add) button.
3.
4.
To add ports to the VLAN, in the navigation pane, select VLANs > VLAN Ports.
For more information, see Configuring AppDirector VLAN Ports, page 216.
Parameter
Description
VLAN ID
Protocol
Required VLAN protocol. You can choose IP or Switch VLAN only when the
VLAN type is Switch. Otherwise, the protocol is IP or Other.
Default: Other
Type
Up Criterion
Down Criterion
IP Protocol: The VLAN must be assigned an IP address. All the traffic between ports is
intercepted transparently by AppDirector. Packets that need intelligent intervention are checked
and modified by AppDirector and then forwarded to the relevant port. Other packets are simply
bridged by AppDirector as if they were on the same wire.
Other Protocol: An Other Protocol VLAN cannot be assigned an IP address. This type of VLAN
is used to bridge non-IP traffic through AppDirector. To handle both packets that need intelligent
intervention and non-IP traffic, you can configure IP VLAN and Other VLAN on the same ports.
Switch VLAN
Switch VLAN is not available in OnDemand Switch 1 or OnDemand Switch VL.
Switch VLAN provides wire-speed VLAN capabilities implemented through the hardware switch fabric
of the AppDirector device.
Switch VLAN Protocol: Frames arriving at the VLAN port are switched according to Layer 2
information. AppDirector does not intercept this traffic.
IP Protocol: Frames reaching the VLAN port are switched according to Layer 2 information,
except those whose Layer 2 address is the same as the AppDirector port Layer 2 address.
Frames with AppDirector Layer 2 destination are processed by AppDirector and then forwarded.
In the Configuration perspective Networking tab navigation pane, select VLANs > VLAN Port
Table.
2.
3.
4.
(Add) button.
Parameter
Description
Select VLAN
Port
The Layer 2 interface that you want to attach to the VLAN. The interface
can be a port index, trunk index, or Switch VLAN.
Include in Interface
Grouping
In the Configuration perspective Networking tab navigation pane, select VLANs > VLAN
Advanced Parameters.
2.
Parameter
Description
VLAN Ether_Type
Enable 802.1q
Notes:
>> You can also assign a backup gateway to each segment, similar to the way Next Hop
Routers can be associated with Virtual IPs.
>> AppDirector default gateway can only belong to the default segment.
For more information about segmentation configurations, see the AppDirector User Guide.
For information about configuring segmentation in AppDirector 2.11.x, see Segmentation in
AppDirector 2.11, page 220.
Before you configure a Server Cracking profile, ensure that you have configured the NHRs to use for
segmentation. For more information, see Configuring NHRs in AppDirector, page 172.
To configure segmentation
1.
2.
3.
(Add) button.
4.
5.
To associate an NHR to each segment, in the navigation pane, select Segmentation >
Segment NHR.
For more information, see Associating NHRs to Segments, page 221.
Parameter
Description
Segmentation Mode
Default Segment
Forwarding Mode
Physical ports, VLANs, Trunks, and 802.1q VLAN tags that are not part of
any segment are considered to be members of a default segment. The
default segment is a grouping of all the ports, VLANs, trunks and 802.1q
VLAN tags that do not belong to any segment.
Configure the behavior of traffic from a port or tag that is not a member of
any segment and is destined to a port or tag that is a segment member.
Values:
Forward: Forwards traffic to destination (not via Firewall) as if
Segmentation is disabled.
Discard: Discards the traffic.
Default Gateway: Forwards the traffic to the AppDirector default
gateway with Segmentation if necessary.
Default: Default Gateway
Segmentation Shared
Ports
Default Segment
Shared VIP
Parameter
Description
Segment Name
Available Ports
The list of Fast Ethernet ports, Gigabit Ethernet ports or Trunk Ports
that can be associated with the segment.
To associate a port, select the port and click
Selected Ports
The list of Ethernet ports, Gigabit Ethernet ports or Trunk Ports that
are associated with the segment.
To remove a port association, select the port and click
The list of VLAN tags to be associated with the segment. Use commas
(,) to separate VLAN tag entries.
Special Segmentation Flag
When enabled, VIPs belonging to this segment can receive traffic from
any other segment directly (without passing via firewall).
Back-end Segmentation
(This parameter is available only in AppDirector 2.14.03 and later.)
The behavior when the Layer 4 policy (VIP) and the server that
provides the service to the VIP belong to different segments. Back-end
Segmentation is an override that should be used when the server is
not within the same segment that is associated with the Layer 4 policy
and the client sends traffic to the VIP (for load balancing).
Values:
Enabled: The device performs segmentation (forwards traffic to
Layer 4 policy segment NHR).
Disabled: The device forwards traffic directly to server.
Default: Enabled
A configuration where farms associated with the same Layer 4 Policy VIP are associated with
different segments is not supported; therefore, ensure that such configuration conflicts are
avoided. Similarly, configurations where servers and the Virtual IP do not belong to the same
segment are not supported.
To configure segmentation
1.
2.
3.
(Add) button.
4.
5.
To associate an NHR to each segment, in the navigation pane, select Segmentation >
Segment NHR.
For more information, see Associating NHRs to Segments, page 221.
Parameter
Description
Segmentation Mode
Default Segment
Forwarding Mode
Physical ports, VLANs, Trunks, and 802.1q VLAN tags that are not part of
any segment are considered to be members of a default segment. The
default segment is a grouping of all the ports, VLANs, Trunks and 802.1q
VLAN tags that do not belong to any segment.
Configure the behavior of traffic from a port or tag that is not a member of
any segment and is destined to a port or tag that is a segment member.
Values:
Forward (Handling without Segmentation): Forwards traffic to
destination (not via Firewall) as if Segmentation is disabled.
Discard: Discards the traffic.
Default Gateway (Handling with Segmentation if necessary):
Forwards the traffic to the AppDirector Default gateway with
Segmentation if necessary.
Default: Default Gateway
Parameter
Description
Segment Name
Available Ports
The list of Fast Ethernet ports, Gigabit Ethernet ports or Trunk Ports that
can be associated with the segment.
To associate a port, select the port and click
Selected Ports
The list of Ethernet ports, Gigabit Ethernet ports or Trunk Ports that are
associated with the segment.
To remove a port association, select the port and click
VLAN Tag
In the Configuration perspective Networking tab navigation pane, select Redundancy >
Segmentation > Segment NHR.
2.
3.
(Add) button.
Parameter
Description
Segment Name
The name of the segment for association of NHR. Select from the list.
Main NHR
IPv4 Address
IPv6 IP Address
Weight
Backup NHR
IPv4 IP Address
IPv6 IP Address
Weight
No Route Action
Configures AppDirector behavior when both the main and backup NHRs
are down.
Values:
Discard: Discards the traffic.
Use Regular Routing: Sends traffic according to the regular route.
When selected, outgoing traffic is sent through both NHRs at the same
time.
Parameter
Description
Segment Name
The name of the segment for association of NHR. Select from the list.
Main NHR
IP Address
Weight
Backup NHR
IP Address
Weight
No Route Action
Configures AppDirector behavior when both the main and backup NHRs
are down.
Values:
Discard: Discards the traffic.
Use Regular Routing: Sends traffic according to the regular route.
When selected, outgoing traffic is sent through both NHRs at the same
time.
Parameter
Description
Duplicate IPv6 Address Detection
Duplicate Address Detection (DAD) is the process by which a node determines that an IPv6 address
considered for use is not already in use by a neighboring node. (This is equivalent to the use of
gratuitous ARP frames in IPv4.) The DAD process consists of sending a neighbor discovery message
whenever the device is assigned a new IP address, asking for a neighbor with the same address.
The device performs the DAD procedure for each newly configured IPv6 address: IP interface, VIP,
VIPIm, and client NAT addresses belonging to a subnet configured on the device (matching IP
interface). DAD is not performed for VIP, VIPIs, and client NAT addresses that do not have a
matching IP interface (that is, orphan addresses).
DAD is also performed for each configured IP address (IP interfaces, non-orphan VIPs, VIPIs, and
client NAT addresses) on device startup.
Retransmits Number
Enables the DAD process and determines the number of times that the
DAD Neighbor discovery message is transmitted, where value of zero
means DAD is disabled.
Parameter
Description
IPv6 Router Advertisement
With IPv6, routers can be dynamically discovered and adopted as default gateways by the host
nodes on the same local link, rather than having to statically configure the default gateway and
change it on every network restructure. This process also allows the node to automatically assign
its own global unicast IP address, by having the router publish a prefix for the subnet to be
attached to the host's link-local address. This is called stateless auto-configuration and comes as an
alternative to DHCP, which is stateful, because it has to keep record of the assigned IP address.
Nevertheless, DNS server addresses must still be obtained from DHCP servers, but this does not
incur state maintenance.
The managed device can periodically send Router Advertisements (RAs) on each IP interface
according to a random interval, between specified minimum and maximum times. The managed
device also sends these messages in response to Router Solicitation messages.
To edit the IPv6 router advertisement, right-click the relevant row in the table, and select Edit
IPv6 Router Advertisement Entry.
Interface Index
Send Router
Advertisements (RA)
Max RA Interval
Min RA Interval
MTU
The Maximum Transmission Unit value the managed device puts in the
router advertisement message.
Values:
0: Specifies that no MTU options are put in the message.
1280–65,536
Default: 0
Managed Address
Configuration
Other Stateful
Configuration
Reachable Time
The Reachable Time value, in milliseconds, that the managed device puts
in the router advertisement message. This value is for the use of the
nodes that receive it. The Reachable Time specifies the time, in
milliseconds, that a neighbor node on the network link is considered
reachable since the last reachability confirmation.
Values:
0: The Reachable Time is not specified in the router advertisement
message.
1–3600000
Default: 0
Retransmit Time
The Retransmit Time value, in milliseconds, that the managed device puts
in the router advertisement message. This value is for the use of the
nodes that receive it.
Values:
0: The Retransmit Time is not specified in the router advertisement
message.
1232
Default: 0
The Current Hop Limit value that the managed device puts in the router
advertisement message. This value is for the use of the nodes that receive
it.
Values:
0: The Current Hop Limit is not specified in the router advertisement
message.
1–255
Default: 64
Default Router Lifetime
The Router Lifetime value, in seconds, that the managed device puts in
the router advertisement message. This value is for the use of the nodes
that receive it. The Router Lifetime specifies the time, in seconds, this
device should be used as a default router. Note that this is an expiration
interval only for the status of the device as a default router, not for other
information in the Router Advertisement message.
Values:
0: Specifies that this device should not be used as a default router.
4–9000
Default: 1800
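The parameters in this table map onto the fixed part of the ICMPv6 Router Advertisement and its MTU option as defined in RFC 4861. The following added example (not Radware code) decodes an RA seen on a link and compares it with the values you expect the managed device to send; the function names, dictionary keys, and sample bytes are assumptions constructed for this sketch.

```python
import struct

ICMPV6_RA = 134      # Router Advertisement message type (RFC 4861)
OPT_MTU = 5          # MTU option type (RFC 4861)
FIXED = "!BBHBBHII"  # type, code, checksum, hop limit, flags, lifetime, reachable, retrans


def build_ra(hop_limit=64, managed=False, other=False, lifetime=1800,
             reachable_ms=0, retrans_ms=0, mtu=0):
    """Constructed test input: RA bytes with the checksum left at zero."""
    flags = (0x80 if managed else 0) | (0x40 if other else 0)
    msg = struct.pack(FIXED, ICMPV6_RA, 0, 0, hop_limit, flags,
                      lifetime, reachable_ms, retrans_ms)
    if mtu:  # MTU 0 in the table means that no MTU option is put in the message
        msg += struct.pack("!BBHI", OPT_MTU, 1, 0, mtu)
    return msg


def parse_ra(msg):
    """Decode the RA fields that correspond to the parameters in the table."""
    if len(msg) < 16:
        raise ValueError("truncated Router Advertisement")
    typ, code, _csum, hop, flags, lifetime, reachable, retrans = struct.unpack(FIXED, msg[:16])
    if typ != ICMPV6_RA or code != 0:
        raise ValueError("not a Router Advertisement")
    ra = {"hop_limit": hop, "managed": bool(flags & 0x80), "other": bool(flags & 0x40),
          "lifetime": lifetime, "reachable_ms": reachable, "retrans_ms": retrans, "mtu": 0}
    offset = 16
    while offset < len(msg):
        if offset + 2 > len(msg):
            raise ValueError("truncated option header")
        opt_type, opt_len = msg[offset], msg[offset + 1]
        end = offset + opt_len * 8          # option length is in units of 8 bytes
        if opt_len == 0 or end > len(msg):
            raise ValueError("malformed option length")
        if opt_type == OPT_MTU:
            if opt_len != 1:
                raise ValueError("MTU option must be 8 bytes long")
            ra["mtu"] = struct.unpack("!I", msg[offset + 4:offset + 8])[0]
        offset = end                        # other option types are skipped
    return ra


def describe(ra):
    """What a receiving node takes from the RA; None means the value is unspecified (0)."""
    def unspecified(value):
        return None if value == 0 else value
    return {"default_router": ra["lifetime"] > 0,   # lifetime 0: not a default router
            "hop_limit": unspecified(ra["hop_limit"]),
            "reachable_ms": unspecified(ra["reachable_ms"]),
            "retrans_ms": unspecified(ra["retrans_ms"]),
            "mtu": unspecified(ra["mtu"])}


def audit(ra, expected):
    """Return the names of the fields that differ from the configured values."""
    return sorted(name for name in expected if ra.get(name) != expected[name])
```

An RA whose `audit` result is not empty was either sent by a device with a different configuration or by a router you did not configure.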
Specify whether jumbo frames bypass the device or are discarded (available only on platforms
with the DoS Mitigation Engine (DME))
Specify whether to inspect jumbo frames or discard them (available only in DefensePro 6.05
and later)
Specifies whether the device passes through all traffic that matches no network policy
configured on the device
In DefensePro versions prior to 5.12, use the Basic pane to configure the following:
Enable/disable tunneling
Enable/disable MPLS-RD
Caution: When you enable tunneling, you must reboot the device before you can configure
MPLS RD groups.
Caution: Changing the configuration of this feature takes effect only after a device reset.
Blocking attacks
Security reporting
IP Fragmentation
This section is relevant only for DefensePro 5.12 and later.
When the length of the IP packet is too long to be transmitted, the originator of the packet, or one of
the routers transmitting the packet, must fragment the packet to multiple shorter packets.
Using IP fragmentation, the managed device can classify the Layer 4 information of IP fragments.
The device identifies all the fragments that belong to the same datagram, then classifies and forwards them
accordingly. The device does not reassemble the original IP packet, but forwards the fragmented
datagrams to their destination, even if the datagrams arrive at the device out of order.
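The following added sketch (not DefensePro code) shows how fragments can be classified by Layer 4 information without reassembly: the first fragment supplies the ports, and fragments that arrive before it are held and then released unchanged. The queue limit and aging behavior, all names, and the sample packets are assumptions made for the example.

```python
import struct
from collections import namedtuple

Fragment = namedtuple("Fragment", "key offset more payload")


def parse_ipv4(packet):
    """Pull the fields needed for fragment tracking out of a raw IPv4 packet."""
    if len(packet) < 20:
        raise ValueError("truncated IPv4 header")
    (ver_ihl, _tos, total_len, ident, flags_off,
     _ttl, proto, _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len < ihl or len(packet) < total_len:
        raise ValueError("malformed IPv4 header")
    return Fragment(key=(src, dst, proto, ident),        # identifies one datagram
                    offset=(flags_off & 0x1FFF) * 8,     # fragment offset in bytes
                    more=bool(flags_off & 0x2000),       # More Fragments flag
                    payload=packet[ihl:total_len])


def l4_info(frag):
    """Layer 4 tuple from a first fragment: (protocol, source port, destination port)."""
    proto = frag.key[2]
    if proto not in (6, 17):                 # only TCP and UDP carry ports
        return (proto, None, None)
    if len(frag.payload) < 4:
        raise ValueError("first fragment too short to carry Layer 4 ports")
    sport, dport = struct.unpack("!HH", frag.payload[:4])
    return (proto, sport, dport)


class FragmentClassifier:
    """Tracks datagrams by (source, destination, protocol, IP ID); never reassembles."""

    def __init__(self, queue_limit=8, aging_time=1.0):
        self.queue_limit = queue_limit       # assumed: held fragments per datagram
        self.aging_time = aging_time         # assumed: seconds of inactivity before expiry
        self.datagrams = {}

    def handle(self, packet, now):
        """Return the (l4_info, fragment) pairs that can be forwarded after this packet."""
        self.datagrams = {k: s for k, s in self.datagrams.items()
                          if now - s["seen"] <= self.aging_time}
        frag = parse_ipv4(packet)
        if frag.offset == 0 and not frag.more:
            return [(l4_info(frag), frag)]   # not fragmented at all
        state = self.datagrams.setdefault(frag.key, {"l4": None, "queue": [], "seen": now})
        state["seen"] = now
        if frag.offset == 0:                 # first fragment: classify, release held ones
            state["l4"] = l4_info(frag)
            ready, state["queue"] = [frag] + state["queue"], []
            return [(state["l4"], f) for f in ready]
        if state["l4"] is not None:          # datagram already classified
            return [(state["l4"], frag)]
        if len(state["queue"]) < self.queue_limit:
            state["queue"].append(frag)      # hold until the first fragment arrives
        return []                            # held, or dropped because the queue is full


def make_fragment(ident, offset, more, payload, proto=17,
                  src=bytes([192, 0, 2, 1]), dst=bytes([192, 0, 2, 2])):
    """Constructed test input: an IPv4 packet with the header checksum left at zero."""
    flags_off = (0x2000 if more else 0) | (offset // 8)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident,
                         flags_off, 64, proto, 0, src, dst)
    return header + payload


def sample_fragments():
    """One constructed UDP datagram (ports 5000 -> 53) split into three 8-byte fragments."""
    udp = struct.pack("!HHHH", 5000, 53, 24, 0) + b"A" * 16
    return [make_fragment(7, off, off < 16, udp[off:off + 8]) for off in (0, 8, 16)]


def demo():
    """Deliver the fragments last-to-first and collect what is released at each step."""
    frags = sample_fragments()
    classifier = FragmentClassifier()
    return [classifier.handle(frags[i], now=0.1 * n) for n, i in enumerate((2, 1, 0))]
```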
Note: In DefensePro versions prior to 5.12, you configure the IP Fragmentation in the IP
Fragmentation pane in the Configuration perspective Advanced Parameters tab
navigation pane.
1. In the Configuration perspective Networking tab navigation pane, select Basic.
2. Configure the parameters; and then, click
Parameter
Description
Basic Parameters
IP Version Mode
Jumbo Frames
Values:
Enabled: Frames of 1550–9216 bytes bypass the device without
any inspection or monitoring.
Disabled: The device discards frames that are larger than 1550
bytes.
Default: Disabled
Notes:
>> Changing the configuration of the option takes effect only
after a device reset.
>> When the option is enabled on an x412 platform, there may
be some negative effect on the following features: Packet
Anomalies, Black and White Lists, and BDoS real-time
signatures.
>> When the option is enabled on an x06 or x016 platform,
there may be some negative effect on Black and White lists.
>> When the option is enabled, TCP SYN Protection may not
behave as expected because the third packet in the TCP
three-way-handshake can include data and be in itself a
jumbo frame.
>> When the option is enabled, some protections that rely on
the DefensePro session table might produce false-negatives
and drop traffic when all the session traffic bypasses the
device in both directions for a period longer than Session
Aging Time.
IP Fragmentation
Enable IP Fragmentation
Queuing Limit
Aging Time
Traffic Exclusion
This group box is available only in DefensePro 6.02 and later on x412 platforms with the DME.
Traffic Exclusion
Specifies whether the device passes through all traffic that matches
no network policy configured on the device, regardless of any other
protection configured.
Default: Enabled
Caution: If Traffic Exclusion is enabled, to inspect traffic that
matches a Server Protection policy, you must configure
the Server Protection policy as a subset of the Network
Protection Policy rule.
Note: When you enable tunneling, you must reboot the device before you can configure MPLS
RD groups.
Parameter
Description
Enable Tunneling
Enable MPLS-RD
IP Version Mode
In the Configuration perspective Networking tab navigation pane, select Port Pairs.
2.
3.
(Add) button.
Parameter
Description
Port Pairs
Source Port
Destination Port
Operation
Failure Mode
Specifies whether the traffic passes through (bypasses) a pair of RJ-45 ports
when the platform is rebooting or is powered down (for example, if the device
fails).
Values:
Fail-Close: Traffic does not pass through when the platform is powered
down. When a pair of ports enters fail-close state, traffic is blocked and
the link appears to be down (no power), and switches that are connected
to the DefensePro device detect the link as being down.
Fail-Open: Traffic passes through (not processed by DefensePro) when
the platform is powered down.
When you configure Fail-Open for a port pair, you cannot:
Note: For more information, see Internal Bypass for RJ-45 Ports in
DefensePro, page 231.
In Port
Specifies which port in the pair is designated as the inbound port (the source
or destination port). This setting is used in real-time reports for inbound and
outbound traffic.
Advanced Parameters
In DefensePro x06 models, this group box and the Enable Interface Grouping checkbox are not
displayed. In x06 models, Interface Grouping is always enabled.
Enable Interface
Grouping
Specifies whether the device groups the statuses of the port-pair interfaces.
When the option is enabled, if one port of a port pair is disconnected,
DefensePro sets the status of the paired port to disconnected also; so, a
remote device connected to the DefensePro device perceives the same
disconnected status.
Typically, the option is enabled when DefensePro is configured between
switches that use link redundancy. Interface grouping is the only way both
switches always perceive the same DefensePro interfaces status.
Default: Disabled
By default, all the interfaces that support configurable failure mode, except the last pair, are
configured with the Process option for Port Operation with the failure mode set to Fail-Open.
For network debugging or testing purposes, using CLI, you can manually force a pair of ports into
the failure state without turning the power off or rebooting the device.
In high-availability, you can set the failure mode of a copper port on a primary device to fail-close.
Thus, when the primary device goes down, the data path will have to change to the secondary
device. On the secondary device, you should consider the fail-open configuration to ensure that
failure of both DefensePro devices will not result in traffic loss.
DefensePro sends appropriate notifications at the following times:
[Figure: Router, DefensePro, and Web servers, with numbered flows 1-4 labeled HTTPS, HTTP, and RST]
Note: Bandwidth Management, DoS, SYN protection and other policies can also be applied to
the original SSL streams.
Before you configure SSL inspection, configure inspection ports in the Static Forwarding table by
setting the operating mode to Process.
When you assign the same Destination Port to more than one Source Port, you must set the
Destination Port of the traffic in the opposite direction, otherwise the traffic transmitted in that
direction is ignored. For example, if both Source Port 1 and Source Port 2 are associated with
Destination Port 3, then for traffic in the opposite direction, the Source Port is 3 while the
Destination Port must be defined (1 or 2).
(Add) button.
Parameter
Description
Incoming Port
The scanning port that was configured for one of the traffic directions.
Port towards AppXcel The port that is used for SSL acceleration.
This port must be dedicated to the SSL acceleration and cannot be used for
other purposes, such as static forwarding or network interface.
In the Configuration perspective Networking tab navigation pane, select SSL Inspection >
L4 Ports.
2.
3.
(Add) button.
Parameter
Description
The corresponding service port that AppXcel uses for decrypted sessions.
This HTTP port is used after decryption.
Mixed (gateway):
Unless otherwise specified, the various IP objects in the AppDirector configuration can accept both
IPv4 and IPv6 addresses.
Note: When you specify the Alteon device for the AppShape instance, the device can be
unlocked. However, to configure the parameters, submit, and apply the configuration,
the Alteon device must be locked (as with any configuration change to a device
managed in APSolute Vision).
To view the basic parameters of AppShape instances that the APSolute Vision is
managing
In the Configuration perspective system pane, select the AppShapes tab.
Table 135: Basic Parameters of AppShape Instances in APSolute Vision
Parameter
Description
Instance Name
Configuration Validation
Last Validation
The last time that the configuration of the device was synchronized with
the AppShape template.
Device Name
Virtual Address
In the Asset Management perspective system pane, select AppShape. The AppShape tab is
displayed.
2.
Select the row with the device whose configuration you want to view.
3.
Related Topics
SAP Message Server Automated Configuration Parameters, page 264
Figure 33: APSolute Vision Server, Alteon Device, and SAP Portal
[Figure labels: APSolute Vision (Management), ADC (VIP 1.1.1.1), Client, SAP Portal, SAP Servers (Host: 10.203.100.100; Ports: 50000, 50200)]
SLB Configuration: The global parameters, slb on and direct enabled, are mandatory.
APSolute Vision automatically generates the server list. The logic removes or adds entries based
on the SAP servers list, verifying the ports, the addresses, and the weights. APSolute Vision
creates a single group supporting both HTTP and HTTPS entries. Index 1 is the default, but the
device can use other indexes based on the HTTP service group index. The HTTP service redirects
to HTTPS. The user can remove the redirection flag. The HTTPS application service supports
HTTP compression and modification. The HTTPS SSL application service uses the user-defined
certificate and the generated SSL policy. To maintain persistency, the pbind insert cookie is
activated (mandatory).
The Compression Policy configuration enables compression and creates a default policy.
The compression level is 1. The compression level is a recommendation; the user can set an
alternate value.
SSL Configuration.
The SSL configuration enables SSL offloading and creates the SSL policy accordingly. APSolute
Vision uses the SSL certificate that is specified in the configuration. The automated logic (that is,
the daemon) enforces convert to disabled.
The APSolute Vision mechanism enforces both the rules and the modification action, which are
required since Alteon replaces the service port (443) with the server port.
In the Configuration perspective system pane, AppShapes tab, select AppShape > SAP Portal.
2.
Click the
(Add) button.
In the Create AppShape dialog box, from the Device Name drop-down list, select the
device on which to instantiate the AppShape template. The Device Name drop-down list
contains all compatible Alteon devices: standalone, VA, and vADC devices. However, the list
does not filter out the devices that are not locked. To configure the instance, the device must
be locked.
c.
Click OK.
3.
4.
(Submit).
Parameter
Description
SAP Portal AppShape Instance
Last Validation
Name
Virtual Address
Application Servers
Message Server Auto-Discovery
Address/Port table
Click the
(Add) button to add a new server. For
information on configuring real servers, see
Message Server Connection Settings
(The group box and the parameters in it are displayed only when the Message Server Auto-Discovery checkbox is selected.)
Host Name
Port
Maximum characters: 30
Default: 8101
Health Check
HTTP
Compression
SSL
SSL Acceleration
Server Certificate
Click the
(Add) button.
In the Create AppShape dialog box, from the Device Name drop-down list, select the
device on which to instantiate the AppShape template. The Device Name drop-down list
contains all compatible Alteon devices: standalone, VA, and vADC devices. However, the list
does not filter out the devices that are not locked. To configure the instance, the device must
be locked.
c.
Click OK.
(Submit).
Parameter
Description
SharePoint AppShape Instance
Last Validation
Name
Virtual Address
Application Servers
Address/Port table
Health Check
HTTP
Caching
Compression
Connection Management
PIP
SSL
SSL Acceleration
Server Certificate
Downloading a Device's Log File to the APSolute Vision Client, page 246
Updating a Radware Signature File or RSA Signature File in DefensePro Devices, page 247
Downloading a Device's Technical Support File to the APSolute Vision Client, page 248
Note: You can schedule device reboots in the APSolute Vision scheduler. For more information,
see Managing Tasks in the Scheduler, page 256.
In the Monitoring perspective system pane, right-click the device name and select Reboot.
2.
In the Monitoring perspective system pane, right-click the device name and select Shutdown.
2.
The device icon in the system pane includes a small question mark (?)
AppDirector,
for Alteon,
for
for DefensePro.
The Alerts pane does not receive alerts from the device.
The device node in the sites tree does not include the device entities (for example, ports and
trunks).
Note: The date and time display is a snapshot only. It does not change if the dialog box is
left open.
In the Monitoring perspective system pane, right-click the device name and select Manage
Software Versions.
2.
3.
Parameter
Description
Upload Via
The protocol used to upload the software file from APSolute Vision to the
device.
Values: HTTP, HTTPS, TFTP
File Name
Software Version
Password
Enter the password received with the new software version, and verify.
The password is case sensitive.
In the Monitoring perspective system pane, right-click the device name and select Export Log
File.
2.
Parameter
Description
Download Via
File Name
Save the downloaded log file as a text file on the client system. Enter or
browse to the location of the saved log file, and select or enter a file
name.
Notes:
>> For AppDirector 2.30 and later, you can update a signature file, but only from your client
PC, and only manually (that is, not using a scheduled task).
>> RSA-signature support is available in DefensePro 5.10 and later.
You can upload an updated Radware signature file to a DefensePro device from the following
sources:
Radware.com or the proxy file server that is configured in the Vision Server
Connection configuration: The Alerts pane displays a success or failure notification and
whether the operation was performed using a proxy server.
APSolute Vision client system: The name of the signature file on the must be DEVICE-MACADDRESS.sig.
Note: You can schedule Signature File updates in the APSolute Vision scheduler. For more
information, see Managing Tasks in the Scheduler, page 256.
For more information about using signature files, see the DefensePro User Guide.
Parameter
Description
Update From
Upload Via
File Name
Parameter
Description
Signature Type
Update From
Upload Via
File Name
(This parameter is
displayed only when
Update From Client is
selected)
Note: If you encounter a problem with the APSolute Vision server or APSolute Vision client (as
opposed to the managed device), see the APSolute Vision Administrator Guide.
In the Monitoring perspective system pane, right-click the device name and select Export Tech
Support File.
2.
Parameter
Description
Download Via
Save As
Save the downloaded technical support file as a text file on the client
system. Enter or browse to the location of the saved file, and select or
enter a file name.
Commands that do not require rebooting the device: Copying and pasting a command
from this section takes effect immediately after pasting. The commands in the section are not
bound to SNMP. The section has the heading: The following commands take effect
Note: You can schedule configuration file backups in the APSolute Vision scheduler. For more
information, see Managing Tasks in the Scheduler, page 256.
In the Monitoring perspective system pane, right-click the device name and select Export
Configuration File from Device.
2.
Parameter
Description
Download to
Download Via
Save As
Save the downloaded configuration file as a text file on the client system.
On the server, the default name is a combination of the device name and
backup date and time. You can change the default name.
Type
The passphrase.
(This parameter is
available only in Alteon
devices.)
Include Private Keys
(This parameter is
available only in Alteon
and AppDirector 2.11
and later.)
Parameter
Description
Upload from
Upload Via
When uploading from the client system, enter or browse to the name of
the configuration file to upload.
When uploading from the server, select the configuration to upload.
Passphrase
The passphrase.
(This parameter is
available only with
Alteon devices.)
Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.
Note: You can schedule configuration file backups in the APSolute Vision scheduler. For more
information, see Managing Tasks in the Scheduler, page 256.
In the Monitoring perspective system pane, right-click a main device in the cluster and select
Synchronize Device Configuration.
2.
Parameter
Description
File Type
Backup Device
ACL policy
White list
Classes
In the Monitoring perspective system pane, right-click the device name and select Update
Policies.
2.
2. Click OK.
In the Monitoring perspective system pane, right-click the device name and select Reset DNS
Baseline.
2.
Select whether to reset the baseline for all network policy rules that contain a DNS profile, or for
a specific network-protection rule that contains a DNS profile, then click OK.
To enable an interface
1.
2.
3.
To disable an interface
1.
2.
3.
Overview of Scheduling
You can schedule various operations for the APSolute Vision server and managed devices. Scheduled
operations are called tasks.
The APSolute Vision scheduler tracks when tasks were last performed and when they are due to be
performed next. When you configure a task for multiple devices, the task runs on each device
sequentially. After the task completes on one device, it begins on the next. If the task fails to
complete on a device, the Scheduler will activate the task on the next listed device.
Scheduled tasks run according to the time as configured on the APSolute Vision client.
Caution: If the APSolute Vision client timezone differs from the timezone of the APSolute Vision
server or the managed device, take the time offset into consideration.
When you define a task, you can choose whether to enable or disable the task. All configured tasks
are stored in the APSolute Vision database.
You can define the following types of scheduled tasks:
Reboot a device
Validate the AppShape SAP Portal configuration and poll the SAP Message Servers
Update the Radware signature file onto a DefensePro device from Radware.com or the proxy
server
Update the RSA signature file onto a DefensePro device from Radware.com or the proxy server
Update the APSolute Vision Attack Description file from Radware.com or the proxy server
Note: You can perform some of the operations manually, from the Monitoring perspective.
Parameter
Description
Name
Task Type
Enabled
Schedule
Whether the last task run was successful. When the task is disabled, or
has not yet started, the status is Never Executed.
The date and time of the last task run. When the task is disabled, or has
not yet started, this field is empty.
The date and time of the next task run. When the task is disabled, this
field is empty.
Description
2.
3.
Configure task parameters, and click OK. All task configurations include basic parameters and
scheduling parameters. Other parameters depend on the type of task selected.
2.
Task Parameters
Set the following parameters to configure tasks in the Scheduler:
The password of the radware user of the APSolute Vision server appliance
Attack data
The system stores up to five configuration-backup iterations. After the fifth configuration-backup,
the system deletes the oldest one.
Note: For information on managing the backups using CLI, see the APSolute Vision
Administrator Guide.
Parameter
Description
Basic Parameters
Name
Description
Parameter
Description
Enabled
Schedule
Frequency
Schedule Period
Run Always
Specifies whether the task always runs or only during the defined period.
Values:
Enabled: The task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
Disabled: The task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled
Start Date
Start Time
End Date
The date and time after which the task no longer runs.
End Time
Parameters
Protocol
Destination
IP Address
Directory
User
The username.
Password
Verify Password
Note: For information on managing the backups using CLI, see the APSolute Vision
Administrator Guide.
Parameter
Description
Basic Parameters
Name
Description
Enabled
Schedule
Frequency
Parameter
Description
Schedule Period
Run Always
Specifies whether the task always runs or only during the defined period.
Values:
Enabled: The task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
Disabled: The task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled
Start Date
Start Time
End Date
The date and time after which the task no longer runs.
End Time
Parameters
Protocol
Destination
IP Address
Directory
User
The username.
Password
Verify Password
Parameter
Description
Basic Parameters
Name
Description
Enabled
Schedule
Frequency
Schedule Period
Run Always
Specifies whether the task always runs or only during the defined period.
Values:
Enabled: The task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
Disabled: The task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled
Start Date
Start Time
End Date
The date and time after which the task no longer runs.
End Time
Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the Alteon devices on which this task runs.
Parameter
Description
Basic Parameters
Name
Description
Enabled
Schedule
Frequency
Schedule Period
Run Always
Specifies whether the task always runs or only during the defined period.
Values:
Enabled: The task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
Disabled: The task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled
Start Date
Start Time
End Date
The date and time after which the task no longer runs.
End Time
(This parameter is not available in AppDirector versions prior to 2.x.)
The AppDirector device stores separate configuration files for itself, its
peer device (for an active-active configuration), and its backup device (for
an active-backup configuration). Select which configuration file to back
up.
Values: Device, Peer, Backup
Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the devices whose configurations this task
backs up.
Description
Basic Parameters
Name
Description
Enabled
Schedule
Frequency
Parameter
Description
Schedule Period
Run Always
Specifies whether the task always runs or only during the defined period.
Values:
Enabled: The task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
Disabled: The task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled
Start Date
Start Time
End Date
The date and time after which the task no longer runs.
End Time
Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the devices that this task reboots.
Note: The frequency range for the SAP Message Server Automated Configuration task is 5 to
3600 minutes.
Parameter
Description
Basic Parameters
Name
Description
Enabled
Parameter
Description
Schedule
Frequency
Schedule Period
Run Always
Specifies whether the task always runs or only during the defined period.
Values:
Enabled: The task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
Disabled: The task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled
Start Date
Start Time
End Date
The date and time after which the task no longer runs.
End Time
Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the Alteon devices that use the SAP Message
Server connection configured on them to update their configuration accordingly.
Parameter
Description
Basic Parameters
Name
Description
Enabled
Schedule
Frequency
Schedule Period
Run Always
Specifies whether the task always runs or only during the defined period.
Values:
Enabled: The task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
Disabled: The task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled
Start Date
Start Time
End Date
The date and time after which the task no longer runs.
End Time
Synchronization Parameters
File Type
(This parameter is
available only in
AppDirector versions
later than 1.07.12.)
Cluster
Device
Communication Parameters
Protocol
Parameter
Description
Basic Parameters
Name
Description
Enabled
Schedule
Frequency
Parameter
Description
Schedule Period
Run Always
Specifies whether the task always runs or only during the defined period.
Values:
Enabled: The task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
Disabled: The task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled
Start Date
Start Time
End Date
The date and time after which the task no longer runs.
End Time
Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
DefensePro devices with Fraud Protection enabled. The Selected Devices list displays the
DefensePro devices whose RSA signature files this task updates.
Description
Basic Parameters
Name
Description
Enabled
Parameter
Description
Schedule
Frequency
Schedule Period
Run Always
Specifies whether the task always runs or only during the defined period.
Values:
Enabled: The task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
Disabled: The task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled
Start Date
Start Time
End Date
The date and time after which the task no longer runs.
End Time
Communication Parameters
Upload Protocol
The protocol used to upload the updated signature file from APSolute
Vision to the device.
Values: HTTPS, HTTP, TFTP
Default: HTTPS
Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the devices whose Radware signature files this
task updates.
Description
Basic Parameters
Name
Description
Enabled
Schedule
Frequency
Schedule Period
Run Always
Specifies whether the task always runs or only during the defined period.
Values:
Enabled: The task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
Disabled: The task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled
Start Date
Start Time
End Date
The date and time after which the task no longer runs.
End Time
License Grant. Subject to Section 2 below (if applicable), Radware hereby grants to you, and
you accept, a nonexclusive, nontransferable license to install and use the Software in machine-readable, object code form only and solely for your internal purposes ("Commercial License").
You further agree that you will not assign, sublicense, transfer, pledge, lease, rent or share your
rights under this License Agreement nor will you distribute copies of the Software.
2.
Evaluation Use. Notwithstanding anything to the contrary in this License Agreement, if the
Software is provided to you for evaluation purposes, as indicated in your purchase order or sales
receipt, on the website from which You download the Software, as inferred from any time-limited evaluation license keys that You are provided with to activate the Software, or otherwise,
then You may use the Software only for internal evaluation purposes ("Evaluation Use") for a
maximum of 30 days or such other duration as may be specified by Radware in writing at its sole
Limitations on Use. You agree that you will not: (a) copy, modify, translate, adapt, or create
any derivative works based on the Software; or (b) sublicense or transfer the Software, or
include the Software or any portion thereof in any product; or (b) reverse assemble, decompile,
reverse engineer or otherwise attempt to derive source code (or the underlying ideas,
algorithms, structure or organization) from the Software; or (c) remove any copyright notices,
identification or any other proprietary notices from the Software (including any notices of Third
Party Software (as defined below); or (d) copy the Software onto any public or distributed
network or use the Software to operate in or as a time-sharing, outsourcing, service bureau,
application service provider, or managed service provider environment. Notwithstanding Section
3(d), if you provide hosting or cloud computing services to your customers, you are entitled to
use and include the Software in your IT infrastructure on which you provide your services.
4.
Intellectual Property Rights. You acknowledge and agree that this License Agreement does
not convey to you any interest in the Software except for the limited right to use the Software,
and that all right, title, and interest in and to the Software, including any and all associated
intellectual property rights, are and shall remain with Radware or its third party licensors. You
further acknowledge and agree that the Software is a proprietary product of Radware and/or its
licensors and is protected under applicable copyright law.
5.
No Warranty. The Software, and any and all accompanying software, files, libraries, data and
materials, are distributed and provided "AS IS" by Radware or by its third party licensors (as
applicable) and with no warranty of any kind, whether express or implied, including, without
limitation, any non-infringement warranty or warranty of merchantability or fitness for a
particular purpose. Neither Radware nor any of its affiliates or licensors warrants, guarantees, or
makes any representation regarding the title in the Software, the use of, or the results of the
use of the Software. Neither Radware nor any of its affiliates or licensors warrants that the
operation of the Software will be uninterrupted or error-free, or that the use of any passwords,
license keys and/or encryption features will be effective in preventing the unintentional
disclosure of information contained in any file. You acknowledge that good data processing
procedure dictates that any program, including the Software, must be thoroughly tested with
non-critical data before there is any reliance on it, and you hereby assume the entire risk of all
use of the copies of the Software covered by this License. This disclaimer of warranty constitutes
an essential and material part of this License.
In the event that, notwithstanding the disclaimer of warranty above, Radware is held liable
under any warranty provision, Radware shall be released from all such obligations in the event
that the Software shall have been subject to misuse, neglect, accident or improper installation,
or if repairs or modifications were made by persons other than by Radware's authorized service
personnel.
6.