Vous êtes sur la page 1sur 273

APSolute Vision User Guide

Software Version 1.30


Document ID: RDWR-APSV-V0130_UG1205
May, 2012

APSolute Vision User Guide

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

Important Notices
The following important notices are presented in English, French, and German.

Important Notices
This guide is delivered subject to the following conditions and restrictions:
Copyright Radware Ltd. 20062012. All rights reserved.
The copyright and all other intellectual property rights and trade secrets included in this guide are
owned by Radware Ltd.
The guide is provided to Radware customers for the sole purpose of obtaining information with
respect to the installation and use of the Radware products described in this document, and may not
be used for any other purpose.
The information contained in this guide is proprietary to Radware and must be kept in strict
confidence.
It is strictly forbidden to copy, duplicate, reproduce or disclose this guide or any part thereof without
the prior written consent of Radware.

Notice importante
Ce guide est sujet aux conditions et restrictions suivantes:
Copyright Radware Ltd. 20062012. Tous droits rservs.
Le copyright ainsi que tout autre droit li la proprit intellectuelle et aux secrets industriels
contenus dans ce guide sont la proprit de Radware Ltd.
Ce guide dinformations est fourni nos clients dans le cadre de linstallation et de lusage des
produits de Radware dcrits dans ce document et ne pourra tre utilis dans un but autre que celui
pour lequel il a t conu.
Les informations rpertories dans ce document restent la proprit de Radware et doivent tre
conserves de manire confidentielle.
Il est strictement interdit de copier, reproduire ou divulguer des informations contenues dans ce
manuel sans avoir obtenu le consentement pralable crit de Radware.

Wichtige Anmerkung
Dieses Handbuch wird vorbehaltlich folgender Bedingungen und Einschrnkungen ausgeliefert:
Copyright Radware Ltd. 20062012. Alle Rechte vorbehalten.
Das Urheberrecht und alle anderen in diesem Handbuch enthaltenen Eigentumsrechte und
Geschftsgeheimnisse sind Eigentum von Radware Ltd.
Dieses Handbuch wird Kunden von Radware mit dem ausschlielichen Zweck ausgehndigt,
Informationen zu Montage und Benutzung der in diesem Dokument beschriebene Produkte von
Radware bereitzustellen. Es darf fr keinen anderen Zweck verwendet werden.
Die in diesem Handbuch enthaltenen Informationen sind Eigentum von Radware und mssen streng
vertraulich behandelt werden.
Es ist streng verboten, dieses Handbuch oder Teile daraus ohne vorherige schriftliche Zustimmung
von Radware zu kopieren, vervielfltigen, reproduzieren oder offen zu legen.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

Copyright Notices
The following copyright notices are presented in English, French, and German.

Copyright Notices
This product contains code developed by the OpenSSL Project
This product includes software developed by the OpenSSL Project. For use in the OpenSSL Toolkit.
(http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. All rights reserved.
This product contains the Rijndael cipher
The Rijndael implementation by Vincent Rijmen, Antoon Bosselaers and Paulo Barreto is in the public
domain and distributed with the following license:
@version 3.0 (December 2000)
Optimized ANSI C code for the Rijndael cipher (now AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>
The OnDemand Switch may use software components licensed under the GNU General Public
License Agreement Version 2 (GPL v.2) including LinuxBios and Filo open source projects. The
source code of the LinuxBios and Filo is available from Radware upon request. A copy of the license
can be viewed at:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
This code is hereby placed in the public domain.
This product contains code developed by the OpenBSD Project
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1.

Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.

2.

Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.

3.

Neither the name of the University nor the names of its contributors may be used to endorse or
promote products derived from this software without specific prior written permission.

This product includes software developed by Markus Friedl


This product includes software developed by Theo de Raadt
This product includes software developed by Niels Provos
This product includes software developed by Dug Song
This product includes software developed by Aaron Campbell
This product includes software developed by Damien Miller
This product includes software developed by Kevin Steves
This product includes software developed by Daniel Kouril
This product includes software developed by Wesley Griffin
This product includes software developed by Per Allansson
This product includes software developed by Nils Nordman
This product includes software developed by Simon Wilkinson

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and
the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions
and the following disclaimer in the documentation and/or other materials provided with the
distribution.
ALL THE SOFTWARE MENTIONED ABOVE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS
OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT
OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT
OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product contains work derived from the RSA Data Security, Inc. MD5 Message-Digest
Algorithm. RSA Data Security, Inc. makes no representations concerning either the merchantability
of the MD5 Message - Digest Algorithm or the suitability of the MD5 Message - Digest Algorithm for
any particular purpose. It is provided as is without express or implied warranty of any kind.

Notice traitant du copyright


Ce produit renferme des codes dvelopps dans le cadre du projet OpenSSL.
Ce produit inclut un logiciel dvelopp dans le cadre du projet OpenSSL. Pour un usage dans la bote
outils OpenSSL (http://www.openssl.org/).
Copyright (c) 1998-2005 Le projet OpenSSL. Tous droits rservs. Ce produit inclut la catgorie de
chiffre Rijndael.
Limplmentation de Rijindael par Vincent Rijmen, Antoon Bosselaers et Paulo Barreto est du
domaine public et distribue sous les termes de la licence suivante:
@version 3.0 (Dcembre 2000)
Code ANSI C code pour Rijndael (actuellement AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>.
Le commutateur OnDemand peut utiliser les composants logiciels sous licence, en vertu des termes
de la licence GNU General Public License Agreement Version 2 (GPL v.2), y compris les projets
source ouverte LinuxBios et Filo. Le code source de LinuxBios et Filo est disponible sur demande
auprs de Radware. Une copie de la licence est rpertorie sur:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
Ce code est galement plac dans le domaine public.
Ce produit renferme des codes dvelopps dans le cadre du projet OpenSSL.
Copyright (c) 1983, 1990, 1992, 1993, 1995
Les membres du conseil de lUniversit de Californie. Tous droits rservs.
La distribution et lusage sous une forme source et binaire, avec ou sans modifications, est autorise
pour autant que les conditions suivantes soient remplies:
1. La distribution dun code source doit inclure la notice de copyright mentionne ci-dessus, cette
liste de conditions et lavis de non-responsabilit suivant.
2. La distribution, sous une forme binaire, doit reproduire dans la documentation et/ou dans tout
autre matriel fourni la notice de copyright mentionne ci-dessus, cette liste de conditions et
lavis de non-responsabilit suivant.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

3.

Le nom de luniversit, ainsi que le nom des contributeurs ne seront en aucun cas utiliss pour
approuver ou promouvoir un produit driv de ce programme sans lobtention pralable dune
autorisation crite.

Ce produit inclut un logiciel dvelopp par Markus Friedl


Ce produit inclut un logiciel dvelopp par Theo de Raadt Ce produit inclut un logiciel dvelopp par
Niels Provos
Ce produit inclut un logiciel dvelopp par Dug Song
Ce produit inclut un logiciel dvelopp par Aaron Campbell Ce produit inclut un logiciel dvelopp
par Damien Miller
Ce produit inclut un logiciel dvelopp par Kevin Steves
Ce produit inclut un logiciel dvelopp par Daniel Kouril
Ce produit inclut un logiciel dvelopp par Wesley Griffin
Ce produit inclut un logiciel dvelopp par Per Allansson
Ce produit inclut un logiciel dvelopp par Nils Nordman
Ce produit inclut un logiciel dvelopp par Simon Wilkinson.
La distribution et lusage sous une forme source et binaire, avec ou sans modifications, est autorise
pour autant que les conditions suivantes soient remplies:
1.

La distribution dun code source doit inclure la notice de copyright mentionne ci-dessus, cette
liste de conditions et lavis de non-responsabilit suivant.

2.

La distribution, sous une forme binaire, doit reproduire dans la documentation et/ou dans tout
autre matriel fourni la notice de copyright mentionne ci-dessus, cette liste de conditions et
lavis de non-responsabilit suivant.

LE LOGICIEL MENTIONN CI-DESSUS EST FOURNI TEL QUEL PAR LE DVELOPPEUR ET TOUTE
GARANTIE, EXPLICITE OU IMPLICITE, Y COMPRIS, MAIS SANS SY LIMITER, TOUTE GARANTIE
IMPLICITE DE QUALIT MARCHANDE ET DADQUATION UN USAGE PARTICULIER EST EXCLUE.
EN AUCUN CAS LAUTEUR NE POURRA TRE TENU RESPONSABLE DES DOMMAGES DIRECTS,
INDIRECTS, ACCESSOIRES, SPCIAUX, EXEMPLAIRES OU CONSCUTIFS (Y COMPRIS, MAIS SANS
SY LIMITER, LACQUISITION DE BIENS OU DE SERVICES DE REMPLACEMENT, LA PERTE DUSAGE,
DE DONNES OU DE PROFITS OU LINTERRUPTION DES AFFAIRES), QUELLE QUEN SOIT LA CAUSE
ET LA THORIE DE RESPONSABILIT, QUIL SAGISSE DUN CONTRAT, DE RESPONSABILIT
STRICTE OU DUN ACTE DOMMAGEABLE (Y COMPRIS LA NGLIGENCE OU AUTRE), DCOULANT DE
QUELLE QUE FAON QUE CE SOIT DE LUSAGE DE CE LOGICIEL, MME SIL A T AVERTI DE LA
POSSIBILIT DUN TEL DOMMAGE.

Copyrightvermerke
Dieses Produkt enthlt einen vom OpenSSL-Projekt entwickelten Code
Dieses Produkt enthlt vom OpenSSL-Projekt entwickelte Software. Zur Verwendung im OpenSSL
Toolkit. (http://www.openssl.org/).
Copyright (c) 1998-2005 The OpenSSL Project. Alle Rechte vorbehalten. Dieses Produkt enthlt die
Rijndael cipher
Die Rijndael-Implementierung von Vincent Rijndael, Anton Bosselaers und Paulo Barreto ist
ffentlich zugnglich und wird unter folgender Lizenz vertrieben:
@version 3.0 (December 2000)
Optimierter ANSI C Code fr den Rijndael cipher (jetzt AES)
@author Vincent Rijmen <vincent.rijmen@esat.kuleuven.ac.be>
@author Antoon Bosselaers <antoon.bosselaers@esat.kuleuven.ac.be>
@author Paulo Barreto <paulo.barreto@terra.com.br>

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

Der OnDemand Switch verwendet mglicherweise Software, die im Rahmen der DNU Allgemeine
ffentliche Lizenzvereinbarung Version 2 (GPL v.2) lizensiert sind, einschlielich LinuxBios und Filo
Open Source-Projekte. Der Quellcode von LinuxBios und Filo ist bei Radware auf Anfrage erhltlich.
Eine Kopie dieser Lizenz kann eingesehen werden unter:
http://www.gnu.org/licenses/old-licenses/gpl-2.0.html
Dieser Code wird hiermit allgemein zugnglich gemacht.
Dieses Produkt enthlt einen vom OpenBSD-Projekt entwickelten Code
Copyright (c) 1983, 1990, 1992, 1993, 1995
The Regents of the University of California. Alle Rechte vorbehalten.
Die Verbreitung und Verwendung in Quell- und binrem Format, mit oder ohne Vernderungen, sind
unter folgenden Bedingungen erlaubt:
1. Die Verbreitung von Quellcodes muss den voranstehenden Copyrightvermerk, diese Liste von
Bedingungen und den folgenden Haftungsausschluss beibehalten.
2. Die Verbreitung in binrem Format muss den voranstehenden Copyrightvermerk, diese Liste von
Bedingungen und den folgenden Haftungsausschluss in der Dokumentation und/oder andere
Materialien, die mit verteilt werden, reproduzieren.
3. Weder der Name der Universitt noch die Namen der Beitragenden drfen ohne ausdrckliche
vorherige schriftliche Genehmigung verwendet werden, um von dieser Software abgeleitete
Produkte zu empfehlen oder zu bewerben.
Dieses Produkt enthlt von Markus Friedl entwickelte Software Dieses Produkt enthlt von Theo de
Raadt entwickelte Software Dieses Produkt enthlt von Niels Provos entwickelte Software Dieses
Produkt enthlt von Dug Song entwickelte Software
Dieses Produkt enthlt von Aaron Campbell entwickelte Software Dieses Produkt enthlt von Damien
Miller entwickelte Software Dieses Produkt enthlt von Kevin Steves entwickelte Software Dieses
Produkt enthlt von Daniel Kouril entwickelte Software Dieses Produkt enthlt von Wesley Griffin
entwickelte Software Dieses Produkt enthlt von Per Allansson entwickelte Software Dieses Produkt
enthlt von Nils Nordman entwickelte Software
Dieses Produkt enthlt von Simon Wilkinson entwickelte Software
Die Verbreitung und Verwendung in Quell- und binrem Format, mit oder ohne Vernderungen, sind
unter folgenden Bedingungen erlaubt:
1. Die Verbreitung von Quellcodes muss den voranstehenden Copyrightvermerk, diese Liste von
Bedingungen und den folgenden Haftungsausschluss beibehalten.
2. Die Verbreitung in binrem Format muss den voranstehenden Copyrightvermerk, diese Liste von
Bedingungen und den folgenden Haftungsausschluss in der Dokumentation und/oder andere
Materialien, die mit verteilt werden, reproduzieren.
SMTLICHE VORGENANNTE SOFTWARE WIRD VOM AUTOR IM IST-ZUSTAND (AS IS)
BEREITGESTELLT. JEGLICHE AUSDRCKLICHEN ODER IMPLIZITEN GARANTIEN, EINSCHLIESSLICH,
DOCH NICHT BESCHRNKT AUF DIE IMPLIZIERTEN GARANTIEN DER MARKTGNGIGKEIT UND DER
ANWENDBARKEIT FR EINEN BESTIMMTEN ZWECK, SIND AUSGESCHLOSSEN.
UNTER KEINEN UMSTNDEN HAFTET DER AUTOR FR DIREKTE ODER INDIREKTE SCHDEN, FR
BEI VERTRAGSERFLLUNG ENTSTANDENE SCHDEN, FR BESONDERE SCHDEN, FR
SCHADENSERSATZ MIT STRAFCHARAKTER, ODER FR FOLGESCHDEN EINSCHLIESSLICH, DOCH
NICHT BESCHRNKT AUF, ERWERB VON ERSATZGTERN ODER ERSATZLEISTUNGEN; VERLUST AN
NUTZUNG, DATEN ODER GEWINN; ODER GESCHFTSUNTERBRECHUNGEN) GLEICH, WIE SIE
ENTSTANDEN SIND, UND FR JEGLICHE ART VON HAFTUNG, SEI ES VERTRGE,
GEFHRDUNGSHAFTUNG, ODER DELIKTISCHE HAFTUNG (EINSCHLIESSLICH FAHRLSSIGKEIT
ODER ANDERE), DIE IN JEGLICHER FORM FOLGE DER BENUTZUNG DIESER SOFTWARE IST, SELBST
WENN AUF DIE MGLICHKEIT EINES SOLCHEN SCHADENS HINGEWIESEN WURDE.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

Safety Instructions
The following safety instructions are presented in English, French, and German.

Safety Instructions
CAUTION
A readily accessible disconnect device shall be incorporated in the building installation wiring.
Due to the risks of electrical shock, and energy, mechanical, and fire hazards, any procedures that
involve opening panels or changing components must be performed by qualified service personnel
only.
To reduce the risk of fire and electrical shock, disconnect the device from the power line before
removing cover or panels.
The following figure shows the caution label that is attached to Radware platforms with dual power
supplies.

Figure 1: Electrical Shock Hazard Label

DUAL-POWER-SUPPLY-SYSTEM SAFETY WARNING IN CHINESE


The following figure is the warning for Radware platforms with dual power supplies.

Figure 2: Dual-Power-Supply-System Safety Warning in Chinese

Translation of Dual-Power-Supply-System Safety Warning in Chinese:


This unit has more than one power supply. Disconnect all power supplies before maintenance to
avoid electric shock.
SERVICING
Do not perform any servicing other than that contained in the operating instructions unless you are
qualified to do so. There are no serviceable parts inside the unit.
HIGH VOLTAGE
Any adjustment, maintenance, and repair of the opened instrument under voltage must be avoided
as much as possible and, when inevitable, must be carried out only by a skilled person who is aware
of the hazard involved.
Capacitors inside the instrument may still be charged even if the instrument has been disconnected
from its source of supply.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

GROUNDING
Before connecting this device to the power line, the protective earth terminal screws of this device
must be connected to the protective earth in the building installation.
LASER
This equipment is a Class 1 Laser Product in accordance with IEC60825 - 1: 1993 + A1:1997 +
A2:2001 Standard.
FUSES
Make sure that only fuses with the required rated current and of the specified type are used for
replacement. The use of repaired fuses and the short-circuiting of fuse holders must be avoided.
Whenever it is likely that the protection offered by fuses has been impaired, the instrument must be
made inoperative and be secured against any unintended operation.
LINE VOLTAGE
Before connecting this instrument to the power line, make sure the voltage of the power source
matches the requirements of the instrument. Refer to the Specifications for information about the
correct power rating for the device.
48V DC-powered platforms have an input tolerance of 36-72V DC.
SPECIFICATION CHANGES
Specifications are subject to change without notice.

Note: This equipment has been tested and found to comply with the limits for a Class A digital
device pursuant to Part 15B of the FCC Rules and EN55022 Class A, EN 55024; EN
61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8 and IEC 61000-411For CE MARK Compliance. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial
environment. This equipment generates, uses and can radiate radio frequency energy
and, if not installed and used in accordance with the instruction manual, may cause
harmful interference to radio communications. Operation of this equipment in a
residential area is likely to cause harmful interference in which case the user is required
to correct the interference at his own expense.
VCCI ELECTROMAGNETIC-INTERFERENCE STATEMENTS

Figure 3: Statement for Class A VCCI-certified Equipment

Translation of Statement for Class A VCCI-certified Equipment:


This is a Class A product based on the standard of the Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). If this equipment is used in a domestic environment,
radio disturbance may occur, in which case, the user may be required to take corrective action.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

Figure 4: Statement for Class B VCCI-certified Equipment

Translation of Statement for Class B VCCI-certified Equipment:


This is a Class B product based on the standard of the Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). If this is used near a radio or television receiver in a
domestic environment, it may cause radio interference.
Install and use the equipment according to the instruction manual.
KCC KOREA

Figure 5: KCCKorea Communications Commission Certificate of Broadcasting and


Communication Equipment

Figure 6: Statement For Class A KCC-certified Equipment in Korean

Translation of Statement For Class A KCC-certified Equipment in Korean:


This equipment is Industrial (Class A) electromagnetic wave suitability equipment and seller or user
should take notice of it, and this equipment is to be used in the places except for home.
SPECIAL NOTICE FOR NORTH AMERICAN USERS
For North American power connection, select a power supply cord that is UL Listed and CSA Certified
3 - conductor, [18 AWG], terminated in a molded on plug cap rated 125 V, [10 A], with a minimum
length of 1.5m [six feet] but no longer than 4.5m...For European connection, select a power supply
cord that is internationally harmonized and marked <HAR>, 3 - conductor, 0,75 mm2 minimum
mm2 wire, rated 300 V, with a PVC insulated jacket. The cord must have a molded on plug cap rated
250 V, 3 A.
RESTRICT AREA ACCESS
The DC powered equipment should only be installed in a Restricted Access Area.
INSTALLATION CODES
This device must be installed according to country national electrical codes. For North America,
equipment must be installed in accordance with the US National Electrical Code, Articles 110 - 16,
110 -17, and 110 -18 and the Canadian Electrical Code, Section 12.

10

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

INTERCONNECTION OF UNITS
Cables for connecting to the unit RS232 and Ethernet Interfaces must be UL certified type DP-1 or
DP-2. (Note- when residing in non LPS circuit)
OVERCURRENT PROTECTION
A readily accessible listed branch-circuit over current protective device rated 15 A must be
incorporated in the building wiring for each power input.
REPLACEABLE BATTERIES
If equipment is provided with a replaceable battery, and is replaced by an incorrect battery type,
then an explosion may occur. This is the case for some Lithium batteries and the following is
applicable:

If the battery is placed in an Operator Access Area, there is a marking close to the battery or
a statement in both the operating and service instructions.

If the battery is placed elsewhere in the equipment, there is a marking close to the battery or a
statement in the service instructions.

This marking or statement includes the following text warning:


CAUTION
RISK OF EXPLOSION IF BATTERY IS REPLACED BY AN INCORRECT BATTERY TYPE.
DISPOSE OF USED BATTERIES ACCORDING TO THE INSTRUCTIONS.
Caution To Reduce the Risk of Electrical Shock and Fire
1. This equipment is designed to permit connection between the earthed conductor of the DC
supply circuit and the earthing conductor equipment. See Installation Instructions.
2. All servicing must be undertaken only by qualified service personnel. There are not user
serviceable parts inside the unit.
3. DO NOT plug in, turn on or attempt to operate an obviously damaged unit.
4. Ensure that the chassis ventilation openings in the unit are NOT BLOCKED.
5. Replace a blown fuse ONLY with the same type and rating as is marked on the safety label
adjacent to the power inlet, housing the fuse.
6. Do not operate the device in a location where the maximum ambient temperature exceeds
40C/104F.
7. Be sure to unplug the power supply cord from the wall socket BEFORE attempting to remove
and/or check the main power fuse.
CLASS 1 LASER PRODUCT AND REFERENCE TO THE MOST RECENT LASER STANDARDS IEC 60
825-1:1993 + A1:1997 + A2:2001 AND EN 60825-1:1994+A1:1996+ A2:2001
AC units for Denmark, Finland, Norway, Sweden (marked on product):

Denmark - Unit is class I - unit to be used with an AC cord set suitable with Denmark
deviations. The cord includes an earthing conductor. The Unit is to be plugged into a wall socket
outlet which is connected to a protective earth. Socket outlets which are not connected to earth
are not to be used!

Finland - (Marking label and in manual) - Laite on liitettv suojamaadoituskoskettimilla


varustettuun pistorasiaan

Norway (Marking label and in manual) - Apparatet m tilkoples jordet stikkontakt

Unit is intended for connection to IT power systems for Norway only.

Sweden (Marking label and in manual) - Apparaten skall anslutas till jordat uttag.

To connect the power connection:


1. Connect the power cable to the main socket, located on the rear panel of the device.
2. Connect the power cable to the grounded AC outlet.

Document ID: RDWR-APSV-V0130_UG1205

11

APSolute Vision User Guide

CAUTION
Risk of electric shock and energy hazard. Disconnecting one power supply disconnects only one
power supply module. To isolate the unit completely, disconnect all power supplies.

Instructions de scurit
AVERTISSEMENT
Un dispositif de dconnexion facilement accessible sera incorpor au cblage du btiment.
En raison des risques de chocs lectriques et des dangers nergtiques, mcaniques et dincendie,
chaque procdure impliquant louverture des panneaux ou le remplacement de composants sera
excute par du personnel qualifi.
Pour rduire les risques dincendie et de chocs lectriques, dconnectez le dispositif du bloc
dalimentation avant de retirer le couvercle ou les panneaux.
La figure suivante montre ltiquette davertissement appose sur les plateformes Radware dotes
de plus dune source dalimentation lectrique.

Figure 7: tiquette davertissement de danger de chocs lectriques

AVERTISSEMENT DE SCURIT POUR LES SYSTMES DOTS DE DEUX SOURCES DALIMENTATION


LECTRIQUE (EN CHINOIS)
La figure suivante reprsente ltiquette davertissement pour les plateformes Radware dotes de
deux sources dalimentation lectrique.

Figure 8: Avertissement de scurit pour les systmes dotes de deux sources dalimentation
lectrique (en chinois)

Traduction de la Avertissement de scurit pour les systmes dotes de deux sources dalimentation
lectrique (en chinois):
Cette unit est dote de plus dune source dalimentation lectrique. Dconnectez toutes les sources
dalimentation lectrique avant dentretenir lappareil ceci pour viter tout choc lectrique.
ENTRETIEN
Neffectuez aucun entretien autre que ceux rpertoris dans le manuel dinstructions, moins dtre
qualifi en la matire. Aucune pice lintrieur de lunit ne peut tre remplace ou rpare.
HAUTE TENSION
Tout rglage, opration dentretien et rparation de linstrument ouvert sous tension doit tre vit.
Si cela savre indispensable, confiez cette opration une personne qualifie et consciente des
dangers impliqus.

12

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

Les condensateurs au sein de lunit risquent dtre chargs mme si lunit a t dconnecte de la
source dalimentation lectrique.
MISE A LA TERRE
Avant de connecter ce dispositif la ligne lectrique, les vis de protection de la borne de terre de
cette unit doivent tre relies au systme de mise la terre du btiment.
LASER
Cet quipement est un produit laser de classe 1, conforme la norme IEC60825 - 1: 1993 + A1:
1997 + A2: 2001.
FUSIBLES
Assurez-vous que, seuls les fusibles courant nominal requis et de type spcifi sont utiliss en
remplacement. Lusage de fusibles rpars et le court-circuitage des porte-fusibles doivent tre
vits. Lorsquil est pratiquement certain que la protection offerte par les fusibles a t dtriore,
linstrument doit tre dsactiv et scuris contre toute opration involontaire.
TENSION DE LIGNE
Avant de connecter cet instrument la ligne lectrique, vrifiez que la tension de la source
dalimentation correspond aux exigences de linstrument. Consultez les spcifications propres
lalimentation nominale correcte du dispositif.
Les plateformes alimentes en 48 CC ont une tolrance dentre comprise entre 36 et 72 V CC.
MODIFICATIONS DES SPCIFICATIONS
Les spcifications sont sujettes changement sans notice pralable.
Remarque: Cet quipement a t test et dclar conforme aux limites dfinies pour un appareil
numrique de classe A, conformment au paragraphe 15B de la rglementation FCC et EN55022
Classe A, EN 55024, EN 61000-3-2; EN 61000-3-3; IEC 61000 4-2 to 4-6, IEC 61000 4-8, et IEC
61000-4-11, pour la marque de conformit de la CE. Ces limites sont fixes pour fournir une
protection raisonnable contre les interfrences nuisibles, lorsque lquipement est utilis dans un
environnement commercial. Cet quipement gnre, utilise et peut mettre des frquences radio et,
sil nest pas install et utilis conformment au manuel dinstructions, peut entraner des
interfrences nuisibles aux communications radio. Le fonctionnement de cet quipement dans une
zone rsidentielle est susceptible de provoquer des interfrences nuisibles, auquel cas lutilisateur
devra corriger le problme ses propres frais.
DCLARATIONS SUR LES INTERFRENCES LECTROMAGNTIQUES VCCI

Figure 9: Dclaration pour lquipement de classe A certifi VCCI

Traduction de la Dclaration pour lquipement de classe A certifi VCCI:


Il sagit dun produit de classe A, bas sur la norme du Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). Si cet quipement est utilis dans un environnement
domestique, des perturbations radiolectriques sont susceptibles dapparatre. Si tel est le cas,
lutilisateur sera tenu de prendre des mesures correctives.

Document ID: RDWR-APSV-V0130_UG1205

13

APSolute Vision User Guide

Figure 10: Dclaration pour lquipement de classe B certifi VCCI

Traduction de la Dclaration pour lquipement de classe B certifi VCCI:


Il sagit dun produit de classe B, bas sur la norme du Voluntary Control Council for Interference by
Information Technology Equipment (VCCI). Sil est utilis proximit dun poste de radio ou dune
tlvision dans un environnement domestique, il peut entraner des interfrences radio.
Installez et utilisez lquipement selon le manuel dinstructions.
KCC Core

Figure 11: KCCCertificat de la commission des communications de Core pour les equipements de
radiodiffusion et communication.

Figure 12: Dclaration pour lquipement de classe A certifi KCC en langue corenne

Translation de la Dclaration pour lquipement de classe A certifi KCC en langue corenne:


Cet quipement est un matriel (classe A) en adquation aux ondes lectromagntiques et le
vendeur ou lutilisateur doit prendre cela en compte. Ce matriel est donc fait pour tre utilis
ailleurs qu la maison.
NOTICE SPCIALE POUR LES UTILISATEURS NORD-AMRICAINS
Pour un raccordement lectrique en Amrique du Nord, slectionnez un cordon dalimentation
homologu UL et certifi CSA 3 - conducteur, [18 AWG], muni dune prise moule son extrmit,
de 125 V, [10 A], dune longueur minimale de 1,5 m [six pieds] et maximale de 4,5m...Pour la
connexion europenne, choisissez un cordon dalimentation mondialement homologu et marqu
<HAR>, 3 - conducteur, cble de 0,75 mm2 minimum, de 300 V, avec une gaine en PVC isole. La
prise lextrmit du cordon, sera dote dun sceau moul indiquant: 250 V, 3 A.
ZONE A ACCS RESTREINT
Lquipement aliment en CC ne pourra tre install que dans une zone accs restreint. CODES
DINSTALLATION
Ce dispositif doit tre install en conformit avec les codes lectriques nationaux. En Amrique du
Nord, lquipement sera install en conformit avec le code lectrique national amricain, articles
110-16, 110 -17, et 110 -18 et le code lectrique canadien, Section 12. INTERCONNEXION DES
UNTES.

14

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

Les cbles de connexion lunit RS232 et aux interfaces Ethernet seront certifis UL, type DP-1 ou
DP-2. (Remarque- sils ne rsident pas dans un circuit LPS) PROTECTION CONTRE LES
SURCHARGES.
Un circuit de drivation, facilement accessible, sur le dispositif de protection du courant de 15 A doit
tre intgr au cblage du btiment pour chaque puissance consomme.
BATTERIES REMPLAABLES
Si lquipement est fourni avec une batterie, et quelle est remplace par un type de batterie
incorrect, elle est susceptible dexploser. Cest le cas pour certaines batteries au lithium, les
lments suivants sont donc applicables:

Si la batterie est place dans une zone daccs oprateur, une marque est indique sur la
batterie ou une remarque est insre, aussi bien dans les instructions dexploitation que
dentretien.

Si la batterie est place ailleurs dans lquipement, une marque est indique sur la batterie ou
une remarque est insre dans les instructions dentretien.

Cette marque ou remarque inclut lavertissement textuel suivant:


AVERTISSEMENT
RISQUE DEXPLOSION SI LA BATTERIE EST REMPLACE PAR UN MODLE INCORRECT. METTRE AU
REBUT LES BATTERIES CONFORMMENT AUX INSTRUCTIONS.
Attention - Pour rduire les risques de chocs lectriques et dincendie
1. Cet quipement est conu pour permettre la connexion entre le conducteur de mise la terre du
circuit lectrique CC et lquipement de mise la terre. Voir les instructions dinstallation.
2. Tout entretien sera entrepris par du personnel qualifi. Aucune pice lintrieur de lunit ne
peut tre remplace ou rpare.
3. NE branchez pas, nallumez pas ou nessayez pas dutiliser une unit manifestement
endommage.
4. Vrifiez que lorifice de ventilation du chssis dans lunit nest PAS OBSTRUE.
5. Remplacez le fusible endommag par un modle similaire de mme puissance, tel quindiqu sur
ltiquette de scurit adjacente larrive lectrique hbergeant le fusible.
6. Ne faites pas fonctionner lappareil dans un endroit, o la temprature ambiante dpasse la
valeur maximale autorise. 40C/104F.
7. Dbranchez le cordon lectrique de la prise murale AVANT dessayer de retirer et/ou de vrifier
le fusible dalimentation principal.
PRODUIT LASER DE CLASSE 1 ET RFRENCE AUX NORMES LASER LES PLUS RCENTES: IEC 60
825-1: 1993 + A1: 1997 + A2: 2001 ET EN 60825-1: 1994+A1: 1996+ A2: 2001
Units CA pour le Danemark, la Finlande, la Norvge, la Sude (indiqu sur le produit):

Danemark - Unit de classe 1 - qui doit tre utilise avec un cordon CA compatible avec les
dviations du Danemark. Le cordon inclut un conducteur de mise la terre. Lunit sera
branche une prise murale, mise la terre. Les prises non-mises la terre ne seront pas
utilises!

Finlande (tiquette et inscription dans le manuel) - Laite on liitettv


suojamaadoituskoskettimilla varustettuun pistorasiaan

Norvge (tiquette et inscription dans le manuel) - Apparatet m tilkoples jordet stikkontakt

Lunit peut tre connecte un systme lectrique IT (en Norvge uniquement).

Sude (tiquette et inscription dans le manuel) - Apparaten skall anslutas till jordat uttag.

Pour brancher lalimentation lectrique:


1. Branchez le cble dalimentation la prise principale, situe sur le panneau arrire de lunit.
2. Connectez le cble dalimentation la prise CA mise la terre.

Document ID: RDWR-APSV-V0130_UG1205

15

APSolute Vision User Guide

AVERTISSEMENT
Risque de choc lectrique et danger nergtique. La dconnexion dune source dalimentation
lectrique ne dbranche quun seul module lectrique. Pour isoler compltement lunit, dbranchez
toutes les sources dalimentation lectrique.
ATTENTION
Risque de choc et de danger lectriques. Le dbranchement dune seule alimentation stabilise ne
dbranche quun module Alimentation Stabilise. Pour Isoler compltement le module en cause, il
faut dbrancher toutes les alimentations stabilises.
Attention: Pour Rduire Les Risques dlectrocution et dIncendie
1.

Toutes les oprations dentretien seront effectues UNIQUEMENT par du personnel dentretien
qualifi. Aucun composant ne peut tre entretenu ou remplace par lutilisateur.

2.

NE PAS connecter, mettre sous tension ou essayer dutiliser une unit visiblement dfectueuse.

3.

Assurez-vous que les ouvertures de ventilation du chssis NE SONT PAS OBSTRUES.

4.

Remplacez un fusible qui a saut SEULEMENT par un fusible du mme type et de mme
capacit, comme indiqu sur ltiquette de scurit proche de lentre de lalimentation qui
contient le fusible.

5.

NE PAS UTILISER lquipement dans des locaux dont la temprature maximale dpasse 40
degrs Centigrades.

6.

Assurez vous que le cordon dalimentation a t dconnect AVANT dessayer de lenlever et/ou
vrifier le fusible de lalimentation gnrale.

Sicherheitsanweisungen
VORSICHT
Die Elektroinstallation des Gebudes muss ein unverzglich zugngliches Stromunterbrechungsgert
integrieren.
Aufgrund des Stromschlagrisikos und der Energie-, mechanische und Feuergefahr drfen Vorgnge,
in deren Verlauf Abdeckungen entfernt oder Elemente ausgetauscht werden, ausschlielich von
qualifiziertem Servicepersonal durchgefhrt werden.
Zur Reduzierung der Feuer- und Stromschlaggefahr muss das Gert vor der Entfernung der
Abdeckung oder der Paneele von der Stromversorgung getrennt werden.
Folgende Abbildung zeigt das VORSICHT-Etikett, das auf die Radware-Plattformen mit
Doppelspeisung angebracht ist.

Figure 13: Warnetikett Stromschlaggefahr

16

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

SICHERHEITSHINWEIS IN CHINESISCHER SPRACHE FR SYSTEME MIT DOPPELSPEISUNG


Die folgende Abbildung ist die Warnung fr Radware-Plattformen mit Doppelspeisung.

Figure 14: Sicherheitshinweis in chinesischer Sprache fr Systeme mit Doppelspeisung

bersetzung von Sicherheitshinweis in chinesischer Sprache fr Systeme mit Doppelspeisung:


Die Einheit verfgt ber mehr als eine Stromversorgungsquelle. Ziehen Sie zur Verhinderung von
Stromschlag vor Wartungsarbeiten smtliche Stromversorgungsleitungen ab.
WARTUNG
Fhren Sie keinerlei Wartungsarbeiten aus, die nicht in der Betriebsanleitung angefhrt sind, es sei
denn, Sie sind dafr qualifiziert. Es gibt innerhalb des Gertes keine wartungsfhigen Teile.
HOCHSPANNUNG
Jegliche Einstellungs-, Instandhaltungs- und Reparaturarbeiten am geffneten Gert unter
Spannung mssen so weit wie mglich vermieden werden. Sind sie nicht vermeidbar, drfen sie
ausschlielich von qualifizierten Personen ausgefhrt werden, die sich der Gefahr bewusst sind.
Innerhalb des Gertes befindliche Kondensatoren knnen auch dann noch Ladung enthalten, wenn
das Gert von der Stromversorgung abgeschnitten wurde.
ERDUNG
Bevor das Gert an die Stromversorgung angeschlossen wird, mssen die Schrauben der
Erdungsleitung des Gertes an die Erdung der Gebudeverkabelung angeschlossen werden.
LASER
Dieses Gert ist ein Laser-Produkt der Klasse 1 in bereinstimmung mit IEC60825 - 1: 1993 +
A1:1997 + A2:2001 Standard.
SICHERUNGEN
Vergewissern Sie sich, dass nur Sicherungen mit der erforderlichen Stromstrke und der
angefhrten Art verwendet werden. Die Verwendung reparierter Sicherungen sowie die
Kurzschlieung von Sicherungsfassungen muss vermieden werden. In Fllen, in denen
wahrscheinlich ist, dass der von den Sicherungen gebotene Schutz beeintrchtigt ist, muss das
Gert abgeschaltet und gegen unbeabsichtigten Betrieb gesichert werden.
LEITUNGSSPANNUNG
Vor Anschluss dieses Gertes an die Stromversorgung ist zu gewhrleisten, dass die Spannung der
Stromquelle den Anforderungen des Gertes entspricht. Beachten Sie die technischen Angaben
bezglich der korrekten elektrischen Werte des Gertes.
Plattformen mit 48 V DC verfgen ber eine Eingangstoleranz von 36-72 V DC. NDERUNGEN DER
TECHNISCHEN ANGABEN
nderungen der technischen Spezifikationen bleiben vorbehalten.
Hinweis: Dieses Gert wurde geprft und entspricht den Beschrnkungen von digitalen Gerten der
Klasse 1 gem Teil 15B FCC-Vorschriften und EN55022 Klasse A, EN55024; EN 61000-3-2; EN; IEC
61000 4-2 to 4-6, IEC 61000 4-8 und IEC 61000-4- 11 fr Konformitt mit der CE-Bezeichnung.
Diese Beschrnkungen dienen dem angemessenen Schutz vor schdlichen Interferenzen bei Betrieb
des Gertes in kommerziellem Umfeld. Dieses Gert erzeugt, verwendet und strahlt
elektromagnetische Hochfrequenzstrahlung aus. Wird es nicht entsprechend den Anweisungen im
Handbuch montiert und benutzt, knnte es mit dem Funkverkehr interferieren und ihn
beeintrchtigen. Der Betrieb dieses Gertes in Wohnbereichen wird hchstwahrscheinlich zu
schdlichen Interferenzen fhren. In einem solchen Fall wre der Benutzer verpflichtet, diese
Interferenzen auf eigene Kosten zu korrigieren.

Document ID: RDWR-APSV-V0130_UG1205

17

APSolute Vision User Guide

ERKLRUNG DER VCCI ZU ELEKTROMAGNETISCHER INTERFERENZ

Figure 15: Erklrung zu VCCI-zertifizierten Gerten der Klasse A

bersetzung von Erklrung zu VCCI-zertifizierten Gerten der Klasse A:


Dies ist ein Produkt der Klasse A gem den Normen des Voluntary Control Council for Interference
by Information Technology Equipment (VCCI). Wird dieses Gert in einem Wohnbereich benutzt,
knnen elektromagnetische Strungen auftreten. In einem solchen Fall wre der Benutzer
verpflichtet, korrigierend einzugreifen.

Figure 16: Erklrung zu VCCI-zertifizierten Gerten der Klasse B

bersetzung von Erklrung zu VCCI-zertifizierten Gerten der Klasse B:


Dies ist ein Produkt der Klasse B gem den Normen des Voluntary Control Council for Interference
by Information Technology Equipment (VCCI). Wird dieses Gert in einem Wohnbereich benutzt,
knnen elektromagnetische Strungen auftreten.
Montieren und benutzen Sie das Gert laut Anweisungen im Benutzerhandbuch.
KCC KOREA

Figure 17: KCCKorea Communications Commission Zertifikat fr Rundfunk-und


Nachrichtentechnik

Figure 18: Erklrung zu KCC-zertifizierten Gerten der Klasse A

18

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide

bersetzung von Erklrung zu KCC-zertifizierten Gerten der Klasse A:


Verkufer oder Nutzer sollten davon Kenntnis nehmen, da dieses Gert der Klasse A fr industriell
elektromagnetische Wellen geeignete Gerten angehrt und dass diese Gerte nicht fr den
heimischen Gebrauch bestimmt sind.
BESONDERER HINWEIS FR BENUTZER IN NORDAMERIKA
Whlen Sie fr den Netzstromanschluss in Nordamerika ein Stromkabel, das in der UL aufgefhrt
und CSA-zertifiziert ist 3 Leiter, [18 AWG], endend in einem gegossenen Stecker, fr 125 V, [10 A],
mit einer Mindestlnge von 1,5 m [sechs Fu], doch nicht lnger als 4,5 m. Fr europische
Anschlsse verwenden Sie ein international harmonisiertes, mit <HAR> markiertes Stromkabel,
mit 3 Leitern von mindestens 0,75 mm2, fr 300 V, mit PVC-Umkleidung. Das Kabel muss in einem
gegossenen Stecker fr 250 V, 3 A enden.
BEREICH MIT EINGESCHRNKTEM ZUGANG
Das mit Gleichstrom betriebene Gert darf nur in einem Bereich mit eingeschrnktem Zugang
montiert werden.
INSTALLATIONSCODES
Dieses Gert muss gem der landesspezifischen elektrischen Codes montiert werden. In
Nordamerika mssen Gerte entsprechend dem US National Electrical Code, Artikel 110 - 16, 110 17 und 110 - 18, sowie dem Canadian Electrical Code, Abschnitt 12, montiert werden.
VERKOPPLUNG VON GERTEN Kabel fr die Verbindung des Gertes mit RS232- und Ethernetmssen UL-zertifiziert und vom Typ DP-1 oder DP-2 sein. (Anmerkung: bei Aufenthalt in einem
nicht-LPS-Stromkreis)
BERSTROMSCHUTZ
Ein gut zugnglicher aufgefhrter berstromschutz mit Abzweigstromkreis und 15 A Strke muss fr
jede Stromeingabe in der Gebudeverkabelung integriert sein.
AUSTAUSCHBARE BATTERIEN
Wird ein Gert mit einer austauschbaren Batterie geliefert und fr diese Batterie durch einen
falschen Batterietyp ersetzt, knnte dies zu einer Explosion fhren. Dies trifft zu fr manche Arten
von Lithiumsbatterien zu, und das folgende gilt es zu beachten:

Wird die Batterie in einem Bereich fr Bediener eingesetzt, findet sich in der Nhe der Batterie
eine Markierung oder Erklrung sowohl im Betriebshandbuch als auch in der Wartungsanleitung.

Ist die Batterie an einer anderen Stelle im Gert eingesetzt, findet sich in der Nhe der Batterie
eine Markierung oder einer Erklrung in der Wartungsanleitung.

Diese Markierung oder Erklrung enthlt den folgenden Warntext: VORSICHT


EXPLOSIONSGEFAHR, FALLS BATTERIE DURCH EINEN FALSCHEN BATTERIETYP ERSETZT WIRD.
GEBRAUCHTE BATTERIEN DEN ANWEISUNGEN ENTSPRECHEND ENTSORGEN.

Denmark - Unit is class I - mit Wechselstromkabel benutzen, dass fr die Abweichungen in


Dnemark eingestellt ist. Das Kabel ist mit einem Erdungsdraht versehen. Das Kabel wird in eine
geerdete Wandsteckdose angeschlossen. Keine Steckdosen ohne Erdungsleitung verwenden!

Finland - (Markierungsetikett und im Handbuch) - Laite on liitettv


suojamaadoituskoskettimilla varustettuun pistorasiaan

Norway - (Markierungsetikett und im Handbuch) - Apparatet m tilkoples jordet stikkontakt


Ausschlielich fr Anschluss an IT-Netzstromsysteme in Norwegen vorgesehen

Sweden - (Markierungsetikett und im Handbuch) - Apparaten skall anslutas till jordat uttag.

Anschluss des Stromkabels:


1. Schlieen Sie das Stromkabel an den Hauptanschluss auf der Rckseite des Gertes an.
2. Schlieen Sie das Stromkabel an den geerdeten Wechselstromanschluss an.
VORSICHT
Stromschlag- und Energiegefahr Die Trennung einer Stromquelle trennt nur ein
Stromversorgungsmodul von der Stromversorgung. Um das Gert komplett zu isolieren, muss es
von der gesamten Stromversorgung getrennt werden.

Document ID: RDWR-APSV-V0130_UG1205

19

APSolute Vision User Guide

Vorsicht - Zur Reduzierung der Stromschlag- und Feuergefahr


1.

Dieses Gert ist dazu ausgelegt, die Verbindung zwischen der geerdeten Leitung des
Gleichstromkreises und dem Erdungsleiter des Gertes zu ermglichen. Siehe
Montageanleitung.

2.

Wartungsarbeiten jeglicher Art drfen nur von qualifiziertem Servicepersonal ausgefhrt


werden. Es gibt innerhalb des Gertes keine vom Benutzer zu wartenden Teile.

3.

Versuchen Sie nicht, ein offensichtlich beschdigtes Gert an den Stromkreis anzuschlieen,
einzuschalten oder zu betreiben.

4.

Vergewissern Sie sich, dass sie Lftungsffnungen im Gehuse des Gertes NICHT BLOCKIERT
SIND.

5.

Ersetzen Sie eine durchgebrannte Sicherung ausschlielich mit dem selben Typ und von der
selben Strke, die auf dem Sicherheitsetikett angefhrt sind, das sich neben dem
Stromkabelanschluss, am Sicherungsgehuse.

6.

Betreiben Sie das Gert nicht an einem Standort, an dem die Hchsttemperatur der Umgebung
40C berschreitet.

7.

Vergewissern Sie sich, das Stromkabel aus dem Wandstecker zu ziehen, BEVOR Sie die
Hauptsicherung entfernen und/oder prfen.

Document Conventions
The following describes the conventions and symbols that this guide uses:

Item

Description

Description (French)

Beschreibung (German)

An example scenario

Un scnario dexemple

Ein Beispielszenarium

Possible damage to
equipment, software, or
data

Endommagement
Mgliche Schden an
possible de lquipement, Gert, Software oder
des donnes ou du
Daten
logiciel

Additional information

Informations
complmentaires

Zustzliche
Informationen

A statement and
instructions

Rfrences et
instructions

Eine Erklrung und


Anweisungen

A suggestion or
workaround

Une suggestion ou
solution

Ein Vorschlag oder eine


Umgehung

Example

Caution:

Note:

To

Tip:
Possible physical harm to Blessure possible de
the operator
loprateur

Verletzungsgefahr des
Bedieners

Warning:

20

Document ID: RDWR-APSV-V0130_UG1205

Table of Contents
Important Notices .......................................................................................................... 3
Copyright Notices .......................................................................................................... 4
Safety Instructions ......................................................................................................... 8
Document Conventions ............................................................................................... 20

Chapter 1 Introduction to APSolute Vision ....................................................... 27


What is APSolute Vision? ............................................................................................ 27
APSolute Vision Three-Tier Architecture ..................................................................... 29
Overview of APSolute Vision Features ........................................................................ 29
Online Device Configuration ................................................................................................ 30
Monitoring of Managed Devices and Services .................................................................... 30
Operation Control and Maintenance .................................................................................... 30
Device Drivers ..................................................................................................................... 31
Scheduling ........................................................................................................................... 31
Auditing and Alerts ............................................................................................................... 31
User Management and Role-based Access Control (RBAC) .............................................. 32
APSolute Vision Platform Security ....................................................................................... 32
APSolute Vision Platform Management ............................................................................... 32
Supported Alteon Environments .......................................................................................... 32
DefensePro Security Groups ............................................................................................... 33
Real-Time Security Reporting .............................................................................................. 33
Historical Security ReportingAPSolute Vision Reporter .................................................. 33
Online Help .......................................................................................................................... 33

APSolute Vision Interface Navigation .......................................................................... 34


Configuration Perspective .................................................................................................... 34
Monitoring Perspective ........................................................................................................ 38
Security Monitoring Perspective .......................................................................................... 42
Asset Management Perspective .......................................................................................... 43
APSolute Vision Sites .......................................................................................................... 43

Chapter 2 Getting Started with APSolute Vision............................................... 45


APSolute Vision Client Installation .............................................................................. 45
APSolute Vision Client Requirements ................................................................................. 45
APSolute Vision Reporter Requirements ............................................................................. 46
Installing the APSolute Vision Client .................................................................................... 47

Logging into APSolute Vision ...................................................................................... 47


Changing a Password for a Local User ....................................................................... 48
Filtering the Display of Tree Elements in the System Tabs ......................................... 49

Document ID: RDWR-APSV-V0130_UG1205

21

APSolute Vision User Guide


Table of Contents

Chapter 3 Monitoring and Controlling the APSolute Vision System .............. 53


Monitoring APSolute Vision ........................................................................................ 53
Monitoring APSolute Vision Basic, Version, and Hardware Information .................... 53
Managing Device Drivers ........................................................................................... 54
Managing Stored Device Configuration/Backup Files ................................................ 57
Managing Configuration Templates ............................................................................ 58
Managing DefensePro Security Groups ..................................................................... 60
Controlling APSolute Vision Operations ..................................................................... 63

Chapter 4 Managing Auditing and Alerts .......................................................... 65


APSolute Vision Auditing ............................................................................................ 65
Enabling Configuration Auditing for Managed Devices .............................................. 66
Managing Alerts .......................................................................................................... 66
Events Handled in the Alerts Pane .....................................................................................
Alert Information ..................................................................................................................
Displaying Alert Information ................................................................................................
Filtering Alerts .....................................................................................................................
Configuring Preferences for the Alerts Pane .......................................................................

67
67
69
71
72

Chapter 5 Basic Device Configuration............................................................... 73


Locking and Unlocking Devices .................................................................................. 73
Configuring and Using Configuration Templates ........................................................ 74
Alteon Configuration ManagementGlobal Commands ........................................... 76
AppDirector Setup ...................................................................................................... 78
Configuring AppDirector Global Parameters .......................................................................
Configuring AppDirector Date and Time Synchronization ...................................................
Configuring AppDirector Daylight Savings ..........................................................................
Configuring AppDirector E-mail Settings .............................................................................
Configuring AppDirector Syslog Settings ............................................................................
Configuring AppDirector DNS Client ...................................................................................
Configuring AppDirector BOOTP ........................................................................................
Configuring AppDirector Session Table Settings ................................................................
Configuring AppDirector Suspend Settings .........................................................................
Configuring AppDirector Threshold Warning Levels ...........................................................
Configuring AppDirector Statistics Monitoring .....................................................................
Configuring AppDirector Static Forwarding Table ...............................................................

78
79
80
82
83
85
87
87
88
89
91
92

DefensePro Setup ...................................................................................................... 93


Configuring DefensePro Global Parameters ....................................................................... 94
Configuring DefensePro Date and Time Synchronization ................................................... 94
Configuring DefensePro Daylight Saving ............................................................................ 95
Configuring DefensePro E-mail Settings ............................................................................. 96
Configuring DefensePro Syslog Settings ............................................................................ 97
Configuring DefensePro BOOTP ...................................................................................... 100

22

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Table of Contents

Configuring DefensePro High Availability .........................................................................


Configuring Dynamic Protocols for DefensePro ...............................................................
Configuring IP Fragmentation for DefensePro ..................................................................
Configuring Security Reporting Settings ...........................................................................
Configuring Out-of-Path Settings for DefensePro .............................................................
Configuring DefensePro Session Table Settings ..............................................................
Configuring DefensePro Suspend Settings ......................................................................
Configuring DefensePro Advanced Settings ....................................................................
Configuring Tunneling Inspection .....................................................................................

101
106
108
108
112
112
119
120
121

General Device Setup .............................................................................................. 122


Configuring Access Protocols ...........................................................................................
Configuring SNMP Supported Versions ...........................................................................
Configuring RADIUS Authentication for Device Management ..........................................
Configuring the Device Event Scheduler ..........................................................................

122
124
124
126

Upgrading a License for a Managed Device ............................................................ 127


Managing Certificates ............................................................................................... 131
Certificates ........................................................................................................................
Keys ..................................................................................................................................
Self-Signed Certificates ....................................................................................................
Modifying Certificate Information for a Selected Device ...................................................
Configuring Certificates ....................................................................................................
Configuring Default Certificate Attributes ..........................................................................
Importing Certificates ........................................................................................................
Exporting Certificates ........................................................................................................
Showing Certificate Content .............................................................................................

131
131
131
132
132
133
134
135
136

Configuring SNMP .................................................................................................... 136


Configuring SNMP Users ..................................................................................................
Configuring SNMP Community Settings ...........................................................................
Configuring the SNMP Group Table .................................................................................
Configuring SNMP Access Settings .................................................................................
Configuring SNMP Notify Settings ....................................................................................
Configuring SNMP View Settings .....................................................................................
Configuring the SNMP Target Parameters Table .............................................................
Configuring SNMP Target Addresses ...............................................................................

137
138
139
140
141
142
142
144

Configuring Device Users ......................................................................................... 144


Configuring Access Permissions on Physical Ports ................................................. 146
Configuring Port Pinging ........................................................................................... 147
Configuring Tuning Parameters ................................................................................ 147
Configuring Tuning Parameters for AppDirector ...............................................................
Configuring Tuning Parameters for DefensePro ...............................................................
Configuring Classifier Tuning ............................................................................................
Configuring BWM Tuning ..................................................................................................

Document ID: RDWR-APSV-V0130_UG1205

147
150
157
159

23

APSolute Vision User Guide


Table of Contents

Chapter 6 Device Network Configuration ........................................................ 161


Configuring Device IP Interfaces .............................................................................. 161
Managing IP Routing ................................................................................................ 164
Configuring IP Routing in AppDirector ..............................................................................
Configuring IP Routing in DefensePro ..............................................................................
Configuring ICMP ..............................................................................................................
Configuring the ARP Table ...............................................................................................
Configuring Spanning Tree Protocol in AppDirector .........................................................
Configuring NHRs in AppDirector ......................................................................................
Configuring VIP-NHR Interfaces in AppDirector ................................................................
Configuring RIP in AppDirector .........................................................................................
Configuring OSPF in AppDirector .....................................................................................
Configuring Border Gateway Protocol in AppDirector .......................................................
Configuring the Neighbor Cache in AppDirector ...............................................................

164
166
167
168
169
172
173
174
176
178
179

Configuring Ports ...................................................................................................... 180


Configuring Link Aggregation ............................................................................................ 181
Configuring Port Mirroring ................................................................................................. 188

Configuring AppDirector Redundancy ...................................................................... 190


Configuring AppDirector Redundancy Global Settings .....................................................
Configuring VRRP .............................................................................................................
Configuration Guidelines for AppDirector Redundancy Using VRRP ...............................
Configuring Proprietary Redundancy ................................................................................
Configuring Mirroring for Redundancy ..............................................................................
Online Configuration Synchronization ...............................................................................

191
195
200
204
205
206

Configuring AppDirector VLANs ............................................................................... 214


AppDirector Regular and Switch VLANs ........................................................................... 215
Configuring AppDirector VLAN Ports ................................................................................ 216
Configuring AppDirector VLAN Advanced Parameters ..................................................... 216

Configuring Segmentation for AppDirector ............................................................... 218


Segmentation in AppDirector 2.11 .................................................................................... 220
Associating NHRs to Segments ........................................................................................ 221

Configuring AppDirector Advanced Networking Parameters .................................... 223


Configuring DefensePro Redundancy ...................................................................... 225
Configuring Basic Networking Parameters in DefensePro ....................................... 226
Configuring Port Pairs for DefensePro ..................................................................... 230
Internal Bypass for RJ-45 Ports in DefensePro ................................................................. 231

Configuring SSL Inspection for DefensePro ............................................................. 232


Configuring SSL Inspection Layer 4 Ports for DefensePro ...................................... 234
IPv6 Support in AppDirector ..................................................................................... 234

Chapter 7 Managing AppShape-Template Instances ..................................... 237


Configuring an SAP Portal AppShape Instance ....................................................... 238
Configuring a SharePoint AppShape Instance ......................................................... 241

24

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Table of Contents

Chapter 8 Managing Device Operations and Maintenance ............................ 243


Rebooting a Managed Device .................................................................................. 243
Shutting Down a Managed Device ........................................................................... 244
Enabling and Disabling APSolute Vision Monitoring ................................................ 244
Viewing and Setting Device Date and Time ............................................................. 245
Upgrading Device Software ...................................................................................... 245
Downloading a Devices Log File to the APSolute Vision Client .............................. 246
Updating a Radware Signature File or RSA Signature File in DefensePro Devices

247

Downloading a Devices Technical Support File to the APSolute Vision Client ....... 248
Managing Device Configurations .............................................................................. 249
Configuration File Content ................................................................................................
Downloading a Devices Configuration File ......................................................................
Restoring a Devices Configuration ..................................................................................
Synchronizing AppDirector Configurations .......................................................................

249
249
251
251

Updating Policy Configurations ................................................................................ 252


Checking Device Memory Availability ....................................................................... 253
Purging AppDirector HTTP and OCPF Caches ........................................................ 253
Resetting the Baseline for DefensePro Devices ....................................................... 253
Enabling and Disabling Interfaces ............................................................................ 254

Chapter 9 Scheduling APSolute Vision and Device Tasks ............................ 255


Overview of Scheduling ............................................................................................ 255
Managing Tasks in the Scheduler ............................................................................ 256
Task Parameters ...................................................................................................... 257
APSolute Vision Configuration Backup .............................................................................
APSolute Vision Reporter Backup ....................................................................................
AppShape SharePoint Configuration Validation ...............................................................
Device Configuration Backup Parameters ........................................................................
Device Reboot Parameters ...............................................................................................
SAP Message Server Automated Configuration Parameters ...........................................
Synchronize Active Device Configuration Parameters .....................................................
Update RSA Signatures File Parameters .........................................................................
Update Radware Security Signatures Files for a Device ..................................................
Update APSolute Vision Attack Description File Parameters ...........................................

257
259
260
262
263
264
265
267
268
270

Radware Ltd. End User License Agreement....................................................... 271

Document ID: RDWR-APSV-V0130_UG1205

25

APSolute Vision User Guide


Table of Contents

26

Document ID: RDWR-APSV-V0130_UG1205

Chapter 1 Introduction to APSolute Vision


This guide is intended for general users of APSolute Vision. The guide describes the relevant aspects
of APSolute Vision and how to use it.

Notes:
>> For information about installing the APSolute Vision server and client, initial settings on
the APSolute Vision platform, and connecting the client to the server, see the Radware
Installation and Maintenance Guide and the APSolute Vision Administrator Guide.
>> For information about administrator operations, see the APSolute Vision Administrator
Guide.
>> For information about the required workflows for configuring application delivery with
Alteon, see the Alteon Application Switch Operating System Application Guide.
>> For information about the required workflows for configuring application delivery with
AppDirector, see the AppDirector User Guide.
>> For information about the required workflows for configuring network security with
DefensePro, see the DefensePro User Guide.
>> For information about APSolute Vision Reporter and how to use it, see its online help and
the APSolute Vision Reporter User Guide.
The following topics introduce APSolute Vision:

What is APSolute Vision?, page 27

APSolute Vision Three-Tier Architecture, page 29

Overview of APSolute Vision Features, page 29

APSolute Vision Interface Navigation, page 34

What is APSolute Vision?


APSolute Vision is Radwares next-generation management system. APSolute Vision simplifies and
standardizes the management of Radware application delivery control (ADC) and security solutions.
Use APSolute Vision to manage and track Radware hardware devices, virtual devices, and software
components in IP-based enterprise networks.
APSolute Vision provides:

Online configuration per device, including support for templates as well as AppShape, which
automates/streamlines ADC configuration for common applications, such as SAP Portal and
Microsoft SharePoint Server.

Monitoring and control of multiple devices, including enabling and disabling entities within a
device. APSolute Vision can monitor multiple devices in a single view.

DefensePro Security Groups, which enable DefensePro devices to share threat information and
block malicious sources as a group.

Reporting and statistics at the device level, and on logical entities within a device. For real-time
and historical security reporting, APSolute Vision can also provide site and network-level reports
for immediate problem isolation, convenient attack and status visibility and information drilldown.

Document ID: RDWR-APSV-V0130_UG1205

27

APSolute Vision User Guide


Introduction to APSolute Vision

A highly customized Role-Based Access Control system that allows granular control and
monitoring of various security aspects for different users.

Management capabilities, including:

Scheduling device control and maintenance tasks, such as, backup and restore, and so on.

Auditing

Viewing alerts and Alteon configuration messages (Alerts pane)

Device software management

APSolute Vision includes a database for administrative, operational, and security events to facilitate
the creation of long and short-term reports.
APSolute Vision provides stability, capacity, and usability, due to its:

Scalable, three-tier architecture

Optimized device access

Reduced client-to-server traffic

Operational use cases focus

Figure 19: APSolute Vision Solution Model


Email/Syslog/SQL client

APSolute Vision clients

SSL

LAN/WAN

hb
or t

ou

nd

Firewall
APSolute Vision Server
(physical appliance or virtual appliance)

Customer Management Network

Alteon devices

28

AppDirector devices

SNMP V1/V2c/V3
IRP real-time statistics
HTTP(S)/TFTP

DefensePro devices

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Introduction to APSolute Vision

APSolute Vision Three-Tier Architecture


APSolute Vision is a three-tier management system with client, server and device tiers. APSolute
Vision server can run as a standalone physical appliance or as a virtual appliance (VA). The client
tier does not connect to devices directly.
The client tier does the following:

Runs as a Windows application on a PC and provides a Windows-based graphical user interface


with separate perspectives for configuration, monitoring and control, and reports.

Transmits user requests to the server tier and displays the results in the APSolute Vision
interface in an intuitive and easy-to-read format.

The server tier does the following:

Runs on the APSolute Vision platform

Processes user commands

Transmits and stores data from other tiers

Makes logical decisions and performs calculations

Performs user authentication and authorization

Collects statistics and generates reports

Collects alerts from the devices

Communicates with the managed devices

The network physical device tier enables management of the collection of network elements
connected to APSolute Vision. This includes devices that provide server load-balancing, security,
intrusion prevention and denial-of-service (DoS) protection.

Overview of APSolute Vision Features


This section provides an overview of APSolute Visions main features:

Online Device Configuration, page 30

Monitoring of Managed Devices and Services, page 30

Operation Control and Maintenance, page 30

Device Drivers, page 31

Scheduling, page 31

Auditing and Alerts, page 31

User Management and Role-based Access Control (RBAC), page 32

APSolute Vision Platform Security, page 32

APSolute Vision Platform Management, page 32

Supported Alteon Environments, page 32

DefensePro Security Groups, page 33

Real-Time Security Reporting, page 33

Historical Security ReportingAPSolute Vision Reporter, page 33

Online Help, page 33

Document ID: RDWR-APSV-V0130_UG1205

29

APSolute Vision User Guide


Introduction to APSolute Vision

Online Device Configuration


Online device configuration supports the following:

Easy access for all device configuration topics

Hierarchical logical element grouping

Graphical change notation

Drill-down configuration topics

Inline filtering

Online configuration per device, including support for templates as well as AppShape, which
automates/streamlines ADC configuration for common applications, such as SAP Portal and
Microsoft SharePoint Server.

Configuration and propagation of templates for specific configuration elements in supported


AppDirector and DefensePro device versions

Monitoring of Managed Devices and Services


Monitoring of managed devices and services in APSolute Vision supports the following:

Easy access for device monitoring topics

Logical-element grouping

Hierarchical browsing

Propertiesstatus, management IP address, software version, device-driver version, hardware


platform, license information, and the time of the last configuration change

Routing table

IP Statisticsreceived and discarded

Information on ports, VLANs, and trunks, such as:

General status

Statistics

Presents device statistics tables for device level and logical level

Operation Control and Maintenance


Control and maintenance operations include:

Enabling and disabling all relevant entities on a device

Managing configuration templates for AppDirector and DefensePro devices. These configuration
templates

Managing DefensePro Security Groups, which enable DefensePro devices to share threat
information and block malicious sources as a group. Managing DefensePro Security Groups is
done in the Asset Management perspective.

Managing pairs of devices for high availability (HA)

Performing file transfers

Managing configuration backups

Rebooting devices

30

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Introduction to APSolute Vision

Device Drivers
APSolute Vision device drivers enable you to install or upgrade Radware devices without the need to
upgrade your APSolute Vision server.
A device driver in APSolute Vision defines the graphical user interface and configuration for the
software version of a managed device. The software version of a managed device defines the
baseline driver version. You can install a newer version of the device driver, and you can revert to
the baseline version.
You can have only one device-driver version in use on any single APSolute Vision server (but, there
may be multiple device-driver versions released for a single software version of a device). Typically,
subsequent versions of device drivers for a particular software version of a managed device only
includes very minor changes and/or bug fixes.

Notes:
>> When you upgrade device software, you need to reboot the device. However, when you
install a new version of a device driver or revert to the baseline version, you do not need
to reboot the device.
>> Device drivers do not include the online help. If the APSolute Vision server is configure
so that the clients get help from the server (the default option), the APSolute Vision
administrator should make sure that the APSolute Vision server has the latest version of
the online-help package.
>> The Properties pane that is displayed for a device of includes the name of the device
driver.

Scheduling
Scheduling in APSolute Vision supports various operations for the APSolute Vision server and
managed devices, which enable you to automate the tasks and to run repeated tasks.
Scheduled tasks run according to the time as configured on the APSolute Vision client.

Auditing and Alerts


Auditing and alerts in APSolute Vision logs all alerts and actions for APSolute Vision and, optionally,
for the managed devices. You can view auditing information and other alerts in the APSolute Vision
Alerts pane.
Alerts are created with the time at which the APSolute Vision server processed them, but the time
displayed in the Alerts pane is the time of the APSolute Vision client with the proper time offset.
APSolute Vision provides the audit trail for system messages and modifications to the configuration
of managed devices.
APSolute Vision can forward alarms and notifications. System Alarms can be forwarded via APSolute
Vision. Security service alarms can be forwarded via APSolute Vision Reporter. E-mail notifications
can be sent via SMTP. Notifications can be sent to a syslog server.
The Alerts tab in the Alerts pane provides fault management by supporting the following system and
audit alarms:

APSolute Vision server alarms

General device alarms (fan, CPU, and so on)

Audit trail messages

Document ID: RDWR-APSV-V0130_UG1205

31

APSolute Vision User Guide


Introduction to APSolute Vision

User Management and Role-based Access Control (RBAC)


The APSolute Vision server supports multi-user access and role-based access control (RBAC).
RBAC provides the following:

Predefined basic roles and permissions

Customized permissions per role and device

Access-control configuration and management in a local user table or using an external RADIUS
server (using RADIUS vendor attributes)

Note: For more information on RBAC, see the APSolute Vision Administrator Guide.

APSolute Vision Platform Security


APSolute Vision supports user security with user-account options for the following parameters:

Password expirationspecified in days

Inactivity timeoutauto logout

Forbidding use of old passwords

Password challenge configuration

Password constraints

Administrative actions to create users, reset user passwords, and locking out users

Tracking user statistics for successful logins, failed logins, account locks, and so on

APSolute Vision Platform Management


The APSolute Vision Server supports the following management interfaces:

CLI shell commandsFor installation, first-time configuration, and special maintenance


activities

APSolute Vision clientFor APSolute Vision server options, such as, timeouts, connectivity,
event forwarding, and so on, and for server monitoring

Supported Alteon Environments


APSolute Vision supports the following Alteon environments (or modes):

StandaloneThe traditional Alteon hardware Application Delivery Controller (ADC).

Alteon VAA software-based ADC supporting AlteonOS functionality and running on the
VMware virtual infrastructure.

ADC-VXA specialized ADC hypervisor that runs multiple virtual ADC instances on dedicated
ADC hardware, Radwares OnDemand Switch platforms.

vADCA virtualized instance of the Alteon operating system (AlteonOS).

32

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Introduction to APSolute Vision

Notes:
>> For more information, see the Alteon Application Switch Operating System Application
Guide.
>> The Messages tab in the Alerts pane displays Alteon configuration messages. A message
is displayed in the Messages tab after each Alteon configuration-management action
(Apply, Save, Diff, Diff Flash, Revert, Revert Apply, and Dump). If the Alerts pane is
collapsed, it automatically expands immediately after the configuration-management
action. When you double-click a message, APSolute Vision opens an autonomous
window. The window contains the full message text, which you can copy to the
clipboard.

DefensePro Security Groups


APSolute Vision enables DefensePro devices to share and act upon detected security threats.

Real-Time Security Reporting


APSolute Vision provides real-time attack views and security service alarms for managed devices.

Historical Security ReportingAPSolute Vision Reporter


APSolute Vision Reporter is a historical security reporting engine, which provides the following:

Customizable dashboards, reports, and notifications

Advanced incident handling for security operating centers (SOCs) and network operating centers
(NOCs)

Standard security reports

In-depth forensics capabilities

Ticket workflow management

Note: For information on the products and versions that APSolute Vision Reporter supports,
see the APSolute Vision Release Notes.

Online Help
By default, APSolute Vision clients get online help from the APSolute Vision server. Installation of the
APSolute Vision server includes online-help files.
Depending on the APSolute Vision server configuration, the clients get online help from one of the
following locations:

An internal, hard-coded, location on the serverInstallation of the APSolute Vision server


includes online-help files, but if managed devices are somehow upgraded later (with a new
device, new device version, or new device driver), the online-help files on the server should be
updated. It is the responsibility of the APSolute Vision administrator to make sure that the help
files on the server are updated as necessary.

radware.comThe online-help files at radware.com are always the most up-to-date, but
clients may encounter latency or connectivity problems.

Document ID: RDWR-APSV-V0130_UG1205

33

APSolute Vision User Guide


Introduction to APSolute Vision

APSolute Vision Interface Navigation


The APSolute Vision interface follows a consistent hierarchical structure, organized functionally to
enable easy access to options. You start at a high functional level and drill down to a specific
module, function, or object.
Each high-level function, such as device configuration, monitoring, or viewing real-time reports, is
accessible from a separate perspective.
APSolute Vision supports the following perspectives:

Configuration Perspective, page 34

Monitoring Perspective, page 38

Security Monitoring Perspective, page 42

Asset Management Perspective, page 43

Note: You can configure which perspective is displayed by default when you start an APSolute
Vision client session.

Configuration Perspective
Use the Configuration perspective to configure Radware devices. Typically, you choose the device to
configure in the Configuration perspective system pane Organization tab. You can view and modify
device settings in the content pane tabs, which have their own navigation panes for easier
navigation through configuration tasks.
You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you.
The Configuration perspective also includes the Properties pane, which displays information about
the currently selected device.
When APSolute Vision manages Alteon, you choose the standalone, vADC or VA device to configure
in the Configuration perspective system pane Organization tab. You manage ADC-VXs and the
hosted vADCs in the Configuration perspective system pane Physical tab.

34

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Introduction to APSolute Vision

Figure 20: Configuration PerspectiveAlteon


System pane Organization tabDisplays, according to your filter, the
configured sites and Alteon standalone, vADC, and VA devices
System pane Physical tabDisplays, according to your filter,
configured sites and Alteon ADC-VXs with the hosted vADCs
AppShape tab
Alteon configurationmanagement buttons

Configuration buttonOpens
the Configuration perspective

Navigation area for the tab

Content area

Properties pane
Alerts paneDisplays the Alerts tab and the Messages tab.
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab displays Alteon configuration messages.

Document ID: RDWR-APSV-V0130_UG1205

35

APSolute Vision User Guide


Introduction to APSolute Vision

Figure 21: Configuration PerspectiveAppDirector


System pane Organization tabDisplays,
according to your filter, the site tree,
configured sites, and configured devices
Button that
opens the
APSolute Vision
Reporter

Configuration buttonOpens
the Configuration perspective

Navigation are for the tab

Content area

Properties pane
Alerts paneDisplays the Alerts tab and the Messages tab.
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab is not relevant for AppDirector.

36

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Introduction to APSolute Vision

Figure 22: Configuration PerspectiveDefensePro


System pane Organization tabDisplays,
according to your filter, the site tree,
configured sites, and configured devices
Button that opens
the APSolute
Vision Reporter

Configuration buttonOpens
the Configuration perspective
Navigation area for the tab
Content area

Properties pane
Alerts paneDisplays the Alerts tab and the Messages tab.
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab is not relevant for DefensePro.

Document ID: RDWR-APSV-V0130_UG1205

37

APSolute Vision User Guide


Introduction to APSolute Vision
The following points apply to all configuration tasks in the Configuration perspective:

To configure a device, you must lock it. For more information, see Locking and Unlocking
Devices, page 73.

When you change a field value, the field label is displayed in italics.

Mandatory fields are displayed in red. You must enter data, or select an option in these fields.
After setting a mandatory field, the field label changes to black.

By default, tables display up to 20 rows per table page. You can change the number of rows per
table up to a maximum of 100 rows.

You can perform one or more of the following operations on table entries:

Add a new entry to the table, and define its parameters.

Edit one or more parameters of an existing table entry.

Delete a table entry.

Device configuration information is saved only on the managed device, not in the APSolute
Vision database. To commit information to the device, you must do the following:

Click OK when you modify settings in a configuration dialog box.

Click

Some configuration changes require an immediate device reboot. When you submit the
configuration change the device will reboot immediately.

Some configuration changes require a device reboot to take effect, but you can save the
change without an immediate reboot. When you submit a change without a reboot, the
Properties pane displays a Reboot Required notification until you reboot the device.

For AppDirector and DefensePro, click Update Policies to implement policy-configuration


changes if necessary. Policy-configuration changes for a device are saved on the managed
device, but the device does not apply the changes until you perform a device configuration
update.

For Alteon, APSolute Vision supports the configuration-management options: Apply, Save,
Diff, Diff Flash, Revert, Revert Apply, and Dump.

(Submit) when you modify settings in a configuration page.

Example Device selection in the Configuration perspective


The following example shows the selections you would make to view or change configuration
parameters for a Radware device:
1.

Open the Configuration perspective by clicking

at the top of the window.

2.

Select the required device in the system pane by drilling down through the sites and subsites.

3.

Right-click the device name, and select Lock Device.

4.

Select the required configuration tab in the content pane. Each tab displays a tab navigation
pane and configuration options.

5.

Select an option in the navigation pane.

6.

You can now view and change configuration parameters.

Monitoring Perspective
In the Monitoring perspective, you can monitor physical devices and interfaces, and logical objects,
such as farms and servers. The Monitoring perspective navigation pane contains two navigation
tabs. The System tab contains the physical devices and interfaces. The Application Delivery tab
contains the logical entities for AppDirector. The Properties pane displays information about the
currently selected device. The content pane for each type of entity contains tabs in which you can
view different types of information. Some tabs contain a navigation pane.

38

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Introduction to APSolute Vision
You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you.

Figure 23: Monitoring PerspectiveAlteon


System paneIncludes the Organization,
Application Delivery, and Physical tabs

Monitoring buttonOpens the


Monitoring perspective

Navigation area for tab


Content area

Properties pane
Alerts paneDisplays the Alerts tab and the Messages tab. The
Alerts tab displays APSolute Vision and device alerts. The
Messages tab displays Alteon configuration messages.

Document ID: RDWR-APSV-V0130_UG1205

39

APSolute Vision User Guide


Introduction to APSolute Vision

Figure 24: Monitoring PerspectiveAppDirector


System paneIncludes the Organization,
Application Delivery, and Physical tabs. The
Organization and Application Delivery tabs are
relevant for AppDirector.
Navigation area for tab

Monitoring buttonOpens the


Monitoring perspective

Content area

Alerts paneDisplays the Alerts tab and the Messages tab.


The Alerts tab displays APSolute Vision and device alerts.
The Messages tab is not relevant for AppDirector.

40

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Introduction to APSolute Vision

Figure 25: Monitoring PerspectiveDefensePro


System paneIncludes the Organization,
Application Delivery, and Physical tabs. The
Organization tabs is relevant for DefensePro.

Monitoring buttonopens
Monitoring perspective
Content area

Navigation area for tab

Properties pane
Alerts paneDisplays the Alerts tab and the Messages tab.
The Alerts tab displays APSolute Vision and device alerts.
The Messages tab is not relevant for DefensePro.

Document ID: RDWR-APSV-V0130_UG1205

41

APSolute Vision User Guide


Introduction to APSolute Vision

Security Monitoring Perspective


The Security Monitoring perspective is displayed only for devices that support the relevant Security
module.
You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you.
In the Security Monitoring perspective, you can access a collection of real-time security-monitoring
tools that provide visibility regarding current attacks that the managed device has detected. The
Properties pane displays information about the currently selected device.
The Security Monitoring perspective includes the following tabs:

Security DashboardA graphical summary view of all current active attacks in the network
with color-coded attack-category identification, graphical threat-level indication, and instant
drill-down to attack details.

Current AttacksA view of the current attacks in a tabular format with graphical notations of
attack categories, threat-level indication, drill-down to attack details, and easy access to the
protecting rules for immediate fine-tuning.

Traffic MonitoringA real-time graph and table displaying network information, with the
attack traffic and legitimate traffic filtered according to specified traffic direction and protocol.

Geo MapA graphical map view that displays threats by origin with hierarchical drill-down to IP
level.

Protection MonitoringReal-time graphs and tables with statistics on rules, protections


according to specified traffic direction and protocol, along with learned traffic baselines.

HTTP ReportsReal-time graphs and tables with statistics on rules, protections according to
specified traffic direction and protocol, along with learned traffic baselines.

Figure 26: Security Monitoring PerspectiveShowing the Security Dashboard

42

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Introduction to APSolute Vision

Asset Management Perspective


The Asset Management perspective is displayed only to users with the Administrator or User
Administrator role. A user with the User Administrator role can only view and configure local users.
For more information about roles and the Asset Management perspective, see the APSolute Vision
Administrator Guide.

APSolute Vision Sites


You can organize the Radware devices that APSolute Vision manages according to sites. APSolute
Vision displays the sites and managed devices in the system tab. Typically, a site is a group of
devices that share properties, such as location, services, or device type. You can nest sites; that is,
each site can contain subsites and devices.
In the context of RBAC, sites enable administrators to define the scope of each user.
Sites also play a role in the context of vADCs and ADC-VXs. When you manage a vADC hosted by an
ADC-VX in the Physical tab, you specify the site under which that vADC is displayed in the
Organization tab.

Document ID: RDWR-APSV-V0130_UG1205

43

APSolute Vision User Guide


Introduction to APSolute Vision

44

Document ID: RDWR-APSV-V0130_UG1205

Chapter 2 Getting Started with APSolute


Vision
The following topics describe how to get started and set up APSolute Vision before configuring and
monitoring your Radware devices:

APSolute Vision Client Installation, page 45

Logging into APSolute Vision, page 47

Changing a Password for a Local User, page 48

Filtering the Display of Tree Elements in the System Tabs, page 49

Note: For information about installing the APSolute Vision server and client, and connecting
the client to the server, see the Radware Installation and Maintenance Guide.

APSolute Vision Client Installation


The APSolute Vision client is installed on a PC.
This section includes the following topics:

APSolute Vision Client Requirements, page 45

APSolute Vision Reporter Requirements, page 46

Installing the APSolute Vision Client, page 47

APSolute Vision Client Requirements


Before you install the APSolute Vision client, ensure your computer meets the hardware and
software requirements.

Caution: You install the APSolute Vision client by first accessing the APSolute Vision appliance
using a Web browser. Therefore, APSolute Vision appliance must have a proper IP
address installed already. For information on configuring the IP address of the
APSolute Vision appliance, see the APSolute Vision Administrator Guide.
This section includes the following topics:

APSolute Vision Client Hardware Requirements, page 46

APSolute Vision Client Supported Operating Systems, page 46

APSolute Vision Client Software Requirements, page 46

Document ID: RDWR-APSV-V0130_UG1205

45

APSolute Vision User Guide


Getting Started with APSolute Vision

APSolute Vision Client Hardware Requirements


The PC on which APSolute Vision client runs requires the following hardware:

2.66 GHz or faster

2 GB RAM or more recommended

300 MB free disk space

CD-ROM

Network interface card (NIC)

768X1024 minimum recommended screen resolution

APSolute Vision Client Supported Operating Systems


The following operating systems support APSolute Vision client:

Windows XP SP3 32-bit

Windows Server 2008R2 64-bit

Windows 7 32-bit and 64-bit

Windows 7 SP1 32-bit and 64-bit

Caution: There are certain compatibility issues with Windows 7. For more information, see
the APSolute Vision Release Notes.

APSolute Vision Client Software Requirements


The PC that APSolute Vision client runs on requires the following:

Any Web browser that has a Java plug-in installed. The browser is needed only for downloading
the APSolute Vision client to the PC.

Java client version 1.6.0_17 or later must be installed to run the APSolute Vision Reporter.

APSolute Vision Reporter Requirements


APSolute Vision Reporter is a separate process that runs with the APSolute Vision client. After
installing the APSolute Vision client, you can connect to APSolute Vision Reporter.
You can run APSolute Vision Reporter on the following browsers:

Windows Internet Explorer 6 and 7.x and later

Mozilla Firefox 3.5 and 3.6

Google Chrome unofficially supported

46

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Getting Started with APSolute Vision

Installing the APSolute Vision Client

To install APSolute Vision client


1. Open your browser and enter the IP address of the APSolute Vision server. An Authentication
Required dialog box is displayed.
2. Do the following:

In the User Name field, type, visionweb.

In the Password field, type the password. Use the password that you receive from your
system administrator. The initial default password is radware.

3. Click OK. The following Web page opens.

4. Click the Download Client icon.


5. Save the EXE file to a directory on your hard drive.
6. Start the startup EXE file. The startup EXE file is named in the format

APSoluteVision_<major version>.<minor version>_Setup.exe.


7. Follow the instructions, enter the appropriate information, and accept the terms of the license
agreement.

Logging into APSolute Vision


To start working with APSolute Vision, you log into the APSolute Vision client.
After successfully logging in with a username and authenticated password, the APSolute Vision client
application opens. The APSolute Vision client connects to the specified APSolute Vision server. This
means that you always works online with APSolute Vision and its managed network elements.
Up to 10 users can access the APSolute Vision server simultaneously.

Document ID: RDWR-APSV-V0130_UG1205

47

APSolute Vision User Guide


Getting Started with APSolute Vision
APSolute Vision supports role-based access control (RBAC) to manage user privileges. Your
credentials and privileges may be managed through a RADIUS Authentication server or through the
local APSolute Vision user database.
For RBAC users, after successful authentication of your username and password, your role is
determined together with the devices that you are authorized to manage. The assigned role remains
fixed throughout your user session, and you can access only the content panes, menus, and
operations that the role allows.
Depending on the configuration of the APSolute Vision server, you may be prompted to change your
user password when you log in for the first time.
If you enter the credentials incorrectly, you are is prompted to re-enter the information. After a
globally defined number of consecutive failures, the APSolute Vision server locks you out of the
system. If you use local user credentials, a user administrator can release the lockout by resetting
the password to the global default password. If you use RADIUS credentials, you must contact the
RADIUS administrator.

To log into APSolute Vision as an existing user


1.

Click the APSolute Vision Client program icon.

2.

In the login dialog box, specify the following:

3.

User NameThe name of the user.

PasswordThe password for the user. Depending on the configuration of the server, you
may be required to change your password immediately. Default: radware.

Vision ServerThe name or IP address of the APSolute Vision server. This parameter is
displayed if you click Options. Otherwise, the login procedure tries to connect to the
APSolute Vision server that was specified previously.

AuthenticationThe method to authenticate the user: Local or RADIUS. That is, select
whether to use the credential stored in the APSolute Vision server or the credentials
managed by the specified RADIUS Authentication server. This parameter is displayed if you
click Options. Otherwise, the login procedure tries to connect to the APSolute Vision server
using the authentication method that was specified previously.

Click OK.

Changing a Password for a Local User


If your user credentials are managed through the local APSolute Vision Users table (not RADIUS),
you can change your user password at the login.

To change a password for a local user


1.

Click the APSolute Vision Client program icon.

2.

Click Options.

3.

Click Change Password.

4.

In the Change Password dialog box, enter your username, old password, new password, and
confirm the new password.

5.

Click OK. Your new password is saved and the APSolute Vision dialog box is displayed.

48

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Getting Started with APSolute Vision

Filtering the Display of Tree Elements in the System Tabs


You can filter the sites and devices that APSolute Vision displays. The filter does not change the
contents of the tree, only how APSolute Vision displays the tree to you. By default, APSolute Vision
displays all the sites and devices that you have permission to view. The selected filter configuration
applies across all relevant perspectives and trees. The filters and/or filter categories that APSolute
Vision displays are contextual. That is, which filters and/or filter categories APSolute Vision displays
is based on whether the Organization, Physical, or Application Delivery tab is displayed.
APSolute Vision can store and display up to 10 filter configurations. The Filter label includes the filter
criteria. When you open an APSolute Vision client session, APSolute Vision displays the last filter
configuration that you applied.
To each node in the tree, APSolute Vision appends the number of elements (that is, sites and/or
devices) matching the filter at that level and the total number of elements at that level. The total
number of elements is the number of elements that you can see according to your RBAC
permissions.

Example Filter Result Showing Two Sites


Figure 27 - Filter Result Showing Two Sites, page 49 shows a small portion of a tree in the
Organization tab on which you have applied a filter named MyFilter2. The root of the tree is
named MyRootSite. APSolute Vision has appended (1/5) to the label MyRootSite. This
indicates that there is only one element (in this case, the element is a site) that matches the
filter at the level immediately below MyRootSite; and MyRootSite contains five child elements for
which you have permission to view. APSolute Vision has appended (13/28) to the label
MyDeviceSite1. This indicates that there are 13 elements that match the filter at the level
immediately below MyDeviceSite1; and MyDeviceSite1 contains 28 child elements for which you
have permission to view.

Figure 27: Filter Result Showing Two Sites

Document ID: RDWR-APSV-V0130_UG1205

49

APSolute Vision User Guide


Getting Started with APSolute Vision

To create a new filter


1.

Click Filter to expand the Filter group box.

2.

From the Filter drop-down list, select New. The contents of Filter Name drop-down list
disappear.

3.

In the Filter drop-down list, specify a name for the filter.

4.

Configure the filter criteria.

5.

Click Save.

To modify a filter
1.

Click Filter to expand the Filter group box.

2.

From the Filter drop-down list, select the filter.

3.

Configure the filter criteria.

4.

Click Save.

To apply an existing filter


1.

Click Filter to expand the Filter group box.

2.

From the Filter drop-down list, select the filter.

Note: To disable filtering (that is, show all the elements in the tree), select None.
3.

Click Apply.

To display all the sites and devices


Click Reset.

To delete a filter
From the Filter drop-down list, select the filter; and then, click Delete.

50

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Getting Started with APSolute Vision

Table 1: Filter Criteria Parameters

Category

Description

Device Name

The name of device or regular expression. This criterion is useful if


device names indicate device features, organizational location, or
geographical location.
This field supports a wildcard (*) character.

Device IP Address

The device IP address, IP range, or IP mask.

Device Type

The type of device.

Property

Values:

Values: Alteon, AppDirector, DefensePro


StatusExposes the Up and Down checkboxes. You can
specify whether the filter displays only devices that are up or
only devices that are down.
Software VersionExposes the Software Version drop-down
list with the options corresponding to the selected Device Type.
Device Driver VersionExposes the Device Driver Version
drop-down list with the options corresponding to the selected
Device Type.
Form FactorWhen the selected Device Type is Alteon,
exposes Standalone, VX, vADC, and VA checkboxes.
Licensing InformationExposes the Licensing Information
drop-down list with the options corresponding to the selected
Device Type.
Last Configuration Backup
Date

The timestamp, in yyyy-MM-dd hh:mm:ss format, of the last


APSolute Vision configuration backup.
This field supports a wildcard (*) character.

Last Software Version


Upgrade Date

The timestamp, in yyyy-MM-dd hh:mm:ss format, of the last


device software upgrade. This criterion is useful to help you plan an
upgrade process. For example, with the Alteon vADC form factor,
you can filter all the vADCs whose software was updated at same
time.
This field supports a wildcard (*) character.

AppShape

The Alteon devices with the specified AppShape deployed.

Organization Site

The site in the Organization tab.


Note: This filter criterion applies only in the Organization tab.

Physical Container

Values:
Physical ContainerThe ADC-VX in the Physical tab.
Payload BladeSpecifies a specific payload blade, or any
payload blade when the field is empty.
Enabled vADCsSpecifies whether the enabled vADCs are
displayed.
Disabled vADCsSpecifies whether the disabled vADCs are
displayed.
Note: This filter criterion applies only in the Physical tab.

Document ID: RDWR-APSV-V0130_UG1205

51

APSolute Vision User Guide


Getting Started with APSolute Vision

52

Document ID: RDWR-APSV-V0130_UG1205

Chapter 3 Monitoring and Controlling the


APSolute Vision System
APSolute Vision monitors and controls the APSolute Vision server and platform, and the associated
database.
This chapter contains the following sections:

Monitoring APSolute Vision, page 53

Monitoring APSolute Vision Basic, Version, and Hardware Information, page 53

Managing Device Drivers, page 54

Managing Stored Device Configuration/Backup Files, page 57

Managing Configuration Templates, page 58

Managing DefensePro Security Groups, page 60

Controlling APSolute Vision Operations, page 63

Monitoring APSolute Vision


APSolute Vision monitors the APSolute Vision server and platform, and the associated database. The
system monitors performance and operational status, and stores the processed monitoring
information in the APSolute Vision database. When a problem is identified, an alert is issued, and
displayed in the Alerts pane.

Monitoring APSolute Vision Basic, Version, and Hardware


Information
You can view the version number and build details of the management software on the APSolute
Vision server.

To display APSolute Vision basic, version, and hardware information


1.

In the Asset Management perspective system pane, select General Settings.

2.

In the content pane, select the Overview tab.

Table 2: APSolute Vision Server Basic, Version, and Hardware Information

Parameter

Description
Basic Parameters

Operational Status

Specifies whether the of the APSolute Vision server is currently up or


down.

Management IP Address

The IP address of the of the APSolute Vision server used for


management.

Hardware Platform

The type of hardware platform of the APSolute Vision server.

Document ID: RDWR-APSV-V0130_UG1205

53

APSolute Vision User Guide


Monitoring and Controlling the APSolute Vision System

Table 2: APSolute Vision Server Basic, Version, and Hardware Information

Parameter

Description

Vision Server Uptime

The up time of the APSolute Vision server, in days, hours, minutes, and
seconds.

MAC Address of Port G1

The MAC address of the APSolute Vision server G1 management port.1

MAC Address of Port G2

The MAC address of the APSolute Vision server G2 management port.1

MAC Address of Port G3

The MAC address of the APSolute Vision server G3 management port.1, 2

Software
Software Version

The version of the APSolute Vision server.

Build

The date and build number of the current software version.

Hardware
RAM Size

The amount of RAM, in megabytes.

Attack Description
Attack Descriptions Last
Update

The time of the latest update of the Attack Description file on the
APSolute Vision server.

1 If the port is down, the field is empty.


2 If the port is not supported, the field displays the value Unsupported.

Managing Device Drivers


A device driver in APSolute Vision defines the GUI and configuration of the software version of a
managed device. The software version of a managed device defines the baseline driver version.
There may be multiple device-driver versions for a single software version of a device, but there can
be only one device-driver version in use on any single APSolute Vision server. That is, each device
driver applies to all devices in the system that use the same device-software version. That is, each
device driver applies to all devices in the system that use the same device-software version. That is,
each device driver applies to all devices in the system that use the same device-software version.
Typically, subsequent versions of device drivers include only fixes for GUI and configuration bugs.
You can install a newer version of the device driver, and you can revert to the baseline version.
When you upgrade device software, you need to reboot the device. However, when you install a new
version of a device driver or revert to the baseline version, you do not need to reboot the device.

Caution: Device drivers do not include changes to the online help. Depending on the
configuration of the APSolute Vision server, the APSolute Vision clients get online help
either from the APSolute Vision server (the default option) or radware.com. The
online-help files at radware.com are always the most up-to-date; but clients may
encounter latency or connectivity problems. If the APSolute Vision clients get online
help from the APSolute Vision server, after updating a device driver, the online-help
files on the server should be updated. It is the responsibility of the APSolute Vision
administrator to make sure that the help files on the server are updated as necessary.

54

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Monitoring and Controlling the APSolute Vision System

Notes:
>> For device software versions that were released prior to the release of APSolute Vision
1.10, all the baseline versions of the device drivers reside on the APSolute Vision server.
>> For device software versions that were released after the release of APSolute Vision
1.10, the baseline versions of the device drivers reside on the devices themselves.
>> The device driver includes the minimum APSolute Vision version.
When an APSolute Vision server detects that a new device has been installed or that a new device
software version has been installed on an existing device, the server does the following:
1. Retrieves the driver version from the device.
2. Checks whether it already has a driver version that corresponds to the device software version,
and uses the newest device driver.
3. If the driver version on the device is newer than the device version on the server, the server
downloads the new driver from the device, but does not apply it. The table in the Device Drivers
tab (in the Asset Management perspective) displays the device-version row shaded gray.
4. If the device driver is incompatible or not found, APSolute Vision behaves as follows:

Issues an appropriate error message, but displays the device in the tree of the System pane
with a special icon (?) on top of it.

When you click the device in the tree, no screen is displayed, but the following information is
displayed is the Properties pane: Device Name (from Vision), Device Type (if known),
Status: Unsupported, and Software Version: <SW_version>

The Properties pane includes the name of the device driver.


You can update the drivers of the devices of a particular software version, you can update all the
device drivers that are not updated in the APSolute Vision server, and you can revert the driver to
the baseline driver version.
If one or more of the relevant devices is locked, APSolute Vision prompts you whether to continue or
not. If you change the driver version when a device is locked by other users, you may lose the
changes for those users.

Table 3: Driver Parameters

Column

Description

Product Name

The device type.


Values: Alteon, AppDirector, DefensePro

Product Version

The device software version.

No. of Devices

The number of devices that use the same device software version.

Driver Baseline

The baseline version of the driver used for this device software version.

Driver in Use

The driver version in use for this device software version.

Latest Driver

The latest driver version for this device software version that is stored in
the APSolute Vision server.

Document ID: RDWR-APSV-V0130_UG1205

55

APSolute Vision User Guide


Monitoring and Controlling the APSolute Vision System

To update a device driver


1.

In the Asset Management perspective system pane, select General Settings > Device
Drivers.

2.

Right-click in the row with the relevant device and device version.

3.

Select Update Driver.

4.

Browse to the driver and click Open. APSolute Vision verifies that the device driver version is
relevant for the device software.

5.

Read the confirmation message; and then, accept or abort the action.
The version of the driver that you install cannot be the same version or an older version of the
driver baseline version. If the driver version that you install is newer than the baseline version
but older than the driver version in use, APSolute Vision prompts you for confirmation to
downgrade the current driver. If the driver version that you install is newer than the baseline
version and new than the driver version in use, APSolute Vision prompts you for confirmation to
downgrade the current driver.

To revert to baseline driver version that resides on the APSolute Vision server
1.

In the Asset Management perspective system pane, select General Settings > Device
Drivers.

2.

Right-click in the row with the relevant device and device version.

3.

Select Revert to Baseline Version.

Note: This option is displayed only when the driver version in use is different from the
baseline driver release.

To update all the device drivers to the latest ones that are stored in the APSolute
Vision server
1.

In the Asset Management perspective system pane, select General Settings > Device
Drivers.

2.

Click Update All Drivers to Latest.

Note: This command is available only when the APSolute Vision server has device driver
version that is later than one of the device drivers in use.

56

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Monitoring and Controlling the APSolute Vision System

Managing Stored Device Configuration/Backup Files


You can manage configuration files of managed devices that are stored on the APSolute Vision
server.
You can do the following:

View details of the configuration files of managed devices

Save configuration files from the server to your PC

Delete configuration files from the server

Edit configuration file descriptions

For information about configuring the maximum number of configuration files per device that can be
stored, see the APSolute Vision Administrator Guide.

To manage stored configuration file information


1. In the Asset Management perspective system pane, select Device Backups.
2. From the Device drop-down list, select the relevant device and click Go. Details of the stored
configuration files for the selected device are displayed in the table.
3. To delete a displayed configuration file from the server:
a.
b.

Right-click the entry and select Delete File.


Click OK in the confirmation message.

4. To edit the description of a configuration file:


a.
b.

Right-click the Description cell for the file and select Edit Description.
In the Description cell, add or edit the text, up to 50 characters.

5. To get the configuration file of the device from the APSolute Vision server and download the file
to the local PC:
a.

Right-click the entry and select Get Device Configuration File.

a.
b.

In the Save As text box, enter the path of the file or browse to the file.
Click Save.

Table 4: Device Configuration File Parameters

Parameter

Description

File Name

The name of the stored configuration file.

File Type

An Alteon or AppDirector device can have configuration files for itself, its
peer device, and its backup device.

(This parameter is not


available for
AppDirector 1.07.12.)

For all other devices, this field is set to Device.

SW Version

The software version of the device.

Backup Date

The date and time that the file was saved on the APSolute Vision server.

Description

A description of the file. You can enter and edit text in this field.

Document ID: RDWR-APSV-V0130_UG1205

57

APSolute Vision User Guide


Monitoring and Controlling the APSolute Vision System

Managing Configuration Templates


Only certain device versions and device drivers support this feature. For the list of supported device
versions and device drivers, refer to the release notes.
The Configuration Template feature enables you to configure an object with multiple parameters
with just a few actions. You create a configuration template in the relevant area of any managed
device that supports the Configuration Template feature. You can apply (that is, propagate) the
template on the same device or another device that supports that template. You can manage the
existing configuration templates stored on the APSolute Vision server in the Asset Management
perspective Templates tab.
Examples of configuration objects that support configuration templates:

AppDirector Farm

DefensePro BDoS Profile

For information about configuring configuration templates, see Configuring and Using Configuration
Templates, page 74.
Use the Templates tab (Asset Management perspective, Configuration Templates) to do the
following:

Filter the display of the list of the configuration templates

View and modify details of the configuration templates of managed devices

Edit configuration-template descriptions

Delete configuration templates

The Templates tab (Asset Management perspective, Configuration Templates) comprises a filter
and the Templates table, which displays data on each template.
The Templates table, supports the following columns:

EnabledSpecifies whether the template is enabled. When a template is enabled, you can use
it to create new configuration objects and propagate the values of the template onto existing
configuration objects. If the template is disabled, you cannot use it or edit it; the template is
only stored in APSolute Vision.

NameThe user-defined name of the template.

DescriptionThe user-defined description of the template.

Screen IDThe internal identifier of the user-interface that supports the template.

TypeThe configuration-object type of the template.

Device TypeThe type of the device that supports the template.

Software VersionThe software version of the device that supports the template.

Modified OnThe timestamp, in dd MMM hh:mm:ss format when the template was last
modified.

Modified ByThe APSolute Vision user who last modified the template.

Device Driver IDThe device driver filename.

Created OnThe timestamp, in dd MMM hh:mm:ss format when the template was created.

Created ByThe APSolute Vision user who created the template.

Total PropagationsThe total number of propagations of the template.

Successful PropagationsThe number of successful propagations of the template.

Failed PropagationsThe number of failed propagations of the template.

58

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Monitoring and Controlling the APSolute Vision System

To filter the templates that the Templates table shows


1. In the Asset Management perspective system pane, select Configuration Templates.
2. In the Template Filter group box, configure the parameters; and then, click Go.

Table 5: Template Filter Parameters

Parameter

Description

Enabled

The status of the templates.


Values:
AllThe Templates table shows enabled and disabled templates.
trueThe Templates table shows enabled templates.
falseThe Templates table shows disabled templates.

Device Type

The device type of the templates.


Values:
AllThe Templates table shows templates of all relevant device types.
AppDirectorThe Templates table shows the templates of AppDirector
devices. templates.
DefenseProThe Templates table shows the templates of DefensePro
devices.

Software Version

The software version of the devices with templates.


Values:
AllThe Templates table shows templates of all software versions with
templates.
Software versionThe Templates table shows the templates of the
selected version.

Type

The configuration-object type with templates.


Values:
AllThe Templates table shows all configuration-object type with
templates.
Configuration-object typeThe Templates table shows the templates of
the selected configuration-object type.

To edit template properties and view read-only data


1. In the Asset Management perspective system pane, select Configuration Templates.
2. In the Templates group box, right-click in the row and select Edit Row.
3. Configure or view the parameters; and then, click Save.

Document ID: RDWR-APSV-V0130_UG1205

59

APSolute Vision User Guide


Monitoring and Controlling the APSolute Vision System

Table 6: Template Parameters

Parameter

Description
Template

Enabled

Specifies whether the template is enabled. When a template is enabled,


you can use it to create new configuration objects and propagate the
values of the template onto existing configuration objects. If the template
is disabled, you cannot use it; it is only stored in APSolute Vision.
Values: true, false

Name

The user-defined name of the template.


Maximum characters: 255

Description

The user-defined description of the template.


Maximum characters: 255

Type

(Read-only) The configuration-object type of the template.

Template Statistics
The values in this group box are read-only.
Screen ID

The internal identifier of the user-interface that supports the template.

Device Driver ID

The device driver filename.

Software Version

The software version of the device that supports the template.

Device Type

The type of the device that supports the template.

Created On

The timestamp, in dd MMM hh:mm:ss format when the template was


created.

Created By

The APSolute Vision user who created the template.

Modified On

The timestamp, in dd MMM hh:mm:ss format when the template was last
modified.

Modified By

The APSolute Vision user who last modified the template.

Total Propagations

The total number of propagations of the template.

To delete a configuration template


1.

In the Asset Management perspective system pane, select Configuration Templates.

2.

In the Templates group box, right-click in the row and select Delete Row.

Managing DefensePro Security Groups


APSolute Vision can manage Security Groups, which are groups of DefensePro devices that share
security-threat information. The configuration of a Security Group includes senders and receivers.
Senders send security-threat information detected by the Anti-Scanning and/or Server Cracking
modules to APSolute Vision. Receivers receive security-threat information from APSolute Vision as
Dynamic Black List rules. A device can be both a sender and a receiver in the same group. When a
sender detects an attack and sends the information to APSolute Vision, APSolute Vision configures
each receiver with a Dynamic Black List rule that corresponds to the detected threat information.

60

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Monitoring and Controlling the APSolute Vision System
DefensePro devices running version 6.05 and later can be senders and/or receivers. DefensePro
devices running versions prior to 6.05 can be senders only.
A receiver in a DefensePro Security Group cannot be a secondary device in a cluster.
Security Groups reduce false-negatives in various environments and enhance DefensePros proactive
approach to security. Especially in asymmetrical network environments, there are cases where a
DefensePro device inspects only one direction of the traffic while other DefensePro devices inspect
the rest of the traffic. In such cases, without a Security Group to share information, when a
DefensePro device identifies a source as a threat and suspends it (blocks it), other DefensePro
devices can continue to forward traffic from the same source. In an extreme example of an
asymmetric (stateful) environment, a DefensePro device may identify a malicious source based on
server responses, though the DefensePro device cannot block the source because the sources
originated traffic passes through another DefensePro device. In such cases, with a Security Group to
share the information, all the receiver DefensePro devices can block the malicious traffic.

Caution: The Security Groups feature does not support redundant APSolute Vision servers.
Unexpected results may occur if more than one APSolute Vision server manages the
DefensePro devices that are members of a Security Group.

Note: APSolute Vision does not limit the number of Security Groups, the number of senders, or
the number of receivers. Radware has tested the feature with five Security Groups, each
with five senders and five receivers.
Security Group behavior:
1. The Anti-Scanning or Server Cracking module of a sender detects an attack. The configuration of
the Security Group includes the modules (Anti-Scanning and/or Server Cracking) that
participate in the group.
2. The sender notifies APSolute Vision using the regular security-event traps.
3. APSolute Vision configures each receiver with a Dynamic Black List rule.
The rule name is in the following format:

<SecurityGroupName> hhmm $$$$


where:

hhmm is the time (hour and minutes) that the Security Group configured the rule. This is the
time set in the APSolute Vision server (and not on the DefensePro receiver or sender).

$$$$ is a four-character hexadecimal hash of the event ID in the security-event trap.


The configuration of the black-list rule (in the receiver) exposes the Detector Module and the
Detector IP Address (in the Detector Security Module and Detector text boxes), which
identify the protection module (for example, Anti-Scanning) and the sender that detected the
attack.
APSolute Vision does not configure a sender with a black-list rule based on its own security
events. That is, if a DefensePro device is a sender and a receiver in a Security Group, when the
device sends a security-event trap to the Security Group, APSolute Vision does not configure
that same device with the corresponding black-list rule.

Document ID: RDWR-APSV-V0130_UG1205

61

APSolute Vision User Guide


Monitoring and Controlling the APSolute Vision System
The configuration of the Security Group determines the blocking period and whether the rule
blocks all the traffic from the source or only combination of the following:

Attacked address

Attacked port

Protocol

To configure a DefensePro Security Group


1.

In the Asset Management perspective Networking tab navigation pane, select Security Groups.

2.

Do one of the following:

3.

To add an entry, click the

(Add) button.

To edit an entry, double-click the row.

Configure the parameters; and then, click OK.

Table 7: Security Group Parameters

Parameter

Description

Enabled

Specifies whether the Security Group is enabled. This enables you to keep
a Security Group configuration even when it is not in use.
Default: Disabled

Group Name

The name of the Security Group.

Blocking Period

The time, in minutes, that the receivers block traffic. This is the value of
the Expiration Timer in the black-list rule with which APSolute Vision
configures the receivers. The Expiration Timer fields display the time
remaining.
Values: 1120
Note: For information on black lists, see Configuring Black Lists,
page 651.

Blocking Rule Parameters


The Security Group uses a Boolean AND operator to determine which packets to block. That is, the
more parameters enabled here, the more specific the blocked traffic.
Source

(Read-only always enabled) Specifies that the receivers always block all the
traffic from the IP address of the source of the attack.

Destination IP Address Specifies that the receivers block the IP address of the attacked machine.
Default: Disabled
Destination Port

Specifies that the receivers block the attacked port of the attacked
machine.
Default: Disabled

Protocol

Specifies that the receivers block the protocol used in the attack.
Default: Disabled

Security Modules
Anti-Scanning

Specifies that the receivers block malicious traffic detected by the AntiScanning module of the senders.
Default: Enabled

62

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Monitoring and Controlling the APSolute Vision System

Table 7: Security Group Parameters

Parameter

Description

Server Cracking

Specifies that the receivers block malicious traffic detected by the Server
Cracking module of the senders.
Default: Enabled

Senders
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available DefensePro devices. The Selected Devices list displays the senders of the Security Group.

Receivers
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available DefensePro devices. The Selected Devices list displays the receivers of the Security
Group.

Controlling APSolute Vision Operations


You can perform the following operations on APSolute Vision:

Backing up the APSolute Vision dataYou can back up the configuration tables and other
APSolute Vision data. Backup operations run by means of CLI commands. For more information
about APSolute Vision CLI commands, see the APSolute Vision Administrator Guide.

Note: APSolute Vision backs up the Audit table at regular intervals.

Updating the Attack Description file. For information about updating the Attack Description file,
see the APSolute Vision Administrator Guide.

You can perform the following operations using APSolute Vision CLI:

Restoring the appliance configuration.

Restoring the server configuration.

Management upgrade of appliance and server software.

Restarting the APSolute Vision server.

For more information about APSolute Vision CLI commands, see the APSolute Vision Administrator
Guide.

Document ID: RDWR-APSV-V0130_UG1205

63

APSolute Vision User Guide


Monitoring and Controlling the APSolute Vision System

64

Document ID: RDWR-APSV-V0130_UG1205

Chapter 4 Managing Auditing and Alerts


APSolute Vision logs all alerts and actions for APSolute Vision and, optionally, for the managed
devices. You can view auditing information and other alerts in the Alerts pane.
The following topics describe APSolute Vision auditing and the Alerts pane:

APSolute Vision Auditing, page 65

Enabling Configuration Auditing for Managed Devices, page 66

Managing Alerts, page 66

APSolute Vision Auditing


APSolute Vision auditing meets compliance requirements by automatically logging:

All APSolute Vision alerts and user actions.

All configuration changes made to managed devices via APSolute Vision.

This meets Sarbanes-Oxley requirements to audit any configuration change that might affect the
network. In APSolute Vision, you can also configure the managed devices to log all configuration
changes on the device.
The Auditing log is stored in the APSolute Vision database. All audit logs are sent to the Alerts pane,
and can be displayed in the Alerts pane depending on the alerts filter configuration.
The following information is logged to the audit log:

All user management events and user activities (for example, successful login, password change
by user, password reset by admin, and so on).

Actions performed on the device (for example, uploading or downloading a file to a device,
device reboot and shutdown, log file retrieval, and so on).

APSolute Vision activities (including appliance activities, APSolute Vision upgrade, and so on).

Device changes through CLI or WBM (if device auditing is enabled).

Alarms received from the device (if device auditing is enabled).

Device configuration activities (if device auditing is enabled). The audit log records all
configuration changes applied to the managed devices.

Device addition and deletion.

To manage APSolute Vision auditing

Enable or disable configuration auditing for devices. For more information, see Enabling
Configuration Auditing for Managed Devices, page 66.

Enable and configure syslog and e-mail settings for sending audit information from the Alerts
pane. For more information, see the APSolute Vision Administrator Guide.

Document ID: RDWR-APSV-V0130_UG1205

65

APSolute Vision User Guide


Managing Auditing and Alerts

Enabling Configuration Auditing for Managed Devices


When configuration auditing for devices is enabled on the APSolute Vision server and on the device,
any configuration change on a device using APSolute Vision creates two records in the Audit
database, one from the APSolute Vision server, and one from the device audit message.

Note: To prevent overloading the managed device and prevent degraded performance, the
feature is disabled by default.

To enable configuration auditing for a managed device


1.

In the Configuration perspective system pane, select the device for which you want to configure
auditing.

2.

In the Advanced Parameters tab navigation pane, select Configuration Audit.

3.

To enable configuration auditing, select the Enable Configuration Auditing checkbox.

4.

Click

(Submit) to submit changes.

Managing Alerts
The Alerts tab in the Alerts pane stores and displays alerts.

Note: The Alerts pane includes the Messages tab, which displays Alteon configuration
messages.
The alerts are based on events that are received from:

SNMP traps sent by managed Radware devices.

Auditing messages from all APSolute Vision modules.

APSolute Vision server events.

Configuration auditing messages for managed devices, if enabled on the device.

All alert information is stored in the APSolute Vision database in a separate table from the audit
information. Alert information can be sent to a central audit repository via syslog, and to a
configured recipient via e-mail.

66

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Managing Auditing and Alerts

Events Handled in the Alerts Pane


The following types of events are handled by the Alerts pane:

SNMP Traps, page 67

Auditing Messages, page 67

APSolute Vision Server Events, page 67

SNMP Traps
The Alerts pane handles all error traps generated by APSolute Vision and the managed devices,
including:

Generic traps, such as, Cold Start, Link Down, Link Up, Authentication Failure, and so on

Radware traps common to all Radware devices

Device-specific Radware traps

Auditing Messages
APSolute Vision forwards all logged audit events from all APSolute Vision modules and managed
devices to the Alerts pane, including:

Successful and failed login attempts

Backup and restore operations

Configuration changes to APSolute Vision and the managed devices

Monitoring and control changes

Successful and failed task scheduling changes

User management configuration changes

APSolute Vision Server Events


APSolute Vision server events include events from:

Server and database monitoring processes

The APSolute Vision appliance

The watchdog process, which monitors APSolute Vision server processes

Alert Information
All alert information is stored in the APSolute Vision database.
Double-click on a an alert in the Alerts tab to open the Alert Details dialog box, which displays all the
information with the expanded alert message.
Each alert in APSolute Vision contains the following information:

Document ID: RDWR-APSV-V0130_UG1205

67

APSolute Vision User Guide


Managing Auditing and Alerts

Alert Information

Description

Ack

A check box indicating whether the alert has been


Yes, by default
acknowledged. Alerts of Info severity are acknowledged
automatically when raised. Alerts of severity higher than
Info require user acknowledgement. Acknowledging an
alert indicates that it has been seen by the user and
remains in the Alerts pane display. You can select or
clear the check box to acknowledge or un-acknowledge
alerts.

Severity

The APSolute Vision severity of the event: Critical, Major, Yes, by default
Minor, Warning, Info. SNMP trap severities are mapped
as shown in SNMP Trap to APSolute Vision Severity
Mappings, page 69.

Time

Displayed in
Alerts Pane?

The date and GMT time at which the event occurred.

Yes, by default

In the Alert Details dialog box, this value is displayed


with the label Raised Time.
Device Name

The values differ according to the alert type, as follows: Yes, by default
SNMP trapsThe value is the name of the device
that generated them.
APSolute Vision auditing events, which have device
context (configuration, monitoring). The value is the
name of the device to which the event relates.
When the alert is generated by the APSolute Vision
server, no device name is displayed.

Device IP

The IP address of the device to which the message


relates. No value is provided for alerts generated by
APSolute Vision.

Yes, by default

Message

The description of the event.

Yes, by default

Module

The source module of the event.

Yes, by default

Values:
Device SecurityFor network security alerts
Device GeneralFor all other device alerts
Vision ConfigurationAPSolute Vision configuration
auditing messages
Vision ControlAPSolute Vision Monitoring auditing
messages
Vision GeneralIncludes general APSolute Vision
auditing messages and APSolute Vision server
events
User Name

68

For APSolute Vision auditing, the name of the user


whose action was audited.

Yes, if
configured

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Managing Auditing and Alerts

Alert Information

Description

Displayed in
Alerts Pane?

Device Type

The type of device that generated the alert:

Yes, by default

Any Alteon device


Any AppDirector device
Any DefensePro device
The APSolute Vision serverfor auditing, appliance,
server and database monitoring, and watchdog
alerts
Trap SID

The trap SID for SNMP traps. There is no value for


events that are not SNMP traps.

Yes, if
configured

Port

The port number included in the alert information, if it


Yes, by default
exists (for example, when a port link goes up or down).

The Raised Time, Device Name, and Message uniquely identify an alert, and are together considered
the Alert key.

Table 8: SNMP Trap to APSolute Vision Severity Mappings

Trap Severity

APSolute Vision Severity Severity Description

Fatal

Critical

Indicates a severe problem, which prevents or


disrupts normal use of the object.

Error

Major

Indicates a problem of relatively high severity,


which is likely to prevent normal use of the
object.

Minor

Indicates a problem of relatively low severity,


which should not prevent normal use of the
object.

Warning

While the managed object is functioning as it


is intended to function, conditions exist that
could potentially cause a problem.

(APSolute Vision uses


predefined criteria to
assign Major or Minor
severity)
Warning

Info

Info

Information only. There are no problems and


the object is functioning normally.

Displaying Alert Information


Alert information is displayed in the Alerts pane, which, by default, is below the content pane. For
more information about the information displayed, see Alert Information, page 67.
By default, alert information is displayed for one hour after the alert is raised. The information is
then cleared from the display, but remains in the Alerts database. You can change the default in the
Filtering dialog box. For more information, see Filtering Alerts, page 71.
The configured number of most recent critical alerts are always displayed at the top of the table on
a colored background.
You can maximize and minimize the Alerts pane. For more information about Alerts pane navigation
features, see APSolute Vision Interface Navigation, page 34.
The number of unacknowledged alerts for each severity are displayed in the bar above the table.
The information in the alert table is refreshed according to your configured preferences.

Document ID: RDWR-APSV-V0130_UG1205

69

APSolute Vision User Guide


Managing Auditing and Alerts
In the Alerts pane, you can:

Show and hide columns.

Acknowledge and unacknowledge displayed alerts. Alerts of severity higher than Info require
user acknowledgement to indicate that they have been seen by the user. The alert remains in
the Alerts pane display.

Filter the alerts in the alert table to display a subset of alerts. For more information, see Filtering
Alerts, page 71.

Clear individual alerts from the alert table display.

Clear all the alerts in APSolute Vision database that match the current filter, whether or not the
alerts are visible in the Alerts pane.

Turn off automatic refresh of alert information.

To view details of an alert


Double-click the alert row that you want to view. The alert details are displayed in the Alert
Details dialog box.
For more information about the information displayed, see Alert Information, page 67.

To show and hide columns in the alert table


To show or hide a column, right-click in the header row and select the required column from the
list.
Displayed columns are indicated by a

next to their name in the list.

To clear all the alerts in APSolute Vision database that match the current filter,
whether or not the alerts are visible in the Alerts pane
Click the

(Clear All Alerts) button.

To acknowledge alerts
Do one of the following:

70

To acknowledge an alert, right-click the alert row in the table and select Acknowledge
Alert.

To acknowledge several alerts, select the corresponding rows, then right-click and select
Acknowledge Alert.

To acknowledge all alerts in the alert table, click the

(Acknowledge All Alerts) button.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Managing Auditing and Alerts

To unacknowledge alerts
Do one of the following:

To unacknowledge an alert, right-click the alert row in the table and select Unacknowledge Alert.

To unacknowledge multiple alerts, select the corresponding rows, then right-click and select
Un-acknowledge Alert.

To clear alerts from display


To clear alerts, do one of the following:

To clear an alert, right-click the alert row in the table and select Clear Alert.

To clear several alerts, select the corresponding rows, then right-click and select Clear
Alert.

Notes:
>> Cleared alerts remain in the database, but cannot be viewed.
>> Clearing an unacknowledged alert automatically acknowledges the alert.
Automatic refresh is indicated by the selected

(Refresh) button.

To turn off automatic refresh of alert information


Click the

(Refresh) button to deselect it.

Note: Radware recommends turning off automatic refresh while you are analyzing alert
information to prevent alerts disappearing from the display.

Filtering Alerts
You can display a subset of the currently displayed alerts by filtering the alerts according to various
alert information criteria.
The criteria are organized according to categories, for example, alert severity, device module, and
so on. Criteria from the same category are combined with logical OR. Criteria from different
categories are combined with logical AND.
The default filter settings include all criteria in all categories, meaning, by default, all alerts raised in
the last hour are displayed.

Document ID: RDWR-APSV-V0130_UG1205

71

APSolute Vision User Guide


Managing Auditing and Alerts
Use the filtering criteria to define how long an alert is displayed in the Alerts Browser.

Note: Regardless of the filter defined, the configured number of most recent critical alerts are
always displayed at the top of the table on a colored background. This means that
critical alerts that match the filter criteria are displayed twice.

To filter alerts in the alert table


1.

In the Alerts pane, click the

(Filter) button.

2.

Set filtering criteria parameters and click OK. The table is updated at the next automatic
refresh.

3.

To restore the default filtering criteria, click Restore Defaults, then click OK.

For more information about the filtering criteria, see Alert Information, page 67.

Table 9: Filtering Criteria Parameters

Parameter
Select Devices

Description
Click to select a subset of managed devices for which to display alerts.
In the Select Devices dialog box, move the required devices from the
Available list to the Selected list.

Select All Devices

When selected, matching alerts for all devices are displayed.

Raised Time

Alerts raised within the defined time period are displayed. For
example, if you define 1 hour, alerts raised in the last hour are
displayed. After the defined time, alerts are cleared from the display
(not from the Alerts database).
Values: 124 hours
Default: 1 hour

Severity

Alerts of the selected severities are displayed.

Module

Alerts for the selected modules are displayed.

Device Type

Alerts for the selected device types are displayed.

Acknowledgment

Specifies whether to display acknowledged alerts, unacknowledged


alerts, or both.

Configuring Preferences for the Alerts Pane


You can configure the following preferences for the Alerts pane:

Client preferencesDefine how many critical alerts to display and how often the client polls the
server for alert information. For more information, see the APSolute Vision Administrator Guide.

Server preferencesDefine how the APSolute Vision server handles alerts. You can enable and
configure reporting and logging events from the Alerts browser to a syslog server. You can
configure sending alert information via e-mail to a defined recipient. For more information, see
the APSolute Vision Administrator Guide.

72

Document ID: RDWR-APSV-V0130_UG1205

Chapter 5 Basic Device Configuration


Users with the proper permissions can add devices to the site tree and configure them.
The following topics describe basic device configuration tasks:

Locking and Unlocking Devices, page 73

Configuring and Using Configuration Templates, page 74

Alteon Configuration ManagementGlobal Commands, page 76

AppDirector Setup, page 78

DefensePro Setup, page 93

General Device Setup, page 122

Upgrading a License for a Managed Device, page 127

Managing Certificates, page 131

Configuring SNMP, page 136

Configuring Device Users, page 144

Configuring Access Permissions on Physical Ports, page 146

Configuring Port Pinging, page 147

Configuring Tuning Parameters, page 147

Locking and Unlocking Devices


When you have permissions to perform device configuration on a specific device, you must lock the
device before you can configure it. Locking the device ensures that other users cannot make
configuration changes at the same time. The device remains locked until you unlock the device, you
disconnect, until the Device Lock Timeout elapses, or an Administrator unlocks it.
Locking a device does not apply to the same device that is configured on another APSolute Vision
server, using Web Based Management, or using CLI.

Note: Only one APSolute Vision server should manage any one Radware device. For more
information, see the APSolute Vision Administrator Guide.
While the device is locked:

The device icon in the system pane includes a small lock symbol
AppDirector,

for Alteon,

for

for DefensePro.

Configuration panes are displayed in read-only mode to other users with configuration
permissions for the device.

If applicable, the

(Submit) button is displayed.

If applicable, the

(Add) button is displayed.

Document ID: RDWR-APSV-V0130_UG1205

73

APSolute Vision User Guide


Basic Device Configuration

To lock a device
In the Configuration perspective system pane, right-click the device name, and select Lock
Device.

To unlock a device
In the Configuration perspective system pane, right-click the device name, and select Unlock
Device.

Configuring and Using Configuration Templates


Only certain device versions and device drivers support this feature. For the list of supported device
versions and device drivers, refer to the release notes.

Notes:
>> This section describes configuration templates and how to configure and use them. For
information about managing configuration templates, see Managing Configuration
Templates, page 58.
>> For information on the parameters of the configuration object itself, refer to section on
the specific configuration object.
>> The device must be locked to configure and use configuration templates.
The Configuration Template feature enables you to configure a configuration object with multiple
parameters with just a few actions. For example, AppDirector Farm and DefensePro BDoS Profile are
configuration objects that supports the Configuration Template feature.
The APSolute Vision server stores and manages configuration templates, so you can use them on
any managed device of the same type and supported version.
With the Configuration Template feature, you can:

Create a new configuration object based on a template.

Propagate the values of a specified configuration template onto an existing configuration object.

Configuring Configuration Templates


You create a configuration template in the relevant area of a locked managed device that supports
the Configuration Template feature.
When you are in the configuration area of a configuration object that supports the Configuration
Template feature, the right-click menu supports following actions:

Create New <Configuration Object Type> TemplateCreates a new configuration


template from scratch based on the parameters of the configuration object but with no
existing user-defined values.

Create Template from <Configuration Object Type>Creates a new configuration


template from an existing configuration objectwith existing user-defined values. If no instance
of the configuration object exists in the device, this option is not exposed.

Edit <Configuration Object Type> TemplateOpens the Edit <Configuration Object Type>
Configuration Template dialog box. The dialog box comprises a table with the corresponding

74

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration
configuration templates and template statistics. Double-click the required template to open the
Edit Template dialog box. There, you can modify the values of the configuration template. If no
instance of the configuration object exists in the device, this option is not exposed.
When you configure a configuration template, the parameters displayed in the dialog box that opens
are identical to that of the corresponding configuration object except for the following:

You configure the following fields:

EnabledSpecifies whether you can use the template to create new configuration objects
or propagate the template onto existing configuration objects. If the template is disabled,
you cannot use it or edit it; the template is only stored in APSolute Vision.

NameThe user-defined name of the template. Maximum characters: 255.

DescriptionThe user-defined description of the template. Maximum characters: 255.

The type of the configuration object is displayed read-only.

The read-only template statistics are displayed in the Template Statistics group box.

Certain parameters expose the following two, additional values:

Existing ValueThe propagation process preserves the existing value of the parameter.

Use Default Value The propagation process changes the existing value of the parameter
to the default value for the parameter.

Table 10: Template Statistics

Parameter

Description

Screen ID

The internal identifier of the user-interface that supports the template.

Device Driver ID

The device driver filename.

Software Version

The software version of the device that supports the template.

Device Type

The type of the device that supports the template.

Created On

The timestamp, in dd MMM hh:mm:ss format when the template was


created.

Created By

The APSolute Vision user who created the template.

Modified On

The timestamp, in dd MMM hh:mm:ss format when the template was last
modified.

Modified By

The APSolute Vision user who last modified the template.

Total Propagations

The total number of propagations of the template.

Using Configuration Templates


If you are in a configuration area of a locked device and there is a configuration template of the
corresponding type, the following actions are available from the right-click menu:

Add New <Configuration Object> from TemplateCreates a new configuration object from
a template. This option is available only if the configuration option supports manually adding a
new parameter.

Propagate <Configuration Object> TemplatePropagates the values from a specified


configuration template onto the selected values. This option is available only if the configuration
object supports changing the value of parameters.

Document ID: RDWR-APSV-V0130_UG1205

75

APSolute Vision User Guide


Basic Device Configuration

Configuration-Template Behavior
The Configuration Template feature supports the following:

APSolute Vision applies configuration templates sequentially for all selected configuration
objects within a device.

APSolute Vision logs changes in the audit trail (like other configuration changes): SuccessIf
the change was successfully applied; FailedIf something failed during the update.

APSolute Vision issues success and failure alerts for propagations of configuration templates.

Managed devices issue alerts on changed parameter values caused by template-propagation


action (that is, audit alerts on success, error alerts on error).

APSolute Vision logs propagation information in the propagate.log files, which you can access
via the Web interface of the APSolute Vision server. APSolute Vision cyclically stores up to 10
propagate.log files of 5 MB each, appending the appropriate number to the .log extension.

To download the propagate.log file


1.

Open your browser and enter the IP address of the APSolute Vision server. An Authentication
Required dialog box is displayed.

2.

Enter the User Name and password, type the password. Use the username and password that
you receive from your system administrator. The initial default user name is visionweb. The
initial default password is radware.

3.

Click OK. The Radware Web page opens.

4.

Click the Maintenance Files icon. The maintenance page opens.

5.

Click the link to the required propagate.log file.

Alteon Configuration ManagementGlobal Commands


Alteon devices support the following configuration-management actionsalso referred to as global
commands.

Table 11: Alteon Device Configuration Management Actions

Action

Description

Apply

Applies any changes that have been made to the device configuration.
This option is available only if the device is locked.

Save

Saves the current configuration in backup memory and saves the active
configuration by overwriting the current configuration.
This option is available only if the device is locked.

Revert

Reverts the device to the current active configuration.


This option is available only if the device is locked and the new
configuration settings were not applied.

Revert Apply

Reverts the device to the current saved configuration.


This option is available only if the device is locked and the new
configuration settings were applied but not saved.

76

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 11: Alteon Device Configuration Management Actions

Action

Description

Diff

Collects the pending configuration changes. You can view, save, and
copy the text when you double-click the associated message in the
Messages tab in the Alerts pane.

Diff Flash

Collects the pending configuration changes and the affected


configuration stored in flash memory on the device. You can view, save,
and copy the text when you double-click the associated message in the
Messages tab in the Alerts pane.

Dump

Collects a dump of the current device configuration. You can view, save,
and copy the text when you double-click the associated message in the
Messages tab in the Alerts pane.

When an Alteon device is selected in the site tree, APSolute Vision exposes the configurationmanagement options in the device shortcut menu and in the main toolbar.

To perform an Alteon configuration-management action


Do one of the following:

In the Configuration perspective system pane, right-click the device name; and then, select
the required option.

In the Configuration perspective system pane, select the device name, and; and then, from
main toolbar, click the required button. The Diff Flash button is displayed when you click
the arrow of the Diff button. The Revert Apply button is displayed when you click the
arrow of the Revert button.

Figure 28: Alteon Configuration Management Options in the Shortcut MenuDevice Is Locked

Figure 29: Alteon Configuration Management Options in the Shortcut MenuDevice Is Not Locked

Document ID: RDWR-APSV-V0130_UG1205

77

APSolute Vision User Guide


Basic Device Configuration

Figure 30: Alteon Configuration Management Options in the ToolbarDevice Is Locked

Figure 31: Alteon Configuration Management Options in the Toolbar MenuDevice Is Locked

AppDirector Setup
You can configure the following setup parameters for a selected AppDirector device:

Configuring AppDirector Global Parameters, page 78

Configuring AppDirector Date and Time Synchronization, page 79

Configuring AppDirector Daylight Savings, page 80

Configuring AppDirector E-mail Settings, page 82

Configuring AppDirector Syslog Settings, page 83

Configuring AppDirector DNS Client, page 85

Configuring AppDirector BOOTP, page 87

Configuring AppDirector Session Table Settings, page 87

Configuring AppDirector Threshold Warning Levels, page 89

Configuring AppDirector Statistics Monitoring, page 91

Configuring AppDirector Static Forwarding Table, page 92

Configuring AppDirector Global Parameters


You can view the following device information:

Basic device parameters

The time and date settings on the device

Device hardware and software versions

To view and configure AppDirector global parameters


1.

In the Configuration perspective Setup tab, select Global Parameters.

2.

Configure location and contact information, if required.

3.

Click

78

(Submit) to submit the changes.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 12: AppDirector Global Parameters

Parameter

Description
Basic Parameters

Device Description

(Read-only) The description configured on the device.

Device Name

(Read-only) The device name configured in APSolute Vision.

Peer Device Name

The name of the peer device. This parameter is required for


configuration synchronization between this device and its peer.

(This parameter is available


only in AppDirector 2.30 and
later.)
Location

Enter the device location, if required.

Contact Information

Enter contact information, if required.

System Up Time

(Read-only) The length of time that the device has been up since last
device reboot.

Date and Time


Device Time

(Read-only) The time setting on the device.

Device Date

(Read-only) The date setting on the device.

Version Information
Software Version

(Read-only) The version of the product software on the device.

Hardware Version

(Read-only) The version of device hardware.

Serial Number

(Read-only) The serial number of the device hardware.

Configuring AppDirector Date and Time Synchronization


AppDirector uses Network Time Protocol (NTP) to synchronize time and date. NTP enables device
synchronization by distributing an accurate clock across the network. At predefined intervals, a
device sends time query messages to the NTP Server. The server sends the date and time to the
device.
Enabling or disabling the NTP capability results in different levels of accuracy.

Note: When NTP is disabled, the time and date must be set manually for the device.

To configure AppDirector date and time synchronization


1. In the Configuration perspective Setup tab, select Time Settings.
2. Configure the parameters; and then, click

Document ID: RDWR-APSV-V0130_UG1205

(Submit) to submit the changes.

79

APSolute Vision User Guide


Basic Device Configuration

Table 13: NTP Parameters

Parameter

Description

Enable NTP

Enables or disables the NTP feature.


Default: disabled
Note: The NTP Server Address must be configured to enable the
NTP feature.

Server IP Address

The address of the NTP server.

L4 Port

The NTP server port.


Default: 123

Polling Interval

The interval, in seconds, between time query messages sent to the


NTP server.
Default: 172,800

Time Zone

The timezone offset from GMT (-12:00 to + 12:00 hours).


Default: 00:00

Configuring AppDirector Daylight Savings


AppDirector supports daylight savings time. You can configure the daylight savings time by defining
the start and end date or by defining recurring daylight savings using day and week or the month
parameters.
During daylight savings time, the device automatically adds one hour to the system clock. The
device also indicates whether it is on standard time or daylight saving time.

Note: When the system clock is manually configured, the system time is changed only when
daylight saving time starts or ends. When daylight saving time is enabled during the
daylight saving time period, the device does not change the system time.

To configure AppDirector daylight saving


1.

In the Configuration perspective Setup tab, select Time Settings > Daylight Saving.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Table 14: AppDirector Daylight Savings Parameters

Parameter

Description
Daylight Saving Time Parameters

Enabled

Enables or disables daylight saving time.


Default: Disabled

Current Mode

80

(Read-only) Indicates whether the device is on standard time or


daylight saving time.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 14: AppDirector Daylight Savings Parameters

Parameter

Description

Delta

The difference, in hours, between Daylight Savings Time and


Standard Time. This is the number of hours by which the clock is to
be adjusted.
Default: 1

Daylight Saving Time Begins


Mode

The mode of defining when daylight saving begins.


Values:
DateSelect to define the exact date on which daylight savings
begins.
RecurringSelect to define the conditions for the recurring start
of daylight saving, for example, first Sunday in April.

Month

The month in which daylight saving begins.

Day

Day of the month when daylight saving begins.

(Date mode only)

Values: 131

Week Day (Recurring mode


only)

The day of the week on which daylight saving begins.

Instance
(Recurring mode only)

The instance of the day in the month when daylight saving begins.
For example, if daylight saving begins on the first Sunday in April,
the value is 1.

Hour

The hour at which daylight saving begins.


Values: 024

Begin Date and Time

(Read-only) Displays the date and time at which daylight savings will
take effect.

Daylight Saving Time Ends


Mode

The mode of defining when daylight saving ends.


Values:
DateSelect to define the exact date on which daylight savings
ends.
RecurringSelect to define the conditions for the recurring end
of daylight saving, for example, last Sunday in October.

Month

The month in which daylight saving ends.

Day

Day of the month when daylight saving ends.

(Date mode only)

Values: 131

Week Day

The day of the week on which daylight saving ends.

(Recurring mode only)


Instance
(Recurring mode only)

The instance of the day in the month when daylight saving ends. For
example, if daylight saving ends on the last Sunday in October, the
value is 4.

Hour

The hour at which daylight saving ends.


Values: 024

End Date and Time

(Read-only) Displays the date and time at which daylight saving


ends.

Document ID: RDWR-APSV-V0130_UG1205

81

APSolute Vision User Guide


Basic Device Configuration

Configuring AppDirector E-mail Settings


You can configure the device to send information messages via e-mail to device users. This feature
can be used for sending trap information via e-mail. When you configure device users, you can
specify whether an individual user should receive notifications via e-mail and the minimal event
severity reported via SNMP traps and e-mail. The user will receive traps of the configured severity
and higher.
The e-mail configuration applies both for SNMP traps and for SMTP e-mail notifications. SMTP
notifications are enabled globally for the device.

Note: The device optimizes the mailing process by gathering reports and sending them in a
single notification message once the buffer is full or once a timeout of 60 seconds
expires.

To configure AppDirector e-mail settings


1.

In the Configuration perspective Setup tab navigation pane, select Email Settings.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Note: To configure users to receive e-mails about errors, in the User Table, set the e-mail
address and notification severity level for each user. For information about configuring
users, see Configuring Device Users, page 144.

Table 15: AppDirector E-mail Parameters

Parameter

Description
Basic SMTP Parameters

Enable Email Client

Enables the e-mail client. Select to support features that are related
to sending e-mail messages.
Default: Disabled

Enable Sending Email upon Enables sending notifications via e-mail.


Errors
Default: Disabled

SMTP Server Parameters


Primary Server Address

IP address of the SMTP Server.

Alternative Server Address

An IP address of an alternative SMTP Server. The alternate SMTP


server is used when SMTP connection cannot be established
successfully with the main SMTP server, or when main SMTP server
closed the connection. The device tries to establish connection to the
main SMTP server, and starts re-using it when available.

SMTP Client Parameters


Email Address

82

Mail address that is displayed in the Sender field of e-mail messages


generated by the device, for example device1@domain.com.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 15: AppDirector E-mail Parameters

Parameter

Description

Name in To Field

The text that is displayed in the Recipient field of e-mail messages


generated by the device.

Backup Device Email


Address

The e-mail address of the Backup AppDirector device.

(This parameter is not


available in AppDirector
1.07.12.)

Configuring AppDirector Syslog Settings


In AppDirector 2.14.03, event traps can be mirrored to one or more syslog servers. For each
managed device, you can configure the appropriate information. Any traps generated by the device
will be mirrored to specified syslog servers.
In AppDirector versions other than 2.14.03, event traps can be mirrored to one syslog server. For
each managed device, you can configure the appropriate information. Any traps generated by the
device will be mirrored to the specified syslog server.
You can also use additional notification settings, such as Facility and Severity. Facility specifies the
type of device of the sender. Severity indicates the importance or impact of the reported event. The
user-defined Facility value is used when the device sends syslog. The Severity value is determined
dynamically by the device for each message that is sent.

Note: Instead of configuring each individual device, Radware recommends configuring the
APSolute Vision server to convey the syslog messages from all devices. For more
information about configuring syslog reporting on the APSolute Vision server, see the
APSolute Vision Administrator Guide.

To configure syslog in AppDirector 2.14.03


1. In the Configuration perspective Setup tab, select Syslog.
2. Do one of the following:

To enable the syslog feature, select the Enable Syslog checkbox.

To disable the syslog feature, clear the Enable Syslog checkbox.

Default: Enabled
3. Do one of the following:

To add an entry, click the

(Add) button.

To modify an entry, double-click the entry in the table.

4. Configure the parameters; and then, click

Document ID: RDWR-APSV-V0130_UG1205

(Submit) to submit the changes.

83

APSolute Vision User Guide


Basic Device Configuration

Table 16: Syslog Parameters for AppDirector 2.14.03

Parameter

Description

Address or Hostname

The IP address or hostname of the device running the syslog


service (syslogd).

Source Port

The syslog source port.


Default: 514

Destination Port

The syslog destination port.


Default: 514

Facility

The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages

Local 6

Clock Daemon

Local 7

Clock Daemon2

Log Alerts

FTP Daemon

Log Audit

Kernel Messages

Mail System

Line Printer Subsystem

Network New Subsystem

Local 0

NTP Daemon

Local 1

Security Messages

Local 2

Syslogd Messages

Local 3

System Daemons

Local 4

User Level Messages

Local 5

UUCP

Default: Local Use 6


Operational Status

Specifies whether the syslog server is enabled.


Default: Enabled

To configure syslog in AppDirector versions other than 2.14.03


1.

In the Configuration perspective Setup tab, select Syslog.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Table 17: Syslog Parameters for AppDirector Versions Other Than 2.14.03

Parameter

Description

Enable Syslog

Enables or disables syslog reporting.

Server Address

IP address of the device running the syslog service (syslogd).

84

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 17: Syslog Parameters for AppDirector Versions Other Than 2.14.03

Parameter

Description

Facility

The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages

Local 6

Clock Daemon

Local 7

Clock Daemon2

Log Alerts

FTP Daemon

Log Audit

Kernel Messages

Mail System

Line Printer Subsystem

Network New Subsystem

Local 0

NTP Daemon

Local 1

Security Messages

Local 2

Syslogd Messages

Local 3

System Daemons

Local 4

User Level Messages

Local 5

UUCP

Default: Local Use 6

Configuring AppDirector DNS Client


You can configure AppDirector to operate as a Domain Name Service (DNS) client. When the DNS
client is disabled, IP addresses cannot be resolved. When the DNS client is enabled, you must
configure servers for which AppDirector will send out queries for host name resolving.
You can set the DNS parameters and define the primary and the alternate DNS servers for dynamic
DNS. In addition you can set static DNS parameters.
For a detailed description of how DNS works, see the AppDirector User Guide.

To configure DNS client settings


1. In the Configuration perspective Setup tab, select DNS Client.
2. Configure basic DNS client parameters; and then, click

(Submit) to submit the changes.

3. To add or modify static DNS entries, do one of the following:

To add an entry, click the

(Add) button.

To modify an entry, double-click the entry in the table.

4. Configure the static DNS parameters and click OK.

Document ID: RDWR-APSV-V0130_UG1205

85

APSolute Vision User Guide


Basic Device Configuration

Table 18: DNS Client Parameters in AppDirector 2.30 and Later

Parameter

Description

Enable DNS Client

Enables AppDirector to operate as a DNS client to resolve IP


addresses.

Primary Network Type

The network type of the primary DNS server.


Values: IPv4, IPv6
Default: IPv6

Primary DNS Server Address The IP address of the primary DNS server to which AppDirector sends
queries.
Alternative Network Type

The network type of the alternate DNS server.


Values: IPv4, IPv6
Default: IPv6

Alternative DNS Server


Address

The IP address of the alternative DNS server to which AppDirector


sends queries.

Table 19: Static DNS Parameters in AppDirector 2.30 and Later

Parameter

Description

Host Name

The domain name for the specified IP address.

IPv4 Address

The IPv4 address for the specified domain name.

IPv6 Address

The IPv6 address for the specified domain name.

Table 20: DNS Client Parameters in AppDirector Versions Prior to 2.30

Parameter

Description

Enable DNS Client

Enables AppDirector to operate as a DNS client to resolve IP


addresses.

Primary DNS Server Address The IP address of the primary DNS server to which AppDirector sends
queries.
Alternative DNS Server
Address

The IP address of the alternative DNS server to which AppDirector


sends queries.

Table 21: Static DNS Parameters in AppDirector Versions Prior to 2.30

Parameter

Description

Host Name

The domain name for the specified IP address.

IP Address

The IP address for the specified domain name.

86

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Configuring AppDirector BOOTP


BOOTP is a protocol that is used to obtain the client IP address from the BOOTP server.

To configure BOOTP settings


1. In the Configuration perspective Setup tab navigation pane, select BootP.
2. Configure the parameters; and then, click

(Submit) to submit the changes.

Table 22: BootP Parameters for AppDirector

Parameter

Description

Server Address

The IP address of the BootP server. The device forwards BootP requests
to the BootP server and acts as a BootP relay.

Relay Threshold

The time, in seconds, that the device waits before relaying requests to
the BootP server. This delay allows local BootP servers to answer first.

Configuring AppDirector Session Table Settings


AppDirector devices include a Session table, which tracks sessions bridged and forwarded by the
device.
For information about monitoring the session table, see the APSolute Vision online help.

To configure session table settings


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Session
Table Settings.
2. Configure the parameters; and then, click

(Submit) to submit the changes.

Table 23: AppDirector Session Table Parameters

Parameter

Description

Enable Session Table

When enabled, the device uses the Session table.


Default: Enabled

Remove Session Entry at


Session End

When enabled, the device removes sessions from the Session


Table five seconds after receiving a FIN or RST packet if no
additional packets are received on the same session within the
five seconds. This option is available only for Full Layer 4 Lookup
Mode. When enabled, Radware recommends that you free
resources when the Aging Time of the Session Table is set at a
high value. However, this can cause a slight performance
degradation.
Default: Enabled

Document ID: RDWR-APSV-V0130_UG1205

87

APSolute Vision User Guide


Basic Device Configuration

Table 23: AppDirector Session Table Parameters

Parameter

Description

Send Reset to Server When No


Data is Received

When enabled, the device sends a TCP RST packet to the server
if no data is transmitted through the session because it may be a
SYN attack.
Default: Disabled

Lookup Mode

The layer of address information that is used to categorize


packets in the Session Table.
Values:
Full Layer 4An entry exists in the Session Table for each
source IP, source port, destination IP, and destination port
combination of packets passing through the device. This is
the default mode for the Session Table. Radware
recommends selecting this option when traffic classification
on Layer 4 or 7 is required.
Dest Layer 4 PortEnables traffic to be recorded based only
on the TCP/UDP destination port. This mode uses minimal
Session Table resources (only one entry for each port that is
secured).

Aging Time

The time, in seconds, that the device keeps a non-active session


in the Session Table.
Default: 100

Configuring AppDirector Suspend Settings


A managed device can suspend traffic from an IP address that was the source of an attack, for a
defined period of time.
Dynamic blocking duration is implemented by the Anti-Scanning and Server Cracking protections
based on the suspend settings that you configure. (Although connection-rate limits and intrusion
signatures can be set manually to suspend the source, they do not support dynamic duration.)
The dynamic blocking duration is usually set by the managed devices Anti-Scanning and Server
Cracking protections:

The initial suspend time period cannot be lower than the Minimal Aging Timeout.

Each additional time the same source is suspended, the suspension length is doubled until it
reaches the Maximal Aging Timeout.

When the suspension length has reached the maximum length allowed, it remains constant for
each additional suspension.

To configure Suspend-table settings


1.

In the Configuration perspective Advanced Parameters tab navigation pane, select Suspend
Table Settings.

2.

Configure the parameters; and then, click

88

(Submit) to submit the changes.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 24: Suspend Table Parameters

Parameter

Description

Minimal Aging Timeout

The time, in seconds, for which the managed device suspends firsttime offending source IP addresses.
Default: 10

Maximal Aging Timeout

The maximal time, in seconds, for which the managed device


suspends a specific source. Each time the managed device suspends
the same source, the suspension length doubles until it reaches the
Maximal Aging Timeout.
Default: 600

Maximum Entries with Same The number of times the managed device suspends the same source
Source IP
IP address before the managed device suspends all traffic from that
source IP addressregardless of the specified Suspend Action. For
example, if the value for this parameter is 4 and the specified
Suspend Action is SrcIP-DstIP-SrcPort-DstPort, the managed device
suspends all traffic from a source IP address that had an entry in the
Suspend list more than four times, even if the destination IP address,
source port, and destination ports were different for the previous
updates to the Suspend table.
This parameter is irrelevant when the specified Suspend Action is
SrcIP.
Values:
0The device does not implement the feature.
110
Default: 0

Configuring AppDirector Threshold Warning Levels


To optimize AppDirector configuration and resource thresholds, AppDirector can indicate and alert
usage of various tables and other parameters. AppDirector continuously monitors this usage and can
notify you when usage thresholds are exceeded.

To configure threshold warning levels


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Threshold
Warning Levels.
2. Configure the parameters; and then, click

Document ID: RDWR-APSV-V0130_UG1205

(Submit) to submit the changes.

89

APSolute Vision User Guide


Basic Device Configuration

Table 25: Threshold Warning Parameters

Parameter

Description

Send Threshold Warnings

Enables the threshold warning traps mechanism.


Default: Enabled

Minimum Time Between


Warnings

Minimum time, in seconds, between consecutive warnings


AppDirector sends about the same resource.
Default: 60
Note: 0 specifies that traps are sent continuously.

Client Table

The percentage of Client Table use above which a warning is


issued.
Statistics are kept as follows:
Current number of entries
Average value for last 5 seconds
Average value for the last 60 seconds
Default: 85

L3 Client Table

The percentage of L3 Client Table use above which a warning is


issued.
Default: 85

Application Servers Connection


Limit Threshold

The percentage of L3 Client Table use above which a warning is


issued.
Default: 85

Physical Servers Connection


Limit Threshold

The percentage of Physical Servers Connection Limit use above


which a warning is issued.
Default: 85

Farms Capacity Threshold

The percentage of farm capacity use above which a warning is


issued.
Default: 85

Client NAT Threshold

The percentage of Client NAT ports use above which a warning is


issued.
Default: 85

Outbound NAT Threshold

The percentage of Outbound NAT ports use above which a


warning is issued.
Default: 85

Session ID Threshold

The percentage of Session ID table use above which a warning is


issued.
Values: 199
Default: 85

Requests Threshold

The percentage of Request table use above which a warning is


issued.
Default: 85

90

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 25: Threshold Warning Parameters

Parameter

Description

CPU Utilization Threshold

The percentage of CPU use above which a warning is issued.


High CPU usage on the device is caused by many reasons. A
device should actively notify its status, if this status is suspected
to be a non-valid status. To do this, a trap can be sent if for a
period of 30 seconds the average CPU usage in the device is
higher than a specified threshold. Another trap can be sent if the
device had 30 seconds of CPU usage lower than the specified
threshold.
You can configure the threshold using CLI, or WBM and SNMP.
Default: 95

Throughput Utilization
Threshold

The percentage of the licensed throughput use above which a


warning is issued.

(This parameter is not available Default: 95


in AppDirector 1.07.)
SSL CPS Utilization Threshold

The percentage of licensed SSL CPS use above which a warning is


(This parameter is not available issued.
in AppDirector 1.07.12.)
Default: 95
Compression Utilization
Threshold

The percentage of licensed compression use above which a


warning is issued.

(This parameter is not available Default: 95


in AppDirector 1.07.12.)

Configuring AppDirector Statistics Monitoring


You can configure polling and reporting of statistics. The statistics are sent from the device to the
APSolute Vision server via Statistics Reporting Protocol (SRP), a private Radware protocol.

To configure statistics monitoring


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Statistics
Monitoring.
2. Configure the parameters; and then, click

(Submit) to submit the changes.

Note: Since the statistics files are cumulative, you must ensure that you disable the Statistics
Reporting Mode before you create files larger than you desire. Failure to do so can result
in creating files that fill all available memory.

Document ID: RDWR-APSV-V0130_UG1205

91

APSolute Vision User Guide


Basic Device Configuration

Table 26: Statistics Monitoring Parameters

Parameter

Description
Basic Parameters

Statistics Reporting
Mode

Enables the creation of statistics files. Select the type of statistics to send:
FullSends all statistics.
DisabledDisables creation and sending of statistics files.
FlowSends statistics concerning flow.
Health MonitoringSends statistics concerning health.
Default: Disabled

Flow Statistics Polling


Time

How often, in seconds, to update the statistics file with new flow rate data.
The file is cumulative, and new data is added to existing data.
Default: 60 seconds

Health Monitoring
Statistics Polling Time

How often, in seconds, to update the statistics file with new health data.
The file is cumulative, and new data is added to existing data.
Default: 60 seconds

Acceleration Statistics
Interval

All Application Acceleration measuring and statistics are performed for the
defined interval, in seconds. The statistics are updated at the end of every
(This parameter is not interval. This means that a longer interval will give better average results
available in AppDirector but will lower the ability to see Security Monitoring values.
1.07.12.)
Default: 5

SRP Configuration
SRP Management Host
IP Address

The APSolute Vision server IP address.


Statistics Reporting Protocol (SRP) is a private Radware protocol for
efficient transmission of statistical data from the device to the APSolute
Vision server.

Configuring AppDirector Static Forwarding Table


Once a regular VLAN is defined, AppDirector performs bridging among interfaces assigned to the
same VLAN. Bridging within a VLAN means that AppDirector learns the MAC addresses of frames
arriving from each physical interface, and maintains a list of MAC addresses per interface.
AppDirector enables you to statically add MAC addresses to the interface list.
When a frame arrives from one interface, AppDirector looks for the frame Destination addresses
within its address list according to the following conditions:

If the Destination address is listed in the same interface as the Source address, AppDirector
discards the frame.

If the Destination address is listed in another interface, AppDirector forwards the frame to the
relevant interface.

If the Destination address is not listed in any interface, AppDirector broadcasts the frame to all
interfaces participating in the VLAN.

You can create and edit static bridge forwarding nodes.

92

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

To configure the Static Forwarding table


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Static
Forwarding.
2. To add or modify static forwarding entries, do one of the following:

To add a static forwarding entry, click the

(Add) button.

To edit an entry, double-click the entry in the table.

3. Configure the parameters; and then, click OK.

Table 27: Static Forwarding Parameters

Parameter

Description

Destination MAC Address

The static nodes MAC address.

Receive Port

Port through which frames are received from this entry.

Type

Describes how the node entry behaves upon device reset.


Values:
PermanentThe entry remains after device reset.
Delete On RebootThe entry is deleted by a device reset.

DefensePro Setup
You can configure the following setup parameters for a selected DefensePro device:

Configuring DefensePro Global Parameters, page 94

Configuring DefensePro Date and Time Synchronization, page 94

Configuring DefensePro Daylight Saving, page 95

Configuring DefensePro E-mail Settings, page 96

Configuring DefensePro Syslog Settings, page 97

Configuring DefensePro BOOTP, page 100

Configuring DefensePro High Availability, page 101

Configuring Dynamic Protocols for DefensePro, page 106

Configuring IP Fragmentation for DefensePro, page 108

Configuring Security Reporting Settings, page 108

Configuring Out-of-Path Settings for DefensePro, page 112

Configuring DefensePro Session Table Settings, page 112

Configuring DefensePro Suspend Settings, page 119

Configuring DefensePro Advanced Settings, page 120

Configuring Tunneling Inspection, page 121

Document ID: RDWR-APSV-V0130_UG1205

93

APSolute Vision User Guide


Basic Device Configuration

Configuring DefensePro Global Parameters


You can view the following device information:

Basic device parameters

The time and date settings on the device

Device hardware and software versions

To view and configure DefensePro global parameters


1.

In the Configuration perspective Setup tab navigation pane, select Global Parameters.

2.

Configure location and contact information, if required; and then, click


the changes.

(Submit) to submit

Table 28: DefensePro Global Parameters

Parameter

Description
Basic Parameters

Device Description

(Read-only) The description configured on the device.

Device Name

(Read-only) The device name configured in APSolute Vision.

Location

Enter the device location, if required.

Contact Information

Enter contact information, if required.

System Up Time

(Read-only) The length of time since that the device has been up
since last device reboot.

Date and Time


Device Time

(Read-only) The time setting on the device.

Device Date

(Read-only) The date setting on the device.

Version Information
Software Version

(Read-only) The version of the product software on the device.

Hardware Version

(Read-only) The version of device hardware.

Configuring DefensePro Date and Time Synchronization


DefensePro uses Network Time Protocol (NTP) to synchronize time and date. NTP enables device
synchronization by distributing an accurate clock across the network. At predefined intervals, a
device sends time query messages to the NTP Server. The server sends the date and time to the
device.
Enabling or disabling the NTP capability results in different levels of accuracy.

Note: When NTP is disabled, the time and date must be set manually for the device.

94

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

To configure DefensePro date and time synchronization


1. In the Configuration perspective Setup tab navigation pane, select Time Settings.
2. Configure the parameters; and then, click

(Submit) to submit the changes.

Table 29: NTP Parameters

Parameter

Description

Enable NTP

Enables or disables the NTP feature.


Default: Disabled
Note: The NTP Server Address must be configured to enable the NTP
feature.

Server Name

The IP address of the NTP server.

L4 Port

The NTP server port.


Default: 123

Polling Interval

The interval, in seconds, between time query messages sent to the NTP
server.
Default:
64For DefensePro 5.11
172,800For DefensePro versions other than version 5.11

Time Zone

The time-zone offset from GMT (-12:00 to +12:00 hours).


Default: 00:00

Configuring DefensePro Daylight Saving


DefensePro supports daylight savings time. You can configure the daylight savings time start and
end dates and times. During daylight savings time, the device automatically adds one hour to the
system clock. The device also indicates whether it is on standard time or daylight saving time.

Note: When the system clock is manually configured, the system time is changed only when
daylight saving time starts or ends. When daylight saving time is enabled during the
daylight saving time period, the device does not change the system time.

To configure DefensePro daylight saving


1. In the Configuration perspective Setup tab navigation pane, select Time Settings > DayLight
Saving.
2. Configure the parameters; and then, click

Document ID: RDWR-APSV-V0130_UG1205

(Submit) to submit the changes.

95

APSolute Vision User Guide


Basic Device Configuration

Table 30: Daylight Saving Parameters

Parameter

Description

Enabled

Enables or disables daylight saving time.


Default: Disabled

Begins at

The start date and time for daylight saving time.

Ends at

The end date and time for daylight saving time.

Current Mode

Specifies whether the device is on standard time or daylight saving


time.

Configuring DefensePro E-mail Settings


You can configure the device to send information messages via e-mail to device users. This feature
can be used for sending trap information via e-mail. When you configure device users, you can
specify whether an individual user should receive notifications via e-mail and the minimal event
severity reported via SNMP traps and e-mail. The user will receive traps of the configured severity
and higher.
The e-mail configuration applies both for SNMP traps and for SMTP e-mail notifications. SMTP
notifications are enabled globally for the device.

Note: The device optimizes the mailing process by gathering security and system events,
which it sends in a single notification message when the buffer is full, or when a timeout
of 60 seconds expires.

To configure DefensePro e-mail settings


1.

In the Configuration perspective Setup tab navigation pane, select Email Settings.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Note: To configure users to receive e-mails about errors, in the User Table, set the e-mail
address and notification severity level for each user. For information about configuring
users, see Configuring Device Users, page 144.

Table 31: DefensePro E-mail Parameters

Parameter

Description
Basic SMTP Parameters

Enable Email Client

Enables the e-mail client. Select to support features that are related
to sending e-mail messages.
Default: Disabled

Enable Sending Email upon Enables sending notifications via e-mail.


Errors
Default: Disabled

96

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 31: DefensePro E-mail Parameters

Parameter

Description
SMTP Server Parameters

Primary Server Address

IP address of the SMTP Server.

Alternate Server Address

An IP address of an alternative SMTP Server. The alternate SMTP


server is used when SMTP connection cannot be established
successfully with the main SMTP server, or when main SMTP server
closed the connection. The device tries to establish connection to the
main SMTP server, and starts re-using it when available.

SMTP Client Parameters


Email Address

Mail address that will appear in the Sender field of e-mail messages
generated by the device, for example device1@domain.com.

Configuring DefensePro Syslog Settings


In DefensePro 6.00 and later, event traps can be mirrored to up to five syslog servers. For each
DefensePro device, you can configure the appropriate information. Any traps generated by the
device will be mirrored to the specified syslog servers.
In DefensePro versions prior to 6.00, event traps can be mirrored to one syslog server. For each
DefensePro device, you can configure the appropriate information. Any traps generated by the
device will be mirrored to the specified syslog server.
You can also use additional notification settings, such as Facility and Severity. Facility specifies the
type of device of the sender. Severity specifies the importance or impact of the reported event. The
user-defined Facility value is used when the device sends syslog messages; the Severity value is
determined dynamically by the device for each message that is sent.

Note: Instead of configuring each individual device, Radware recommends configuring the
APSolute Vision server to convey the syslog messages from all devices. For more
information about configuring syslog reporting on the APSolute Vision server, see the
APSolute Vision Administrator Guide.

To configure syslog in DefensePro 6.00 and later


1. In the Configuration perspective Setup tab, select Syslog.
2. Do one of the following:

To enable the syslog feature, select the Enable Syslog checkbox.

To disable the syslog feature, clear the Enable Syslog checkbox.

Default: Enabled
3. Do one of the following:

To add an entry, click the

To modify an entry, double-click the entry in the table.

(Add) button.

4. Configure the parameters; and then, click

Document ID: RDWR-APSV-V0130_UG1205

(Submit) to submit the changes.

97

APSolute Vision User Guide


Basic Device Configuration

Table 32: Syslog Parameters for DefensePro 6.00 and Later

Parameter

Description

Enable Syslog Server

Specifies whether the syslog server is enabled.


Default: Enabled

Server Address

The IP address or hostname of the device running the syslog service


(syslogd).

Source Port

The syslog source port.


Default: 514
Note: Port 0 specifies a random port.

Destination Port

The syslog destination port.


Default: 514

Facility

The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages

Local 6

Clock Daemon

Local 7

Clock Daemon2

Log Alert

FTP Daemon

Log Audit

Kernel Messages

Mail System

Line Printer Subsystem

Network News Subsystem

Local 0

NTP Daemon

Local 1

Syslogd Messages

Local 2

System Daemons

Local 3

User Level Messages

Local 4

UUCP

Local 5
Default: Local Use 6

98

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 32: Syslog Parameters for DefensePro 6.00 and Later

Parameter

Description

Protocol

The protocol that the device uses to send syslog messages.

(This parameter is
available only in
DefensePro version
6.02 and later.)

Values:
UDPThe device sends syslog messages using UDP. That is, the
device sends syslog messages with no verification of message
delivery.
TCPThe device sends syslog messages using TCP. That is, the device
verifies the message delivery. The device holds undelivered messages
in a backlog. As soon as the connection to the syslog server is reestablished, the device sends them. If the backlog is full (100
messages, non-configurable), the device replaces lower-priority
messages with higher-priority messages (FIFO).
TLSThe device sends syslog messages using TCP with Transport
Layer Security (TLS) and uses the CA certificate specified in the CA
Certificate Name field. That is, the device verifies message delivery.
The device holds undelivered messages in a backlog. As soon as the
connection to the syslog server is re-established, the device sends
them. If the backlog is full (100 messages, non-configurable), the
device replaces lower-priority messages with higher-priority messages
(FIFO).
Default: UDP
Note: Report notification of lost syslog messages to your network
administrator.

CA Certificate Name
(This parameter is
available only in
DefensePro version
6.02 and later.)

The name of the CA certificate in the Certificate Table that the device uses
to send syslog messages when TLS is selected in the Protocol field.
To configure a new CA certificate, from the drop-down list, select New.
To view the existing certificates, click
in the dialog box, double-click on it.

. And then, to edit a certificate

For information on configuring certificates, Managing Certificates,


page 131.

To configure syslog for DefensePro versions prior to 6.00


1. In the Configuration perspective Setup tab navigation pane, select Syslog.
2. Configure the parameters; and then, click

(Submit) to submit the changes.

Table 33: Syslog Parameters for DefensePro Versions Prior to 6.00

Parameter

Description

Enable Syslog

Enables or disables syslog reporting.

Server Address

IP address of the device running the syslog service (syslogd).

Document ID: RDWR-APSV-V0130_UG1205

99

APSolute Vision User Guide


Basic Device Configuration

Table 33: Syslog Parameters for DefensePro Versions Prior to 6.00

Parameter

Description

Facility

The type of device of the sender. This is sent with syslog messages.
You can use this parameter to do the following:
Distinguish between different devices
Define rules that split messages
Values:
Authorization Messages

Local 6

Clock Daemon

Local 7

Clock Daemon2

Log Alerts

FTP Daemon

Log Audit

Kernel Messages

Mail System

Line Printer Subsystem

Network New Subsystem

Local 0

NTP Daemon

Local 1

Security messages

Local 2

Syslogd Messages

Local 3

System Daemons

Local 4

User Level Messages

Local 5

UUCP

Default: Local Use 6


L4 Source Port

The syslog source port.


Default: 514

L4 Destination Port

The syslog destination port.


Default: 514

Configuring DefensePro BOOTP


BOOTP is a protocol that is used to obtain the client IP address from the BOOTP server.

To configure BOOTP settings


1.

In the Configuration perspective Setup tab navigation pane, select BootP.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Table 34: BOOTP Parameters for DefensePro

Parameter

Description

Server Address

The IP address of the BootP server. The device forwards BootP requests to
the BootP server and acts as a BootP relay.

Relay Threshold

The time, in seconds, that the device waits before relaying requests to the
BootP server. This delay allows local BootP servers to answer first.

100

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Configuring DefensePro High Availability


This feature is available in DefensePro 5.10 and later.
This section contains the following topics:

High-Availability in DefenseProOverview, page 101

Monitoring DefensePro Cluster in the System Tab, page 103

Configuring the Settings for a DefensePro High-Availability Cluster, page 104

Switching the Device States, page 106

High-Availability in DefenseProOverview
To support high availability (HA), you can configure two compatible DefensePro devices to operate in
a two-node cluster.
To be compatible, both cluster members must be of the same platform, software version, software
license, throughput license, and Radware signature file.
One member of the cluster is the primary; the other member of the cluster is the secondary.
A receiver in a DefensePro Security Group cannot be a secondary device in a cluster.
When you configure a cluster and submit the configuration, the newly designated primary device
configures the required parameters on the designated secondary device.
You can configure a DefensePro high-availability cluster in the following ways:

To configure the primary device of the cluster, the failover parameters, and the advanced
parameters, you can use the High Availability pane (Configuration perspective, Setup >
High Availability). When you specify the primary device, you specify the peer device, which
becomes the secondary member of the cluster.

To configure only the basic parameters of a cluster (Cluster Name, Primary Device, and
Associated Management Ports), you can use the Configuration perspective system pane.

The members of a cluster work in an active-passive architecture.


When a cluster is created:

The primary device becomes the active member.

The secondary device becomes the passive member.

The primary device transfers the relevant configuration objects to the secondary device.

A secondary device maintains its own configuration for the device users, IP interfaces, routing, and
the port-pair Failure Mode.
A primary device immediately transfers each relevant change to its secondary device. For example,
after you make a change to a Network Protection policy, the primary device immediately transfers
the change to the secondary device. However, if you change the list of device users on the primary
device, the primary device transfers nothing (because the secondary device maintains its own list of
device users).
The passive device periodically synchronizes baselines for BDoS and HTTP Mitigator protections.
The following situations trigger the active device and the passive device to switch states (active to
passive and passive to active):

The passive device does not detect the active device according to the specified Heartbeat
Timeout.

All links are identified as down on the active device according to the specified Link Down
Timeout.

Optionally, the traffic to the active device falls below the specified Idle Line Threshold for the
specified Idle Line Timeout.

You issue the Switch Over command. To switch the device states, in the Monitoring perspective
system pane, right-click the cluster node; and then select Switch Over.)

Document ID: RDWR-APSV-V0130_UG1205

101

APSolute Vision User Guide


Basic Device Configuration
You cannot perform many actions on a secondary device.
You can perform only the following actions on a secondary device:

Switch the device state (that is, switch over active to passive and passive to active)

Break the cluster if the primary device is unavailable

Configure management IP addresses and routing

Configure the port-pair Failure Mode.

Manage device users

Download a device configuration

Upload a signature file

Download the device log file

Download the support log file

Reboot

Shut down

Change the device name

Change the device time

Initiate a baseline synchronization if the device is passive, using CLI or Web Based Management.

Notes:
>> Before you can configure a cluster, the devices must be locked.
>> By design, an active device does not to fail over during a user-initiated reboot. Before
you reboot an active device, you can manually switch to the other device in the cluster.
>> You can initiate a baseline synchronization if a cluster member is passive, using CLI or
Web Based Management.
>> When you upgrade the device software, you need to break the cluster (that is, ungroup
the two devices). Then, you can upgrade the software and reconfigure the cluster as you
require.
>> In an existing cluster, you cannot change the role of a device (primary to secondary or
vice versa). To change the role of a device, you need to break the cluster (that is,
ungroup the two devices), and then, reconfigure the cluster as you require.
>> If the devices of a cluster belong to different sites, APSolute Vision creates the cluster
node under the site where the primary device resides; and APSolute Vision removes the
secondary device from the site where it was configured.
>> APSolute Vision issues an alert if the state of the device clusters is ambiguous. For
example, if there has been no trigger for switchover and both cluster members detect
traffic. This state is normal during the initial synchronization process.
>> There is no failback mechanism. There is only the automatic switchover action and the
manual Switch Over command.
>> When a passive device becomes active, any grace time resets to 0 (for example, the
time of the Graceful Startup Mode Startup Timer).
>> You can monitor high-availability operation in the High Availability pane of the
Monitoring perspective.
>> The Properties pane displays the high-availability information of the selected device.

102

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Monitoring DefensePro Cluster in the System Tab


In the system pane, APSolute Vision identifies the high-availability cluster elements, roles, modes,
and states using various combinations of icons and icon elements.

Note: You can monitor high-availability operation in the High Availability pane of the
Monitoring perspective.
The following table describes the icons that APSolute Vision displays in the system pane for
DefensePro high-availability clusters.

Table 35: Icons in the System Pane for DefensePro High-Availability Clusters

Icon

Description
Cluster
Primary device
Secondary device

The following table describes the icon elements that APSolute Vision displays in the system pane for
DefensePro high-availability clusters.

Table 36: Icons Elements in the System Pane for DefensePro High-Availability Clusters

Icon Element Description


Active device
Synchronizing
Unavailable
The following table describes some icons that APSolute Vision can displays in the system pane for
DefensePro high-availability clusters.

Table 37: Icons in the System Pane for DefensePro High-Availability ClustersExamples

Icon

Description
The cluster is operating nominally.
The cluster is synchronizing its members.
The cluster is unavailable.
The primary device is active, unlocked, and operating nominally.
The primary device is passive, unlocked, and operating nominally.
The secondary device is passive, unlocked, and operating nominally.

Document ID: RDWR-APSV-V0130_UG1205

103

APSolute Vision User Guide


Basic Device Configuration

Table 37: Icons in the System Pane for DefensePro High-Availability ClustersExamples

Icon

Description
The secondary device is active, unlocked, and operating nominally.
The secondary device is unlocked and unavailable.

Configuring the Settings for a DefensePro High-Availability Cluster


You can use the High Availability pane in the Configuration perspective to specify the primary device
of the cluster, and configured the failover parameters and advanced parameters.
When you specify the primary device, you specify the peer device, which becomes the secondary
member of the cluster.

To configure the settings for a high-availability cluster


1.

In the Configuration perspective Setup tab navigation pane, select High Availability.

2.

Configure the parameters; and then, click


(Submit) to submit the changes. APSolute Vision
names the cluster Cluster_<IP address of primary device>.

Note: To rename the cluster, in the Configuration perspective system pane, right-click the
cluster node, and select Rename <Cluster Name>. Rename the cluster (up to
32 characters); and then, click outside the cluster node.

Table 38: High Availability Parameters for DefensePro

Parameter

Description
Cluster Definition

Cluster Member

Specifies whether the device is a member of a two-node cluster for high


availability. If you clear the Cluster Member checkbox in the configuration
(of the primary or secondary member), APSolute Vision breaks the cluster
(after you submit the changes).
Note: You can clear the Cluster Member checkbox in the configuration
of the secondary only when the primary member is unavailable.

Peer Device

The name of the other device in the cluster. The drop-down list contains
the names of all the DefensePro devices that are not part of a cluster.
When the device is a member of an existing high-availability cluster, the
drop-down list is unavailable.

Associated
Management Ports

Specifies the management (MNG) port or ports through which the primary
and secondary devices communicate.
Values: MNG1, MNG2, MNG1+2
Note: You cannot change the value if the currently specified
management port is being used by the cluster. For example, if the
cluster is configured with MNG1+2, and MNG1 is in use, you
cannot change the value to MNG2.

104

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 38: High Availability Parameters for DefensePro

Parameter

Description
Failover

Heartbeat Timeout

The time, in seconds, that the passive device detects no heartbeat from the
active device before the passive device becomes active.
Values: 110
Default: 5

Link Down Timeout

The time, in seconds, after all links to the active device are identified as
being down before the devices switch states.
Values: 165,535
Default: 1
Note: If a dead link or idle line is detected on both cluster members,
there is no switchover.

Use Idle Line


Detection

Specifies whether the devices switch states due to an idle line detected on
the active device.
Default: Disabled
Note: If an idle line is detected on both cluster members, there is no
switchover.

Idle Line Threshold

The minimum bandwidth, in Kbit/s, that triggers a switchover when the


Use Idle Line Detection option is enabled.
Values:
5124,294,967,296In version 6.02 and later
51265,535In versions prior to 6.02
Default: 512
Note: If the Use Idle Line Detection checkbox is cleared, this
parameter is ignored.

Idle Line Timeout

The time, in seconds, with line bandwidth below the Idle Line Threshold
that triggers a switchover when the Use Idle Line Detection option is
enabled.
Values: 365,535
Default: 10
Note: If the Use Idle Line Detection checkbox is cleared, this
parameter is ignored.

Advanced Configuration
Baseline Sync.
Interval

The interval, in seconds, that the active device synchronizes the BDoS and
HTTP Mitigator baselines.
Values: 360086400
Default: 3600
Note: The active device synchronizes the baselines also when the
cluster is created.

Switchover Sustain
Timeout

The time, in seconds, after a manual switchover that the cluster members
will not change states.
Values: 303600
Default: 180

Document ID: RDWR-APSV-V0130_UG1205

105

APSolute Vision User Guide


Basic Device Configuration

Switching the Device States

To switch the device states


1.

In the Monitoring perspective system pane, right-click the cluster node.

2.

Select Switch Over.

Configuring Dynamic Protocols for DefensePro


Dynamic protocols use control or signaling channels that handle data, voice, and audio streaming
channels. For example, FTP has control session and data session; SIP has signaling sessions, data
sessions (RTP), and control sessions (RTCP).
Some dynamic sessions are in the Session Table longer than regular sessions. With VoIP, SIP and
H255, there are times with no traffic, however, the call is still active and the session does not age.
You can configure different aging times for various dynamic protocols, and different policies for
different connections of the same session. In FTP, for example, you can set one policy for FTP data
and another policy for FTP control.
Before you configure dynamic protocols, ensure that the Session table Lookup Mode is Full L4 (which
is the default). To change settings, see Configuring DefensePro Session Table Settings, page 112.

To configure dynamic protocols


1.

In the Configuration perspective Advanced Parameters tab navigation pane, select Dynamic
Protocols.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Table 39: Dynamic Protocol Parameters

Parameter

Description
FTP

Enable FTP

Enables/disables FTP Dynamic Protocol.


Default: Enabled

Control Session Aging Time

Specifies the Control Session Aging Time, in seconds.


Default: 0

Data Session Aging Time

Specifies the Data Session Aging Time, in seconds.


Default: 0

TFTP
Enable TFTP

Enables/disables TFTP Dynamic Protocol.


Default: Enabled

Data Session Aging Time

Specifies the Data Session Aging Time, in seconds.


Default: 0

106

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 39: Dynamic Protocol Parameters

Parameter

Description
Rshell

Enable Rshell

Enables/disables Rshell Dynamic Protocol.


Default: Enabled

Control Session Aging Time

Specifies the Control Session Aging Time, in seconds.


Default: 0

Data Session Aging Time

Enter a value for Data Session Aging Time, in seconds.

Rexec
Enable Rexec

Enables/disables Rexec Dynamic Protocol.


Default: Enabled

Control Session Aging Time

Specifies the Control Session Aging Time, in seconds.


Default: 0

Data Session Aging Time

Specifies the Data Session Aging Time, in seconds.

H.225
Enable H.225

Enables/disables H.225 Dynamic Protocol.


Default: Enabled

Control Session Aging Time

Specifies the Control Session Aging Time, in seconds.


Default: 0

H.245 Data Session Aging


Time

Specifies the Data Session Aging Time, in seconds.


Default: 0

SIP
Enable SIP

Enables/disables SIP Dynamic Protocol.


Session Initiation Protocol (SIP) is an IETF standard for initiating an
interactive user session involving multimedia elements such as video,
voice, chat, gaming, and so on. SIP can establish, modify, or
terminate multimedia sessions or Internet telephony calls.
When a policy for SIP is configured to block traffic from one direction,
it is not possible to open a SIP connection from another direction (SIP
uses the same port number for both source and destination).
Default: Disabled

Signaling Session Aging


Time

Specifies the Signaling Session Aging Time, in seconds.


When the clients communicate directly with each other, or work with
non-standard SIP ports, increase the aging time of the Signaling
Session Aging Time parameter.
Default: 20

RTCP Session Aging Time

Specifies the RTCP Session Aging Time, in seconds.


Default: 0

TCP Segments Aging Time

Specifies the SIP TCP Segments Aging Time, in seconds.


Default: 5

Document ID: RDWR-APSV-V0130_UG1205

107

APSolute Vision User Guide


Basic Device Configuration

Configuring IP Fragmentation for DefensePro


This section is relevant only for DefensePro versions prior to 5.12.

Note: In DefensePro 5.12 and later, you configure the IP Fragmentation parameters in the
Basic Parameters pane under the Configuration perspective Networking tab.
When the length of the IP packet is too long to be transmitted, the originator of the packet, or one of
the routers transmitting the packet, must fragment the packet to multiple shorter packets.
Using IP fragmentation, the managed device can classify the Layer 4 information of IP fragments.
The device identifies all the fragments that belong to same datagram, then classifies and forwards
them accordingly. The device does not reassemble the original IP packet, but forwards the
fragmented datagrams to their destination, even if the datagrams arrive at the device out of order.

To configure IP fragmentation In DefensePro versions prior to 5.12


1.

In the Configuration perspective Advanced Parameters tab navigation pane, select IP


Fragmentation.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Table 40: IP Fragmentation Parameters

Parameter
Enable IP Fragmentation

Description
When selected, enables IP fragmentation.
Default: Enabled

Queuing Limit

The percentage of IP packets the device allocates for out-ofsequence fragmented IP datagrams.
Values: 0100
Default: 25

Aging Time

The time, in seconds, that the device keeps the fragmented


datagrams in the queue.
Values: 1255
Default: 1

Configuring Security Reporting Settings


This feature is available only in AppDirector version 2.30 and later and DefensePro.
To support historical and real-time security-monitoring capabilities and provide in-depth attack
information for each attack event, the managed device establishes a data-reporting protocol
between the device and APSolute Vision. This protocol, called Statistical Real-time Protocol (SRP),
uses UDP packets to send attack information.
In addition, DefensePro can provide the APSolute Vision server sampled captured packets that were
identified by the DefensePro as part of the specific attack. DefensePro sends these packets to the
defined IP address, encapsulated in UDP packets.
You can enable the reporting channels used by managed devices to receive information about
attacks, and to report detected attacks based on their various risk levels.

108

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration
You can also configure DefensePro devices to send captured attack packets along with the attack
event for further offline analysis. Packet reporting and SRP use the same default port, 2088.

To configure security reporting channels


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Security
Reporting Settings.
2. Configure the parameters; and then, click

(Submit) to submit the changes.

Table 41: Security Reporting Parameters

Parameter

Description
Basic Parameters

Report Interval

The frequency, in seconds, the reports are sent though the


reporting channels.
Values: 165,535
Default: 5

Maximal Number of Alerts per


Report

The maximum number of attack events that can appear in


each report (sent within the reporting interval).
Values: 12000
Default: 1000

Report per Attack Aggregation


Threshold

The number of events for a specific attack during a reporting


interval, before the events are aggregated to a report. When
the number of the generated events exceeds the Aggregation
Threshold value, the IP address value for the event is
displayed as 0.0.0.0, which specifies any IP address.
Values: 165,535
Default: 5

L4 Port for Reporting

The port used for packet reporting using SRP.


Values: 165,535
Default: 2088

Enable Sending Traps

When selected, the device uses the traps reporting channel.


Default: Enabled

Minimal Risk Level for Sending


Traps

The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low

Enable Sending Syslog

When selected, the device uses the syslog reporting channel.


Default: Disabled

Minimal Risk Level for Sending


Syslog

The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low

Enable Sending Terminal Echo

When selected, the device uses the Terminal Echo reporting


channel.
Default: Disabled

Document ID: RDWR-APSV-V0130_UG1205

109

APSolute Vision User Guide


Basic Device Configuration

Table 41: Security Reporting Parameters

Parameter

Description

Minimal Risk Level for Sending


Terminal Echo

The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low

Enable Sending Email

When selected, the device uses the e-mail reporting channel.


Default: Disabled

Minimal Risk Level for Sending


Email

The minimal risk level for the reporting channel. Attacks with
the specified risk value or higher are reported.
Default: Low

Enable Security Logging

When selected, the device uses the security logging reporting


channel.
Default: Low

Packet Reporting and Packet Trace


This group box and the parameters in it are available only in DefensePro 5.11 and later.
Enable Packet Reporting

Specifies whether the DefensePro device sends sampled


attack packets along with the attack event.
Default: Enabled

Maximum Packets per Report

The maximum number of packets that the device can send


within the Report Interval.
Values: 165,535
Default: 100

Destination IP Address

The destination IP address for the packet reports.


Default: 0.0.0.0
Note: Only one destination IP address can be configured
for packet reporting, even when more than one
APSolute Vision server manages the device.

Enable Packet Trace on Physical Port Specifies whether the feature is disabled or enables the
feature and specifies the physical port to which the
DefensePro device sends identified attack traffic (when the
Packet Trace feature is enabled in the policy rule or profile).
Values:
noneThe Packet Trace feature is disabled.
The physical, inspection ports (that is, excluding the
management ports)
Default: none
Caution: A change to this parameter takes effect only
after you update policies.
Note: DefensePro x06 models support the Packet Trace
functionality only for dropped traffic.
Maximum Rate

The maximum number of packets per second that the Packet


Trace feature sends.
Values: 1200,000
Default: 50,000
Caution: A change to this parameter takes effect only
after you update policies.

110

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 41: Security Reporting Parameters

Parameter

Description

Maximum Length of Dropped


Packets

The maximum length, in bytes, of dropped packets that the


Packet Trace feature sends. DefensePro can limit the size of
Packet Trace sent packets only for dropped packets. That is,
when a rule is configured with Report Only (as opposed to
Block), the Packet Trace feature sends the whole packets.
Values: 641550
Default: 1550
Tip: If you are interested only in the packet headers of the
dropped packets, to conserve resources, modify the minimal
value, 64.
Caution: A change to this parameter takes effect only
after you update policies.

Packet Reporting
This group box and the parameters in it are available only in DefensePro versions prior to 5.11.
Enable Packet Reporting

When selected, DefensePro sends sampled attack packets


along with the attack event.

Maximal Number of Packets per


Report

The maximum number of packets that the device can send


within the Report Interval.

Destination Address

By default, this is the destination IP address of the


management station.

netForensics Reporting
Enable netForensics Reporting

When selected, enables reporting using netForensics


reporting agent.
Default: Disabled

Agent IP Address

The IP address of the netForensics agent.

L4 Port

The port used for netForensics reporting.


Values: 165,535
Default: 555

Data Reporting Destinations


Destination IP Address

The target addresses for data reporting.


The table can contain up to 10 addresses. By default, when
there is room in the table, addresses are added automatically
when you add a DefensePro device to the tree in the system
pane.
To add an address, click the
(Add) button. Enter the
destination IP address; and then, click OK.

Document ID: RDWR-APSV-V0130_UG1205

111

APSolute Vision User Guide


Basic Device Configuration

Configuring Out-of-Path Settings for DefensePro


When you install DefensePro outside the critical path of the traffic, you can configure the Out-of-Path
Mode to mitigate DoS attacks using the capabilities of the routers access list. When the device
operates in the Out-of-Path mode, the traffic is copied to the device and verified separately from the
main traffic route. When an attack is identified, Behavioral DoS translates the footprint into a router
Access List (ACL) command and configures the router accordingly.

Note: The feature works on Cisco routers that have the capability to mirror an interface and
accept ACL commands to reroute traffic. This feature was tested on Cisco 6509
IOS 12.2.

To configure out-of-path settings


1.

In the Configuration perspective Advanced Parameters tab navigation pane, select Out of Path.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Table 42: Out of Path Parameters

Parameter

Description

Enable Out of Path


Mode

You must enable and reboot the device before you can configure out-ofpath settings.
When Out of Path is enabled, the only available protection is BDoS.

Router IP Address

The IP address of the organization router that manages all the incoming
traffic.

Routers Enable
Password

Administrators password for the router.

Verify Password

Verification of password for the router.

SSH User Name

The name of the SSH user.

SSH Password

The password of the SSH user.

Verify SSH Password

Verification of password for the SSH user.

Router Interface for


Receiving Traffic

The router interface that is being monitored, and traffic from it will be
redirected.

Configuring DefensePro Session Table Settings


DefensePro includes a Session table, which tracks sessions bridged and forwarded by the device.

To configure Session table settings


1.

In the Configuration perspective Advanced Parameters tab navigation pane, select Session
Table Settings.

2.

Configure the parameters; and then, click

112

(Submit) to submit the changes.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 43: Session Table Parameters in Defense Pro 6.05 and Later

Parameter

Description
Basic Parameters

Enable Session Table

When enabled, the device uses the Session table.


Default: Enabled

Session Aging Parameters


Note: When the Access Control List (ACL) feature is enabled, aging times are determined by the
relevant ACL parameters.
Idle TCP-Session Aging Time

The time, in seconds, that the Session table keeps idle TCP
sessions.
Values: 17200
Default: 100

Idle UDP-Session Aging Time

The time, in seconds, that the Session table keeps idle UDP
sessions.
Values: 17200
Default: 100

Idle SCTP-Session Aging Time

The time, in seconds, that the Session table keeps idle SCTP
sessions.
Values: 17200
Default: 100

Idle ICMP-Session Aging Time

The time, in seconds, that the Session table keeps idle ICMP
sessions.
Values: 17200
Default: 100

Idle GRE-Session Aging Time

The time, in seconds, that the Session table keeps idle GRE
sessions.
Values: 17200
Default: 100

Idle Other-Protocol-Session
Aging Time

The time, in seconds, that the Session table keeps idle sessions
of protocols other than TCP, UDP, SCTP, ICMP, or GRE.
Values: 17200
Default: 100

Incomplete TCP Handshake


Timeout

How long, in seconds, the device waits for the three-way


handshake to be achieved for a new TCP-session. When the
timeout elapses, the device deletes the session and, if the Send
Reset To Server checkbox is selected, sends a reset packet to
the server.
Values:
0The device uses the specified Session Aging Time.
110The TCP Handshake Timeout in seconds.
Default: 10

Document ID: RDWR-APSV-V0130_UG1205

113

APSolute Vision User Guide


Basic Device Configuration

Parameter

Description
Advanced Parameters

Remove Session Entry at


Session End

Specifies whether the device removes sessions from the Session


Table after receiving a FIN or RST packet if no additional packets
are received on the same session within the Remove Session
Entry at Session End Timeout period.
Default: Enabled

Remove Session Entry at


Session End Timeout
(This option is available only if
Remove Session Entry at
Session End is enabled.)

When Remove Session Entry at Session End is enabled, the time,


in seconds, after which the device removes sessions from the
Session Table after receiving a FIN or RST packet if no additional
packets are received on the same session.
Values: 160
Default: 5

Send Reset to Destination of


Aged TCP Connection

Specifies whether the DefensePro device sends a RST packet to


the destination of aged TCP sessions.
Values:
EnabledDefensePro sends reset a RST packet to the
destination and cleans the entry in the DefensePro Session
table.
DisabledDefensePro ages the session normally (using
short SYN timeout), but the destination might hold the
session for quite some time.
Default: Disabled

Session-Table-Full Action

The action that the device takes when the Session Table is at full
capacity.
Values:
Allow new trafficThe device bypasses new sessions until
the till session table has room for new entries.
Block new trafficThe device blocks new sessions until the
session table has room for new entries.
Default: Allow new traffic

Alert-Start Threshold

The percentage of full capacity of the Session Table when the


device starts issuing alerts.
Default: 95

Alert-Stop Threshold

The percentage of full capacity of the Session Table when the


device stops issuing alerts.
Default: 90

114

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Parameter

Description

Lookup Mode

The layer of address information that is used to categorize


packets in the Session Table.
Values:
Full L4 An entry exists in the Session Table for each source
IP, source port, destination IP, and destination port
combination of packets passing through the device.
L4 Destination PortEnables traffic to be recorded based
only on the TCP/UDP destination port. This mode uses
minimal Session Table resources (only one entry for each
port that is secured).
Default: Full L4
Caution: Radware recommends that you always use the
Full L4 option. When Session Table Lookup Mode is
Layer 4 Destination Port, the following
Protections do not work:

ACL
Anti Scanning
Connection Packet Rate Limit
Connection Rate Limit
HTTP Mitigator
HTTP Replies Signatures
Out-of-State protection
Server Cracking
Stateful Inspection
SYN Protection

Disable Session Aging

When enabled, the device enables aging sessions in the Session


(This option is available only for table.
L4 Destination Port Lookup
Default: Disabled
Mode.)

Table 44: Session Table Parameters in Defense Pro Versions 5.10 through 6.03

Parameter

Description

Enable Session Table

When enabled, the device uses the Session table.


Default: Enabled

Remove Session Entry at


Session End

When enabled, the device removes sessions from the Session


Table five seconds after receiving a FIN or RST packet if no
additional packets are received on the same session within the
five seconds. This option is available only for Full Layer 4 Lookup
Mode (default mode).
Default: Enabled

Document ID: RDWR-APSV-V0130_UG1205

115

APSolute Vision User Guide


Basic Device Configuration

Parameter

Description

Send Reset to Destination When Specifies whether the DefensePro device sends a RST packet for
No Data is Received
TCP sessions where the device has seen the three-way
handshake (SYN and then ACK from the source) but has not seen
subsequent data packets.
Values:
EnabledDefensePro sends reset a RST packet to the
destination and cleans the entry in the DefensePro Session
table.
DisabledDefensePro ages the session normally (using
short SYN timeout), but the destination might hold the
session for quite some time.
Default: Disabled
Lookup Mode

The layer of address information that is used to categorize


packets in the Session Table.
Values:
Full Layer 4An entry exists in the Session Table for each
source IP, source port, destination IP, and destination port
combination of packets passing through the device. This is
the default mode for the Session Table. Radware
recommends that you always use this option.
L4 Destination PortEnables traffic to be recorded based
only on the TCP/UDP destination port. This mode uses
minimal Session Table resources (only one entry for each
port that is secured).
Note: When Session Table Lookup Mode is set to Layer 4
Destination Port, the following Protections do not
work:

Aging Time

ACL

Anti Scanning

Connection Packet Rate Limit

Connection Rate Limit

HTTP Mitigator

HTTP Replies Signatures

Out-of-State protection

Server Cracking

Stateful Inspection

SYN Protection

The time, in seconds, that the device keeps a non-active session


in the Session Table.
Default: 100
Note: When the Access Control List (ACL) feature is enabled,
Session table aging is determined by the relevant ACL
parameter.

116

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Parameter

Description
Advanced Parameters

TCP Handshake Timeout

How long, in seconds, the device waits for the three-way


handshake to be achieved for a new TCP-session. When the
timeout elapses, the device deletes the session and, if the Send
Reset To Server checkbox is selected, sends a reset packet to
the server.
Values:
0The device uses the specified Session Aging Time.
110The TCP Handshake Timeout in seconds.
Default: 10

Session Table Full Action

The action that the device takes when the Session Table is at full
capacity.
Values:
Allow new trafficThe device bypasses new sessions until
the till session table has room for new entries.
Block new trafficThe device blocks new sessions until the
session table has room for new entries.
Default: Allow new traffic

Alert-Start Threshold

The percentage of full capacity of the Session Table when the


device starts issuing alerts.
Default: 95

Alert-Stop Threshold

The percentage of full capacity of the Session Table when the


device stops issuing alerts.
Default: 90

Table 45: Session Table Parameters in Defense Pro 5.01

Parameter

Description

Enable Session Table

When enabled, the device uses the Session table.


Default: Enabled

Remove Session Entry at


Session End

When enabled, the device removes sessions from the Session


Table five seconds after receiving a FIN or RST packet if no
additional packets are received on the same session within the
five seconds. This option is available only for Full Layer 4 Lookup
Mode (default mode).
Default: Enabled

Send Reset to Server When No


Data is Received

When enabled, the device sends a TCP RST packet to the server
if no data is transmitted through the session because it may be a
SYN attack.
Default: Disabled

Document ID: RDWR-APSV-V0130_UG1205

117

APSolute Vision User Guide


Basic Device Configuration

Parameter

Description

Lookup Mode

The layer of address information that is used to categorize


packets in the Session Table.
Values:
Full Layer 4An entry exists in the Session Table for each
source IP, source port, destination IP, and destination port
combination of packets passing through the device. This is
the default mode for the Session Table. Radware
recommends that you always use this option.
L4 Destination PortEnables traffic to be recorded based
only on the TCP/UDP destination port. This mode uses
minimal Session Table resources (only one entry for each
port that is secured).
Note: When Session Table Lookup Mode is set to Layer 4
Dest Port, the following Protections do not work:

Aging Time

Server Cracking

HTTP Mitigator

Anti Scanning

HTTP Replies Signatures

Stateful Inspection

Out-of-State protection

ACL

The time, in seconds, that the device keeps a non-active session


in the Session Table.
Default: 100
Note: When the Access Control List (ACL) feature is enabled,
Session table aging is determined by the relevant ACL
parameter.

Enable Table Protection

Session Table Protection prevents the Session Table from


overflowing.
When enabled, when the Session Table reaches 80% of its
capacity, the device acts as follows:
For TCP traffic, the device performs Delayed Binding for
every new TCP session. Only after the three way handshake
is completed, does the device add the entry to the Session
Table.
For non-TCP traffic, the device limits the number of new
entries in the Session Table, per second. Once the device
reaches the Max non-TCP New Sessions limit, any additional
sessions (during the same second) are dropped.
Default: Enabled

Advanced Parameters
Session Protection Short
Lifetime

The different aging time, in seconds, for new sessions when


Session Protection is triggered. Entries already in the Session
Table are aged according to the regular Session Table Aging
Time.
Values: 110
Default: 5

118

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Parameter

Description

Maximum Non-TCP New


Sessions

The maximum number of new non-TCP sessions per second


allowed when Session Protection is triggered.
Values:
11,500,000For OnDemand Switch 2. Radware
recommends not to reduce the value to below the default.
14,290,000,000For OnDemand Switch 3. Radware
recommends not to reduce the value to below the default.
Default: 100

TCP Handshake Timeout

How long, in seconds, the device waits for the three-way


handshake to be achieved for a new TCP-session. When the
timeout elapses, the device deletes the session and, if the Send
Reset To Server checkbox is selected, sends a reset packet to
the server.
Values:
0The device uses the specified Session Aging Time.
110The TCP Handshake Timeout in seconds.
Default: 10

Configuring DefensePro Suspend Settings


A managed device can suspend traffic from an IP address that was the source of an attack, for a
defined period of time.
Dynamic blocking duration is implemented by the Anti-Scanning and Server Cracking protections
based on the suspend settings that you configure. (Although connection-rate limits and intrusion
signatures can be set manually to suspend the source, they do not support dynamic duration.)
The dynamic blocking duration is usually set by the managed devices Anti-Scanning and Server
Cracking protections:

The initial suspend time period cannot be lower than the Minimal Aging Timeout.

Each additional time the same source is suspended, the suspension length is doubled until it
reaches the Maximal Aging Timeout.

When the suspension length has reached the maximum length allowed, it remains constant for
each additional suspension.

To configure Suspend-table settings


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Suspend
Table Settings.
2. Configure the parameters; and then, click

Document ID: RDWR-APSV-V0130_UG1205

(Submit) to submit the changes.

119

APSolute Vision User Guide


Basic Device Configuration

Table 46: Suspend Table Parameters

Parameter

Description

Minimal Aging Timeout

The time, in seconds, for which the managed device suspends firsttime offending source IP addresses.
Default: 10

Maximal Aging Timeout

The maximal time, in seconds, for which the managed device


suspends a specific source. Each time the managed device suspends
the same source, the suspension length doubles until it reaches the
Maximal Aging Timeout.
Default: 600

Maximum Entries with Same The number of times the managed device suspends the same source
Source IP
IP address before the managed device suspends all traffic from that
source IP addressregardless of the specified Suspend Action. For
example, if the value for this parameter is 4 and the specified
Suspend Action is SrcIP-DstIP-SrcPort-DstPort, the managed device
suspends all traffic from a source IP address that had an entry in the
Suspend list more than four times, even if the destination IP address,
source port, and destination ports were different for the previous
updates to the Suspend table.
This parameter is irrelevant when the specified Suspend Action is
SrcIP.
Values:
0The device does not implement the feature.
110
Default: 0

Configuring DefensePro Advanced Settings


The advanced settings comprise the following parameters:

Accept Weak SSL Ciphersavailable only in DefensePro 6.02 and later

Enable Overload Mechanism

SRP Management Host IP Address

The Overload Mechanismthat is, the overload-protection mechanismidentifies and reports


overload conditions, and acts to reduce operations with high resource consumption.
DefensePro device uses the overload-protection mechanism to prevent the following:

SME OverloadWhen the overload occurs in the string-matching engine (SME), the
accelerator reduces the number of new sessions sent to the SME. The existing sessions continue
to pass through the SME and are inspected. Features that require the SME, including some of
the attack signatures, will not be applied to some of the sessions.

Master OverloadWhen the overload occurs in the Master CPU, only a percentage of the
traffic is processed by the CPU. Behavioral DoS footprint analysis is done on sampled data,
ensuring the continuation of the feature, but Stateful inspection and SYN protection do not work.

Accelerator OverloadWhen the overload occurs in the Accelerator CPU, only a percentage of
the traffic is inspected, while the rest passes through using bypass modes. Inspected traffic is
passed to the Master and SME if they are not overloaded.

System Wide OverloadIf all offload operations have failed to prevent overloaded conditions,
then a full bypass is implemented. Every device application is bypassed, including Bandwidth
Management, Statistics, Security, and so on.

120

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

To configure advanced settings


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Advanced
Parameters.
2. Configure the overload mechanism and SRP parameters; and then, click
the changes.

(Submit) to submit

Table 47: Advanced Settings Parameters

Parameter

Description

Accept Weak SSL Ciphers

Specifies whether the device allows management connections over


secure protocols with ciphers shorter than 128 bits.

(This parameter is available


only in DefensePro 6.02 and Default: Enabled
later.)

Enable Overload Mechanism Specifies whether the device uses the overload mechanism, which
identifies and reports overload conditions.
Radware recommends that the overload-protection mechanism
always be enabled.
SRP Management Host IP
Address

The IP address to which the device sends Statistics Reporting


Protocol (SRP) data. SRP is a private Radware protocol for efficient
transmission of statistical data from the device to the APSolute Vision
server.
Enter the APSolute Vision server IP address.
This parameter must be configured to view real-time reports and
attack details in APSolute Vision.

Configuring Tunneling Inspection


Carriers, service providers, and large organizations use various tunneling protocols to transmit data
from one location to another. This is done using the IP network so that network elements are
unaware of the data encapsulated in the tunnel.
Tunneling implies that traffic routing is based on source and destination IP addresses. When
tunneling is used, IPS devices and load balancers cannot locate the relevant information because
their decisions are based on information located inside the IP packet in a known offset, and the
original IP packet is encapsulated in the tunnel.
To provide a carrier-grade IPS/DoS solution, DefensePro inspects traffic in tunnels, positioning
DefensePro in peering points and carrier network access points.
You can install DefensePro in different environments, which might include encapsulated traffic using
different tunneling protocols.In general, wireline operators deploy MPLS and L2TP for their
tunneling, and mobile operators deploy GRE and GTP.
DefensePro can inspect traffic that may use various encapsulation protocols. In some cases, the
external header (tunnel data) is the data that DefensePro needs to inspect. In other cases,
DefensePro needs to inspect the internal data (IP header and even the payload). You can configure
DefensePro to meet your specific inspection requirements.

Caution: Changing the configuration of this feature takes effect only after a device reset.

Document ID: RDWR-APSV-V0130_UG1205

121

APSolute Vision User Guide


Basic Device Configuration

To configure tunneling inspection


1.

In the Configuration perspective Advanced Parameters tab navigation pane, select Tunneling
Inspection.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

General Device Setup


You can configure the following setup parameters for a selected AppDirector or DefensePro device:

Configuring Access Protocols, page 122

Configuring SNMP Supported Versions, page 124

Configuring RADIUS Authentication for Device Management, page 124

Configuring the Device Event Scheduler, page 126

Configuring Access Protocols


In addition to managing AppDirector and DefensePro devices using APSolute Vision, you can also
use Web Based Management (WBM) and Command Line Interface (CLI).
You can connect managed devices to the following:

WBM on the device through HTTP and HTTPS

CLI through Telnet and SSH

Web services

To configure access protocols for WBM and CLI


1.

In the Configuration perspective Setup tab navigation pane, select Access Protocols.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Table 48: Access Protocol Parameters

Parameter

Description
Web Access

Enable Web Access

Enables access to the Web server.


Default: disabled

L4 Port

The port to which WBM is assigned.


Default: 80

Web Help URL

The location (path) of the Web help files.

Secured Web Access


Enable Secured Web Access Enables secured access to the Web server.
Default: disabled

122

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 48: Access Protocol Parameters

Parameter

Description

L4 Port

The port through which HTTPS gets requests.


Default: 443

Certificate

The certificate file used by the secure Web server for encryption.

Telnet
Enable Telnet

Enables Telnet access to the device.


Default: disabled

L4 Port

The TCP port used by the Telnet.


Default: 23

Session Timeout

The period of time, in minutes, the device maintains a connection


during periods of inactivity. If the session is still inactive when the
predefined period ends, the session terminates.
Values: 1120
Default: 5
Note: To avoid affecting device performance, the timeout is
checked every 10 seconds. Therefore, the actual timeout
can be up to 10 seconds longer than the configured time.

Authentication Timeout

The timeout, in seconds, required to complete the authentication


process.
Values: 1060
Default: 30

SSH
Enable SSH

Enables SSH access to the device.


Default: disabled

L4 Port

Source port for the SSH server connection.


Default: 22

Session Timeout

The period of time, in minutes, the device maintains a connection


during periods of inactivity. If the session is still inactive when the
predefined period ends, the session terminates.
Values: 1120
Default: 5
Note: To avoid affecting device performance, the timeout is
checked every 10 seconds. Therefore the actual timeout can
be up to 10 seconds longer than the configured time.

Authentication Timeout

The timeout, in seconds, required to complete the authentication


process.
Values: 1060
Default: 30

Web Services
This group box is not available in AppDirector 2.30 and later. In AppDirector 2.30 and later, Web
services are always enabled.
Enable Web Services

Enables access to Web services.


Default: Enabled

Document ID: RDWR-APSV-V0130_UG1205

123

APSolute Vision User Guide


Basic Device Configuration

Configuring SNMP Supported Versions


APSolute Vision connects to managed devices using SNMP. For information about SNMP, and
configuring SNMP for the managed devices, see Configuring SNMP, page 136.

To configure SNMP supported versions


1.

In the Configuration perspective Setup tab navigation pane, select SNMP Versions.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Table 49: SNMP Supported Version Parameters

Parameter

Description

Supported SNMP Versions

The currently supported SNMP versions.

Supported SNMP Versions


after Reset

The SNMP versions supported by the SNMP agent after resetting the
device. Select the SNMP version to support. Clear the versions that
are not supported.

Configuring RADIUS Authentication for Device Management


AppDirector and DefensePro provide additional security by authenticating the users who access a
device for management purposes. With RADIUS authentication, you can use RADIUS servers to
determine whether a user is allowed to access device management using CLI, Telnet, SSH or Web
Based Management. You can also select whether to use the device User Table when RADIUS servers
are not available.

Note: The managed devices must have access to the RADIUS server and must allow device
access.

To configure RADIUS authentication for device management in AppDirector 2.30 and


later
1.

In the Configuration perspective Setup tab navigation pane, select RADIUS Authentication.

2.

Configure RADIUS authentication parameters for the managed Radware device, and then,
click

(Submit) to submit the changes.

Table 50: RADIUS Authentication Parameters in AppDirector 2.30 and Later

Parameter

Description
Main

L4 Port

The access port number of the primary RADIUS server.


Values: 1645, 1812
Default: 1645

124

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 50: RADIUS Authentication Parameters in AppDirector 2.30 and Later

Parameter

Description

Secret

The authentication password for the primary RADIUS server.

Verify Secret

When defining the password, reenter for verification.

Server IP Address Type

Values: IPv4, IPv6

Server IP Address

The IP address of the primary RADIUS server.

Backup
L4 Port

The access port number of the backup RADIUS server.


Values: 1645, 1812
Default: 1645

Secret

The authentication password for the backup RADIUS server.

Verify Secret

When defining the password, reenter for verification.

Server IP Address Type

Values: IPv4, IPv6

Server IP Address

The IP address of the backup RADIUS server.

Basic Parameters
Timeout

The length of time the device waits for a reply from the RADIUS
server before a retry, or, if the Retries value is exceeded, before
the device acknowledges that the server is offline.
Default: 1

Retries

The number of connection retries to the RADIUS server, after the


RADIUS server does not respond to the first connection attempt.
After the specified number of Retries, if all connection attempts
have failed (Timeout), the backup RADIUS server is used.
Default: 2

Client Lifetime

The time, in seconds, of the clients authentication. After the client


lifetime expires, the device re-authenticates the user.
Default: 30

To configure RADIUS authentication for device management in AppDirector versions


prior to 2.30 and DefensePro
1. In the Configuration perspective Setup tab navigation pane, select RADIUS Authentication.
2. Configure RADIUS authentication parameters for the managed Radware device, and then,
click

(Submit) to submit the changes.

Table 51: RADIUS Authentication Parameters in AppDirector Versions Prior to 2.30 and
DefensePro

Parameter

Description
Main

Server IP Address

The IP address of the primary RADIUS server.

Document ID: RDWR-APSV-V0130_UG1205

125

APSolute Vision User Guide


Basic Device Configuration

Table 51: RADIUS Authentication Parameters in AppDirector Versions Prior to 2.30 and
DefensePro

Parameter

Description

L4 Port

The access port number of the primary RADIUS server.


Values: 1645, 1812
Default: 1645

Secret

The authentication password for the primary RADIUS server.

Verify Secret

When defining the password, reenter for verification.

Backup
Server IP Address

The IP address of the backup RADIUS server.

L4 Port

The access port number of the backup RADIUS server.


Values: 1645, 1812
Default: 1645

Secret

The authentication password for the backup RADIUS server.

Verify Secret

When defining the password, reenter for verification.

Basic Parameters
Timeout

The length of time the device waits for a reply from the RADIUS
server before a retry, or, if the Retries value is exceeded, before
the device acknowledges that the server is offline.
Default: 1

Retries

The number of connection retries to the RADIUS server, after the


RADIUS server does not respond to the first connection attempt.
After the specified number of Retries, if all connection attempts
have failed (Timeout), the backup RADIUS server is used.
Default: 2

Client Lifetime

The time, in seconds, of the clients authentication. After the client


lifetime expires, the device re-authenticates the user.
Default: 30

Configuring the Device Event Scheduler


Some network policy rules remain inactive during certain hours of the day, or are activated only
during others. For example, a school library may want to block instant messaging during school
hours, but allow it after school hours, or an enterprise may assign high priority to mail traffic
between 08:00 and 10:00.
You can schedule the activation and inactivation of specific policy rules on the device by using the
Event Scheduler, to create schedules, and then attach them to a policy rules configuration.
Schedules define a date and time for specific actions.

126

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

To configure the event scheduler


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Event
Scheduler.
2. Do one of the following:

To add a schedule, click the

(Add) button.

To edit an entry, double-click the row.

3. Configure the parameters; and then, click OK.

Table 52: Scheduled Event Parameters

Parameter

Description

Task Name

The name of the schedule.

Frequency

How often the event occurs.


Values: daily, once, weekly
Default: once

Time

The time on the designated day in the format hhmm.


When multiple days are selected, the value is the same for all the
configured days.

Date

If the event frequency is once, configure the date that the event occurs
in the DD/MM/YYYY format.

Days of Week

If the selected event frequency is weekly, select the day or days the
event occurs.

Upgrading a License for a Managed Device


You can upgrade the capabilities of a managed device using the licensing procedure.
The license provided to you, is a one-time license. To change licenses, you must use a new license
key, after which, the old license key cannot be reused. For example, in AppDirector, if a license that
includes BWM and IPS activation keys was given to you on a trial basis but not purchased, Radware
will provide you with another license, but without these activation keys. The old license cannot be
reused.
Each license is based on the devices MAC address and on a license ID that is changed every time a
new license is used. To obtain a license upgrade or downgrade, you must include the MAC address
and the current license ID of the device when you order the required license part number. This
information is displayed in the License Upgrade window.
You will receive the new license string by e-mail. After you enter the new license information in the
License Upgrade pane, the old license cannot be reused.

Document ID: RDWR-APSV-V0130_UG1205

127

APSolute Vision User Guide


Basic Device Configuration

To upgrade a license after receiving new license keys


1.

In the Configuration perspective Setup tab navigation pane, select License Upgrade.

2.

Configure license upgrade parameters for the new license keys; and then, click
submit the changes.

(Submit) to

Table 53: AppDirector License Upgrade Parameters in AppDirector 2.14 and Later

Parameter

Description
Basic Information

Base MAC Address

The MAC address of the first port on the device. This is the MAC
address on which the license is based.

License Upgrade
License ID

Reports the device software license ID and must be provided to


Radware when requesting a new license.

New License Key

The device software license allows you to activate advanced software


functionality.

Throughput License ID

Manages the device throughput license ID and must be provided to


Radware when requesting a new throughput license.

Throughput License Key

Manages the device throughput level license.

Compression on Server
Side License ID1

The Compression on Server Side License ID, which must be provided to


Radware when requesting a new throughput license.

Compression on Server
Side License Key1

The Compression on Server Side License key.


Prefix values:
appdirector-compression-100
appdirector-compression-250
appdirector-compression-500
appdirector-compression-750
appdirector-compression-1000
appdirector-compression-1250
appdirector-compression-1500
appdirector-compression-unlimited

128

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 53: AppDirector License Upgrade Parameters in AppDirector 2.14 and Later

Parameter

Description

SSL CPS License Key1

The SSL CPS License key.


Prefix values:
appdirector-ssl-500
appdirector-ssl-2000
appdirector-ssl-5000
appdirector-ssl-10000
appdirector-ssl-20000
appdirector-ssl-30000
appdirector-ssl-40000
appdirector-ssl-50000
appdirector-ssl-unlimited

SSL CPS License ID1

SSL CPS License ID, which must be provided to Radware when


requesting a new throughput license.

1 Available when the acceleration engine is enabled.

Table 54: AppDirector License Upgrade Parameters in AppDirector 2.11

Parameter

Description
Basic Information

Base MAC Address

The MAC address of the first port on the device. This is the MAC
address on which the license is based.

License Upgrade
License ID

Reports the device software license ID and must be provided to


Radware when requesting a new license.

New License Key

The device software license allows you to activate advanced software


functionality.

Throughput License ID

Manages the device throughput license ID and must be provided to


Radware when requesting a new throughput license.

Throughput License Key

Manages the device throughput level license.

SSL TPS License ID1

Displays AppDirectors SSL TPS license.


The SSL Transactions Per Second license options for the device are:
appdirector-ssl-500
appdirector-ssl-2000
appdirector-ssl-5000
appdirector-ssl-10000
appdirector-ssl-20000
appdirector-ssl-30000
appdirector-ssl-40000
appdirector-ssl-50000
appdirector-ssl-unlimited

Document ID: RDWR-APSV-V0130_UG1205

129

APSolute Vision User Guide


Basic Device Configuration

Table 54: AppDirector License Upgrade Parameters in AppDirector 2.11

Parameter

Description

SSL TPS License Key1

Manages the device SSL TPS license ID and must be provided to


Radware when requesting a new throughput license.

Compression on Server
Side License ID1

Displays AppDirectors Compression on server side license.


The Compression on server side license options for the device are:
appdirector-compression-100
appdirector-compression-250
appdirector-compression-500
appdirector-compression-750
appdirector-compression-1000
appdirector-compression-1250
appdirector-compression-1500
appdirector-compression-unlimited

Compression on Server
Side License Key1

Manages the device Compression on server side license ID and must


be provided to Radware when requesting a new throughput license.

1 Available when the acceleration engine is enabled.

Table 55: AppDirector License Upgrade Parameters in AppDirector 1.07.12

Parameter

Description
Basic Information

Base MAC Address

The MAC address of the first port on the device. This is the MAC
address on which the license is based.

License Upgrade
License ID

Reports the device software license ID and must be provided to


Radware when requesting a new license.

New License Key

The device software license allows you to activate advanced software


functionality.

Throughput License ID

Manages the device throughput license ID and must be provided to


Radware when requesting a new throughput license.

Throughput License Key

Manages the device throughput level license.

Table 56: DefensePro License Upgrade Parameters

Parameter

Description
Basic Information

Base MAC Address

The MAC address of the first port on the device. This is the MAC
address on which the license is based.

License Upgrade
License ID

Reports the device software license ID and must be provided to


Radware when requesting a new license.

New License Key

The device software license allows you to activate advanced software


functionality.

130

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 56: DefensePro License Upgrade Parameters

Parameter

Description

Throughput License ID

Manages the device throughput license ID and must be provided to


Radware when requesting a new throughput license.

Throughput License Key

Manages the device throughput level license.

Managing Certificates
This section describes certificates and how to manage them using APSolute Vision.

Certificates
Certificates are digitally signed indicators which identify the server or user. They are usually
provided in the form of an electronic key or value. The digital certificate represents the certification
of an individual business or organizational public key but can also be used to show the privileges and
roles for which the holder has been certified. It can also include information from a third-party
verifying identity. Authentication is needed to ensure that users in a communication or transaction
are who they claim to be.
A basic certificate includes the following:

The certificate holders identity

The certificates serial number

The certificate expiry date

A copy of the certificate holders public key

The identity of the Certificate Authority (CA) and its digital signature to affirm the digital
certificate was issued by a valid agency

Keys
A key is a variable set of numbers that the sender applies to encrypt data to be sent via the
Internet. Usually a pair of public and private keys is used. A private key is kept secret and used only
by its owner to encrypt and decrypt data. A public key has a wide distribution and is not secret. It is
used for encrypting data and for verifying signatures. One key is used by the sender to encrypt or
interpret the data. The recipient also uses the key to authenticate that the data comes from the
sender.
The use of keys ensures that unauthorized personnel cannot decipher the data. Only with the
appropriate key can the information be easily deciphered or understood. Stolen or copied data would
be incomprehensible without the appropriate key to decipher it and prevent forgery. AppDirector and
DefensePro support the following key size lengths: 512, 1024, or 2048 bytes.

Self-Signed Certificates
Self-signed certificates do not include third-party verification. When you use secure WBM, that is, an
HTTPS session, the managed device uses a certificate for identification. By default, the device has
self-signed Radware SSL certificates. You can also specify your own self-signed SSL certificates.

Document ID: RDWR-APSV-V0130_UG1205

131

APSolute Vision User Guide


Basic Device Configuration

Modifying Certificate Information for a Selected Device

To view and modify certificate information for a selected device


In the Configuration perspective Setup tab navigation pane, select Certificates.
The Certificates table displays information for each certificate stored on the device. From here,
you can add, edit, and delete certificates. You can also import and export certificates, and show
certificate text.

Configuring Certificates
You can create or modify a self-signed certificate for secured access to Web Based Management
(WBM).
You can also create certificate signing requests and keys for new certificates.

Note: In AppDirector 2.11 and later, you can create and modify certificates for SSL policies and
Client CA policies. Also, in AppDirector 2.11 and later, you can manage certificates only
if you are connected via SNMPv3.

To create or modify a certificate or key


1.

In the Configuration perspective Setup tab navigation pane, select Certificates.

2.

Do one of the following:

3.

To add a certificate, click the

(Add) button.

To edit a certificate, double-click the certificate name.

Configure certificate parameters and click OK.

Table 57: Certificate Parameters

Parameter

Description

Name

The name of Key or Certificate.

Type

The type of certification.


Values:
Certificate
Certificate of Client CA1
Certificate Signing Request
Intermediate CA Certificate1
KeyWhen you select Key, only the Key Size and Passphrase fields
are available.
Default: Key

132

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 57: Certificate Parameters

Parameter

Description

Key Size

The key size, in bytes.


Larger key sizes offer an increased level of security. Radware
recommends that certificates have a key size of 1024 or more. Using a
certificate of this size makes it extremely difficult to forge a digital
signature or decode an encrypted message.
Values: 512 Bytes, 1024 Bytes, 2048 Bytes
Default: 1024 Bytes

Common Name

The domain name of the organization (for example, www.radware.com)


or IP address.

Organization

The name of the organization.

Email Address

Any e-mail address that you want to include within the certificate.

Key Passphrase

The Key Passphrase encrypts the key in storage and is required to


export the key. Since Private Keys are the most sensitive parts of PKI
data, they must be protected by a passphrase. The passphrase should
be at least four characters and Radware recommends using stronger
passphrases than that based on letters, numbers and signs.

Verify Key Passphrase

After you define the key passphrase, re-enter it for verification.

Locality

The name of the city.

State / Province

The state or province.

Organization Unit

The department or unit within the organization.

Country Name

The organization country.

Certificate Expiration

The duration, in days, that a certificate remains valid.


Values: 1365
Default: 365

1 If you select this option when it is not allowed (according to the type of certificate you
are using), the device alerts you with an error message.

Configuring Default Certificate Attributes


Use certificate defaults to define your organizations default parameters to be used when creating
signing requests or self-signed certificates.
To configure default attributes, the connection between the APSolute Vision server and the relevant
device must use SNMPv3.

To configure the default certificate attributes


1. In the Configuration perspective Setup tab navigation pane, select Certificates > Default
Attributes.
2. Configure the parameters; and then, click

Document ID: RDWR-APSV-V0130_UG1205

(Submit) to submit the changes.

133

APSolute Vision User Guide


Basic Device Configuration

Table 58: Default Certificate Parameters

Parameter

Description

Common Name

The domain name of the organization. For example, www.radware.com.

Locality

The name of the city.

State / Province

The state or province.

Organization

The name of the organization.

Organization Unit

The department or unit within the organization.

Country Name

The organization country.

Email Address

Any e-mail address to include in the certificate.

Importing Certificates
Depending on the product, you can import keys and certificates from another machine, and import a
certificate to an existing Signing Request to complete its process. You can also import intermediate
CA certificates for SSL policies, and Client CA Certificates for Client Authentication policies.
Keys and certificates are imported in PEM format. If you have separate PEM files for Key and for
certificate, you must import them consecutively with the same entry name.

To import a certificate or key


1.

In the Configuration perspective Setup tab navigation pane, select Certificates.

2.

Click the Import button below the table.

3.

Configure import certificate parameters, and click OK to start the import.

Table 59: Import Certificate Parameters in AppDirector

Parameter

Description

Entry Name

A new entry name to create by import, or an existing entry name to


overwrite or complete a Key or CSR.

Entry Type

Values:
KeyImports a key from backup or exported from another
system. To complete the configuration, you will need to import
a certificate into this key.
CertificateImports a certificate from backup or exported
from another machine. The certificate must be imported onto a
matching key or signing request.
Intermediate CA CertificateImports a certificate to be used in
the SSL policy.
Client CA CertificateImports a Client CA certificate.
Root TSL Certificate
Default: Key

134

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Parameter

Description

Passphrase

Since Private Keys are the most sensitive parts of PKI data they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.

(This parameter is available


only when the Entry Type is
Key.)
Verify Passphrase
(This parameter is available
only when the Entry Type is
Key.)

Since Private Keys are the most sensitive parts of PKI data they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.

File Name

The certificate file to import.

Table 60: Import Certificate Parameters in DefensePro

Parameter

Description

Entry Name

A new entry name to create by import, or an existing entry name to


overwrite or complete a Key or CSR.

Entry Type

Values:
KeyImports a key from backup or exported from another
system. To complete the configuration, you will need to import
a certificate into this key.
CertificateImports a certificate from backup or exported
from another machine. The certificate must be imported onto a
matching key or signing request.
Certificate of Client CAImports a Client CA certificate.
Default: Key
Note: In Web Based Management, DefensePro supports the
following three additional options: Intermediate CA
Certificate, Certificate and Key, SSH Public Key.

Passphrase
(This parameter is available
only when the Entry Type is
Key.)
Verify Passphrase

Since Private Keys are the most sensitive parts of PKI data they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.

(This parameter is available


only when the Entry Type is
Key.)

Since Private Keys are the most sensitive parts of PKI data they
must be protected by a passphrase. The passphrase should be at
least four characters, and Radware recommends using stronger
passwords than that based on letters, numbers, and signs.

File Name

The certificate file to import.

Exporting Certificates
Key, certificate and signing request export is used for backup purposes, moving existing
configurations to another system or for completion of Signing Request processes. You can export
certificates from a device by copying and pasting a key or by downloading a file. Keys and
certificates are exported to PEM format.

Note: The Radware key is created without a Radware password at system startup, thus it can
be exported without a Radware password.

Document ID: RDWR-APSV-V0130_UG1205

135

APSolute Vision User Guide


Basic Device Configuration

To export a certificate or key


1.

In the Configuration perspective Setup tab navigation pane, select Certificates.

2.

Click the Export button below the table.

3.

Configure export certificate parameters, and click OK to start the export.

Table 61: Export Certificate Parameters

Parameter

Description

Entry Name

Select the name of the entry to export. By default, the name of the
selected certificate in the Certificates table is displayed.

Entry Type

According to the selected entry name, you can export Certificate,


Certificate Chain, Client CA Certificate, Key, or Certificate Signing Request.

Passphrase

Required when exporting Keys. Use the passphrase entered when the key
was created or imported. You must enter the key passphrase to validate
that you are authorized to export the key.

Showing Certificate Content


You can display the content of keys, certificates, or signing requests listed in the Certificates table.
The content is displayed in encrypted text format for copy-paste purposes, for example sending
signing requests to a certificate signing authority.

To display certificate content


1.

In the Configuration perspective Setup tab navigation pane, select Certificates.

2.

Click the Show button below the table.

3.

Select the entry name to show. By default, the name of the selected certificate in the
Certificates table is displayed.

4.

Select the entry type, and password for the key, if required.

5.

Click Show to display the content in the Certificate field.

Configuring SNMP
Simple Network Management Protocol (SNMP) is an application layer protocol that facilitates the
exchange of management information between APSolute Vision and network devices.
Radware devices can work with all versions of SNMP: SNMPv1, SNMPv2c, and SNMPv3.

136

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration
The default Radware user is configured in SNMPv1.

Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c traps that arrive at the
APSolute Vision are discarded.

Note: When you add a Radware device to APSolute Vision using SNMPv3, the user name and
authentication details must match one of the users configured on the device.
The following topics describe the procedures to configure SNMP on a selected device:

Configuring SNMP Users, page 137

Configuring SNMP Community Settings, page 138

Configuring the SNMP Group Table, page 139

Configuring SNMP Access Settings, page 140

Configuring SNMP Notify Settings, page 141

Configuring SNMP View Settings, page 142

Configuring the SNMP Target Parameters Table, page 142

Configuring SNMP Target Addresses, page 144

Configuring SNMP Users


With SNMPv3 user-based management, each user can have different permissions based on the user
name and authentication method. You define the users who can connect to the device, and store the
access parameters for each SNMP user.

Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.
>> In the SNMP configuration, a user name is also known as a security name.

To configure an SNMP users for a device connected with SNMPv3 with Authentication
and Privacy
1. In the Configuration perspective Device Security tab navigation pane, select SNMP > SNMP
User Table.
2. Do one of the following:

To add a user, click the

To edit an entry, double-click the row.

(Add) button.

3. Configure SNMP user parameters and click OK.

Document ID: RDWR-APSV-V0130_UG1205

137

APSolute Vision User Guide


Basic Device Configuration

Table 62: SNMP User Parameters

Parameter

Description

User Name

The user name, also known as a security name. The name can be up
to 18 characters.

Authentication Protocol

Protocol used during authentication process.


Values:
None
MD5
SHA
Default: None

Authentication Password

If an authentication protocol is specified, enter an authentication


password.

Privacy Protocol

Algorithm to be used for encryption.


Values:
NoneThe data is not encrypted.
DESThe device uses Data Encryption Standard.
Default: None

Privacy Password

If a privacy protocol is specified, enter a user privacy password.

Configuring SNMP Community Settings


The SNMP Community Table is used only for SNMP versions 1 and 2 to associate community strings
to users. When a user is connected to a device with SNMPv1 or SNMPv2, the device checks the
community string sent in the SNMP packet. Based on a specific community string, the device maps
the community string to a predefined user, which belongs to a group with certain access rights.
Therefore, when working with SNMPv1 or SNMPv2, users, groups, and access must be defined.
Use the Community Table to associate community strings with user names and vice versa, and to
restrict the range of addresses from which SNMP requests are accepted and to which traps can be
sent.

Note: You cannot change the community string associated with the user name that you are
currently using.

To configure SNMP community settings


1.

In the Configuration perspective Device Security tab navigation pane, select SNMP >
Community.

2.

Do one of the following:

3.

To add an SNMP community entry, click the

To edit an entry, double-click the row.

(Add) button.

Configure SNMP community parameters and click OK.

138

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 63: SNMP Community Parameters

Parameter

Description

Index

A descriptive name for this entry. This name cannot be modified after
creation.
Default: public

Community Name

The community string.


Default: public

Security Name

The security name identifies the SNMP community used when the
notification is generated.
Default: public

Transport Tag

Specifies a set of target addresses from which the SNMP accepts SNMP
requests and to which traps can be sent. The target addresses identified by
this tag are defined in the SNMP Target Addresses table. At least one entry
in the SNMP Target Addresses table must include the specified transport tag.
If no tag is specified, addresses are not checked when an SNMP request is
received or when a trap is sent.

Configuring the SNMP Group Table


SNMPv3 permissions are defined for groups of users. If, based on the connection method, there is a
need to grant different permissions to the same user, you can associate a user to more than one
group. You can create multiple entries with the same group name for different users and security
models.
Access rights are defined for groups of users in the SNMP Access table.

To configure SNMP group settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Group
Table.
2. Do one of the following:

To add a group entry, click the

(Add) button.

To edit an entry, double-click the row.

3. Configure the parameters; and then, click OK.

Document ID: RDWR-APSV-V0130_UG1205

139

APSolute Vision User Guide


Basic Device Configuration

Table 64: SNMP Group Parameters

Parameter

Description

Group Name

The name of the SNMP group.

Security Model

The SNMP version that represents the required security model. Security models
are predefined sets of permissions that can be used by the groups. These sets
are defined according to the SNMP versions. By selecting the SNMP version for
this parameter, you determine the permissions set to be used.
Values:
SNMPv1
SNMPv2c
User Based (SNMPv3)
Default: SNMPv1

Security Name

If the User Based security model is used, the security name identifies the user
that is used when the notification is generated. For other security models, the
security name identifies the SNMP community used when the notification is
generated.

Configuring SNMP Access Settings


The SNMP Access table binds groups and security models with SNMP views, which define subsets of
MIB objects. You can define which MIB objects can be accessed for each group and security model.
MIB objects can be accessed for a read, write, or notify action based on the Read View Name, Write
View Name, and Notify View Name parameters.
Views are defined in the SNMP Views table.

To configure SNMP access settings


1.

In the Configuration perspective Device Security tab navigation pane, select SNMP > Access.

2.

Do one of the following:

3.

To add an access entry, click the

To edit an entry, double-click the row.

(Add) button.

Configure SNMP access parameters and click OK.

140

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 65: SNMP Access Parameters


Parameter

Description

Group Name

The name of the group.

Security Model

Security models are predefined sets of permissions that can be used by


the groups. These sets are defined according to the SNMP versions.
Select the SNMP version that represents the required Security Model to
determine the permissions set to be used.
Values:
SNMPv1
SNMPv2c
User BasedThat is, SNMPv3
Default: SNMPv1

Security Level

The security level required for access.


Values:
No AuthenticationNo authentication or privacy are required.
Authentication & No PrivacyAuthentication is required, but privacy
is not required.
Authentication & PrivacyBoth authentication and privacy are
required.
Default: No Authentication

Read View Name

The name of the View that specifies which objects in the MIB tree are
readable by this group.

Write View Name

The name of the View that specifies which objects in the MIB tree are
writable by this group.

Notify View Name

The name of the View that specifies which objects in the MIB tree can be
accessed in notifications (traps) by this group.

Configuring SNMP Notify Settings


You can select management targets that receive notifications and the type of notification to be sent
to each selected management target. The Tag parameter identifies a set of target addresses. An
entry in the Target Address table that contains a tag specified in the Notify table receives
notifications.

To configure SNMP notification settings


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Notify.
2. Do one of the following:

To add an SNMP notify entry, click the

To edit an entry, double-click the row.

(Add) button.

3. Configure SNMP notify parameters and click OK.

Document ID: RDWR-APSV-V0130_UG1205

141

APSolute Vision User Guide


Basic Device Configuration

Table 66: SNMP Notify Parameters

Parameter

Description

Name

A descriptive name for this entry, for example, the type of notification.

Tag

A string that defines the target addresses that are sent this notification. All
the target addresses that have this tag in their tag list are sent this
notification.

Configuring SNMP View Settings


You can define subsets of the MIB tree for use in the Access Table. Different entries may have the
same name. The union of all entries with the same name defines the subset of the MIB tree and can
be referenced in the Access Table through its name.

To configure SNMP view settings


1.

In the Configuration perspective Device Security tab navigation pane, select SNMP > View.

2.

Do one of the following:

3.

To add an SNMP view entry, click the

To edit an entry, double-click the row.

(Add) button.

Configure SNMP view parameters and click OK.

Table 67: SNMP View Parameters

Parameter

Description

View Name

Name of this entry.

Sub-Tree

Object ID of a subtree of the MIB.


Note: Very occasionally, you might need to define a view mask for
AppDirector. To do this, use the AppDirector WBM application.

Type

Specifies whether the object defined in the entry is included or excluded in the
MIB view.
Values: Included, Excluded
Default: Included

Configuring the SNMP Target Parameters Table


The Target Parameters table defines message-processing and security parameters that are used in
sending notifications to a particular management target. Entries in the Target Parameters table are
referenced in the Target Address table.

142

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

To configure SNMP target parameters


1. In the Configuration perspective Device Security tab navigation pane, select SNMP > Target
Parameters Table.
2. Do one of the following:

To add a target parameters entry, click the

To edit an entry, double-click the row.

(Add) button.

3. Configure target parameter settings and click OK.

Table 68: SNMP Target Parameters

Parameter

Description

Name

The name of the target parameters entry.


Maximum characters: 32

Message Processing
Model

The SNMP version to use when generating SNMP notifications.


Values: SNMPv1, SNMPv2c, SNMPv3
Default: SNMPv1
Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c
traps that arrive at the APSolute Vision are discarded.

Security Model

The SNMP version that represents the required Security Model.


Security models are predefined sets of permissions that can be used by the
groups. These sets are defined according to the SNMP versions. By selecting
the SNMP version for this parameter, you determine the permissions set to
be used.
Values:
SNMPv1
SNMPv2c
User BasedThat is, SNMPv3
Default: SNMPv1
Caution: APSolute Vision does not support SNMPv2c traps. SNMPv2c
traps that arrive at the APSolute Vision are discarded.

Security Name

If the User Based security model is used, the security name identifies the
user that is used when the notification is generated. For other security
models, the security name identifies the SNMP community used when the
notification is generated.

Security Level

Specifies whether the trap is authenticated and encrypted before it is sent.


Values:
No AuthenticationNo authentication or privacy are required.
Authentication and No PrivacyAuthentication is required, but privacy
is not required.
Authentication and PrivacyBoth authentication and privacy are
required.
Default: No Authentication

Document ID: RDWR-APSV-V0130_UG1205

143

APSolute Vision User Guide


Basic Device Configuration

Configuring SNMP Target Addresses


In SNMPv3, the Target Addresses table contains transport addresses to be used in the generation of
traps. If the tag list of an entry contains a tag from the SNMP Notify Table, this target is selected for
reception of notifications. For SNMP versions 1 and 2, this table is used to restrict the range of
addresses from which SNMP requests are accepted and to which SNMP traps may be sent. If the
Transport Tag of an entry in the community table is not empty it must be included in one or more
entries in the Target Address Table.

To configure SNMP target addresses


1.

In the Configuration perspective Device Security tab navigation pane, select SNMP > Target
Address.

2.

Do one of the following:

3.

To add a target address, click the

To edit an entry, double-click the row.

(Add) button.

Configure target address parameters and click OK.

Table 69: SNMP Target Address Parameters

Parameter

Description

Name

Name of the target address entry.

IP Address and L4 Port


[IP-port number]

The IP address of the management station (APSolute Vision server)


and TCP port to be used as the target of SNMP traps. The format of the
values is <IP address >-<TCP port>, where <TCP port> must be
162. For example, if the value for IP Address and L4 Port is 1.2.3.4162, 1.2.3.4 is the IP address of the APSolute Vision server and 162 is
the port number for SNMP traps.
Note: APSolute Vision listens for traps only on port 162.

Mask

A subnet mask of the management station.

Tag List

Specifies sets of target addresses. Tags are separated by spaces. The


tags contained in the list may be either tags from the Notify table or
Transport tags from the Community table.
Each tag can appear in more than one tag list. When a significant event
occurs on the network device, the tag list identifies the targets to which
a notification is sent.
Default: v3Traps

Target Parameters Name

The set of target parameters to be used when sending SNMP Traps.


Target parameters are defined in the Target Parameters table.

Configuring Device Users


For each managed device, you can create a list of users who are authorized to access that device
through any enabled access method (Web, Telnet, SSH, SWBM). When configuration tracing is
enabled, users can receive e-mail notifications of changes made to the device.

144

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

To configure device users for a selected device


1. In the Configuration perspective Device Security tab navigation pane, select Users Table.
2. Do one of the following:

To add a user, click the

(Add) button.

To edit an entry, double-click the row.

3. Configure the parameters; and then, click OK.

Table 70: Device User Parameters

Parameter

Description
Device Users Table

User Name

The name of the user.

Password

Enter the password of the user, then repeat to verify.

Email Address

The e-mail address of the user to which notifications will be sent.

Minimal Severity for


Sending Traps

The minimum severity level of traps sent to this user.


Values:
NoneThe user receives no traps.
InfoThe user receives traps with severity info or higher.
WarningThe user receives Warning, Error, and Fatal traps.
ErrorThe user receives Error and Fatal traps.
FatalThe user receives Fatal traps only.
Default: None

Enable Configuration Tracing When selected, the specified user receives notifications of
configuration changes made in the device.
Every time the value of a configurable variable changes, information
about all the variables in the same MIB entry is reported to the
specified users. The device gathers reports and sends them in a
single notification message when the buffer is full or when the
timeout of 60 seconds expires.
The notification message contains the following details:
Name of the MIB variable that was changed.
New value of the variable.
Time of configuration change.
Configuration tool that was used (APSolute Vision, Telnet, SSH,
WBM).
User name, when applicable.
Access Level

The users level of access to the WBM and CLI.

Document ID: RDWR-APSV-V0130_UG1205

145

APSolute Vision User Guide


Basic Device Configuration

Table 70: Device User Parameters

Parameter

Description
Advanced Parameters

Authentication Mode

The method for of authenticating a users access to the device.


Values:
Local User TableThe device uses the User Table to authenticate
access.
RadiusThe device uses the RADIUS servers to authenticate
access.
Radius and Local User TableThe device uses the RADIUS
servers to authenticate access. If the request to the RADIUS
server times out, the device uses the User Table to authenticate
access.
Default: Local User Table

Exclude SNMP Engine ID


Specifies whether to exclude the SNMP engine ID and user
and User Information from information from exported configuration files.
Exported Configuration Files Default: Disabled
(This parameter is displayed
only in certain AppDirector
versions.)

Configuring Access Permissions on Physical Ports


Access to devices can be limited to specified physical interfaces. Interfaces connected to insecure
network segments can be configured to discard some or all management traffic directed at the
device itself. Administrators can allow certain types of management traffic to a device (for example,
SSH), while denying others such as SNMP. If an intruder attempts to access the device through a
disabled port, the device denies access, and generates syslog and CLI traps as notification.

To configure access permissions for a selected device


1.

In the Configuration perspective Device Security tab navigation pane, select Advanced.

2.

To edit permissions for a port, double-click the relevant row.

3.

Select or clear the checkboxes to allow or deny access; and then, click OK.

Table 71: Port Permission Parameters

Parameter

Description

Port

(Read-only) The name of the physical port.

SNMP Access

When selected, allows access to the port using SNMP.

Telnet Access

When selected, allows access to the port using Telnet.

SSH Access

When selected, allows access to the port using SSH.

Web Access

When selected, allows access to the port using WBM.

SSL Access

When selected, allows access to the port using SSL.

146

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Configuring Port Pinging


You can define which physical interfaces can be pinged. When a ping is sent to an interface for which
ping is not allowed, the packet is discarded. By default, all the interfaces of the device allow pings.

To define the ports to be pinged


1. In the Configuration perspective Device Security tab navigation pane, select Advanced > Ping
Ports.
2. To edit port ping settings, double-click the relevant row.
3. Select or clear the checkbox to allow or not allow pinging, then click OK.

Configuring Tuning Parameters


You can adjusting tuning parameters to use memory resources more efficiently, to conserve memory
resources.

Caution: Radware strongly recommends that you perform any device tuning only after
consulting with Radware Technical Support.
This section contains the following:

Configuring Tuning Parameters for AppDirector, page 147

Configuring Tuning Parameters for DefensePro, page 150

Configuring Tuning Parameters for AppDirector

To configure tuning parameters


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters.
2. To change the current setting, enter the new value in the After Reset column.
3. Click
(Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.

Note: Radware recommends performing a memory check before rebooting the device.
For information about tuning parameters for AppDirector 1.07.12, see Tuning Parameters in
AppDirector 1.07.12, page 149.

Document ID: RDWR-APSV-V0130_UG1205

147

APSolute Vision User Guide


Basic Device Configuration

Table 72: Tuning Parameters in AppDirector 2.11 and Later

Parameter

Description
Device Tuning

For more information, see the tuning document, which is available from the Radware Web site.
Bridge Forwarding Table

The maximum number of entries currently available in the Bridge


Forwarding Table (bridging ports per destination MAC address).

IP Forwarding Table

The maximum number of entries currently available in the IP


Forwarding Table.

ARP Forwarding Table

The maximum number of entries allowed in the ARP Table.


The ARP table contains the IP address and corresponding MAC
address (physical address) of each network element connected to
the device. If an element is disconnected from the device, the
elements ARP record will be maintained until the timeout value is
exceeded.

Routing Table

The maximum number of entries in the Routing Table.

Host Name Table

The maximum number of entries in the Host Names Table.

Requests Table

The maximum number of entries in the Requests Table as used by


all delayed binding based mechanisms, for example, SSL ID
tracking, Layer 4 Policies, and so on.

Session IDs

The maximum number of entries in the Session ID Table.


Default table size: 16,384
Maximum: 256,000

Network Segments

The maximum number of network segments that can be configured


(network segments supported when the device uses the
Segmentation feature).

L4 Policies

Maximum number of Layer 4 policies that can be defined on the


device.

Acceleration Engine RAM


Percentage for Cache

Percentage of Acceleration-engine RAM allocated for cache when


application acceleration is enabled.
Default: 20

Application Delivery
Client Table

Maximum number of entries in the Client Table.

L3 Client Table

Size of the Layer 3 Client Table, as a percentage of the Client Table


size.
Default: 20

RADIUS Attributes Table

Maximum number of entries in the RADIUS Attributes Table.

(This parameter is not


available in AppDirector 2.14
and later.)
Static DNS Persistency Table

Maximum number of entries in the Static DNS Persistency Table.

Dynamic DNS Persistency


Entries

Maximum number of entries in the Dynamic DNS Persistency Table.

Session Table

Maximum number of session entries in table.

Session Passive Protocols


Table

Maximum number of session passive protocols entries in the table.

148

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 72: Tuning Parameters in AppDirector 2.11 and Later

Parameter

Description

Session Resets Entries

Maximum number of sessions that the device tracks to send RESET


in case Send Reset To Server is enabled in the Session Table.

Proximity Subnets

Maximum number of entries in the Dynamic Proximity Table.

Table 73: Tuning Parameters in AppDirector 1.07.12

Parameter

Description
Device Tuning

Bridge Forwarding Table

The maximum number of entries currently available in the Bridge


Forwarding Table (bridging ports per destination MAC address).

IP Forwarding Table

The maximum number of entries currently available in the IP


Forwarding Table.

ARP Forwarding Table

The maximum number of entries allowed in the ARP Table.


The ARP table contains the IP address and corresponding MAC
address (physical address) of each network element connected to
the device. If an element is disconnected from the device, the
elements ARP record will be maintained until the timeout value is
exceeded.

Routing Table

Maximum number of entries in the Routing Table.

Host Name Table

Maximum number of entries in the Host Names Table.

Requests Table

Maximum number of entries in the Requests Table as used by all


delayed binding based mechanisms, for example, SSL ID tracking,
Layer 4 Policies, and so on.

Session IDs

Maximum number of entries in the Session ID Table.


Default table size:16,384
Maximum: 256,000

Network Segments

Maximum number of network segments that can be configured


(network segments supported when the device uses the
Segmentation feature).

L4 Policies

Maximum number of Layer 4 policies that can be defined on the


device.

Application Delivery
Client Table

Maximum number of entries in the Client Table.

L3 Client Table

Size of the Layer 3 Client Table, as a percentage of the Client Table


size.
Default: 20

RADIUS Attributes Table

Maximum number of entries in the RADIUS Attributes Table.

Static DNS Persistency Table

Maximum number of entries in the Static DNS Persistency Table.

Dynamic DNS Persistency


Entries

Maximum number of entries in the Dynamic DNS Persistency Table.

Session Table

Maximum number of session entries in table.

Document ID: RDWR-APSV-V0130_UG1205

149

APSolute Vision User Guide


Basic Device Configuration

Table 73: Tuning Parameters in AppDirector 1.07.12

Parameter

Description

Session Passive Protocols


Table

Maximum number of session passive protocols entries in the table.

Session Resets Entries

Maximum number of sessions that the device tracks to send RESET


in case Send Reset To Server is enabled in the Session Table.

Configuring Tuning Parameters for DefensePro

To configure device tuning parameters


1.

In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters.

2.

To change the current setting, enter the new value in the After Reset column.

3.

Click
(Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.

Note: Radware recommends performing a memory check before rebooting the device.

Table 74: Device Tuning Parameters

Parameter
IP Fragmentation Table

Description
The maximum number of IP fragments that the device stores.
Values: 1256,000
Default: 1240

Session Table

The maximum number of sessions that the device can track.


Values: 204,000,000
Default per model:
x06 and x0162,000,000
x412-NL-O3,000,000
x412-NL-Q3,100,000
x412-BP-O3,000,000
x412-BP-Q2,900,000

Session Resets Entries

The maximum number of sessions that the device tracks to


send RESET when Send Reset To Server is enabled in the
Session table.
Values: 110,000
Default: 1000

Routing Table

The maximum number of entries in the Routing table.


Values: 2032,767
Default: 64

150

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 74: Device Tuning Parameters

Parameter

Description

Pending Table

The maximum number of new simultaneous dynamic sessions


the device can open.
Values: 1616,000
Default: 1024

SIP Call Table

The maximum number of SIP calls the device can track.


Values: 16256,000
Default: 1024

TCP Segmentation Table

The maximum number of TCP Segments. This parameter is


used when SIP Protocol is enabled and SIP is running over TCP.
Values: 132,768
Default: 256

Configuring Security Tuning


APSolute Vision supports the Security module in AppDirector 2.30 and later and DefensePro.
The security tables store information about sessions passing through the device and their sizes,
correlating them to the number of sessions. Some tables store Layer 3 information for every sourcedestination address pair of traffic going through the device requiring an entry for each combination.
Some tables keep information about Layer 4 sessions. Every combination of source address, source
port, destination address and destination port requires its own entry in the table.

Note: Layer 4 tables are larger than Layer 3 tables. TCP clients, using HTTP, may open several
TCP sessions to one destination address.
Each security table is responsible for clearing tables of old entries that are no longer required, and
ensuring that traffic is properly classified and inspected.

To configure security tuning


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > Security.
2. Configure the tuning parameters.

Table 75: Application Security Tuning Parameters for AppDirector

Parameter

Description

Max. Number of Service


Protection Service

The maximum number of entries in the Service Protection policy.

Max. Number of BDoS Policies

The maximum number of configurable Behavioral DoS policies.

Document ID: RDWR-APSV-V0130_UG1205

151

APSolute Vision User Guide


Basic Device Configuration

Table 75: Application Security Tuning Parameters for AppDirector

Parameter

Description

Max. Number of Entries in


Counter Target Table

The maximum number of sessions in which a Destination address


is tracked.
Some attack signatures use thresholds per destination for
activation. The Counter Target Table counts the number of times
traffic to a specific destination matches a signature. When the
number of packets sent to a particular destination exceeds the
predefined limit, it is identified as an attack.

Max. Number of Entries in


Counter Source Table

The maximum number of sessions in which a source address is


tracked.
Some attack signatures use thresholds per source for activation.
The Counter Source Table counts the number of times traffic
from a specific source matches a signature. When the number of
packets sent from a particular source exceeds the predefined
limit, it is identified as an attack.

Max. Number of Entries in


The maximum number of sessions in which Source and
Counter Source and Target Table Destination addresses are tracked.
Some signatures use thresholds per source and destination for
activation. The Counter Source & Target Table counts the
number of times traffic from a specific source to a specific
destination matches a signature. When the number of packets
sent from a particular source to a particular destination exceeds
the predefined limit, it is identified as an attack.
Max. Number of Concurrent
Active DoS Shield Protections

The maximum number of filters tracked.

Max. Number of Entries in


Counters Report

The maximum number of entries for reports on active concurrent


Tracking Signatures attacks.

Max. Number of Entries in


Counters Service Cracking
Protection

The maximum number of entries for concurrent active Service


Cracking protections.

DoS Shield filters use thresholds for activation. This table counts
the number of times traffic matches a DoS Shield signature per
policy. When the number of packets exceeds the predefined limit,
it is identified as an attack.

Max. Number of Entries in DHCP The number of MAC addresses to check for IP requests.
Table
The DHCP Discover table detects attacks by counting the IP
requests for each MAC address. The requests are made using
Dynamic Host Configuration Protocol. When the number of IP
requests for a particular MAC address exceeds the predefined
limit, it is identified as an attack.
Max. Number of Entries in
Generic Signature Table

The maximum number of entries for concurrent active scanning


protections.

Max. Number of Signatures


Configured by User

The maximum number of user-configurable IPS signatures.

Max. Number of Source IPs in


Suspend Table

The maximum number of hosts that the Suspend table is able to


block simultaneously.
This value affects the abilities of other defenses, such as, AntiScanning, Service Cracking, and SYN protection.

152

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 76: Security Tuning Parameters for DefensePro

Parameter

Description

Max. Number of HTTP Mitigator


Suspect Sources

The maximum number of suspect sources in HTTP Mitigation


policies.
Values: 1000500,000
Default: 100,000

Max. Number of Server


Protection Servers

The maximum number of entries in the Server Protection policy.


Values: 10010,000
Default: 350

Max. Number of BDoS Policies

The maximum number of configurable Behavioral DoS policies.


Values: 1100
Default: 10

Max. Number of DNS Policies

The maximum number of configurable DNS Flood Protection


policies.
Values: 1100
Default: 10

Max. Number of Anti-Scanning IP The maximum number of source IP addresses that the device
Pairs
stores for anti-scanning purposes.
Values: 10,0001,000,000
Default: 100,000
Max. Number of Entries in
Counter Target Table

The maximum number of sessions in which a Destination address


is tracked.
Some attack signatures use thresholds per destination for
activation. The Counter Target Table counts the number of times
traffic to a specific destination matches a signature. When the
number of packets sent to a particular destination exceeds the
predefined limit, it is identified as an attack.
Values: 10065,536
Default: 65,536

Max. Number of Entries in


Counter Source Table

The maximum number of sessions in which a source address is


tracked.
Some attack signatures use thresholds per source for activation.
The Counter Source Table counts the number of times traffic
from a specific source matches a signature. When the number of
packets sent from a particular source exceeds the predefined
limit, it is identified as an attack.
Values: 10065,536
Default: 65,536

Document ID: RDWR-APSV-V0130_UG1205

153

APSolute Vision User Guide


Basic Device Configuration

Table 76: Security Tuning Parameters for DefensePro

Parameter

Description

Max. Number of Entries in


The maximum number of sessions in which Source and
Counter Source and Target Table Destination addresses are tracked.
Some signatures use thresholds per source and destination for
activation. The Counter Source & Target Table counts the
number of times traffic from a specific source to a specific
destination matches a signature. When the number of packets
sent from a particular source to a particular destination exceeds
the predefined limit, it is identified as an attack.
Values: 10065,536
Default: 65,536
Max. Number of Concurrent
Active DoS Shield Protections

The maximum number of filters tracked.


DoS Shield filters use thresholds for activation. This table counts
the number of times traffic matches a DoS Shield signature per
policy. When the number of packets exceeds the predefined limit,
it is identified as an attack.
Values: 10016,000
Default: 10,000

Max. Number of Entries in


Counters Report

The maximum number of entries for reports on active concurrent


Tracking Signatures attacks.
Values: 10064,000
Default: 20,000

Max. Number of Entries in


Counters Server Cracking
Protection

The maximum number of entries for concurrent active Server


Cracking protections.
When the Server Cracking protection feature is enabled,
DefensePro uses one entry in this table whenever DefensePro
receives a response from the server that can indicate a potential
Server Cracking attack. The entry includes the IP address of the
potential attacker, the protected server, and the protocol. The
entry remains in use as long as DefensePro receives such server
responses.
Values: 10065,536
Default: 100

Max. Number of Entries in DHCP The number of MAC addresses to check for IP requests.
Table
The DHCP Discover table detects attacks by counting the IP
requests for each MAC address. The requests are made using
Dynamic Host Configuration Protocol. When the number of IP
requests for a particular MAC address exceeds the predefined
limit, it is identified as an attack.
Values: 10064,000
Default: 100
Max. Number of Entries in
Generic Signature Table

The maximum number of entries for concurrent active scanning


protections.
Values: 100100,000
Default: 10,000

154

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 76: Security Tuning Parameters for DefensePro

Parameter

Description

Max. Number of Signatures


Configured by User

The maximum number of user-configurable IPS signatures and


RSA signatures. DefensePro can store up to 500 concurrent RSA
signatures.
Values: 1010,000
Default with fraud protection not enabled: 100
Default with fraud protection not enabled: 3,000
Note: RSA signatures on the device accumulate until the
device ages them. The device ages RSA signatures
according to the specified aging times, Phishing
Signatures Aging, Drop Points Aging, and Malicious
Download Aging. If the Max. Number of Signatures
Configured by User is greater than 500, and number of
RSA signatures reaches 500, you cannot add any new
RSA signature. If you must add new RSA signatures
immediately, you can reduce the aging time, add the
RSA signature, and increase the aging time as
appropriate.

Max. Number of Source IPs in


Suspend Table

The maximum number of hosts that the Suspend table is able to


block simultaneously.
This value affects the abilities of other defenses, such as, AntiScanning, Server Cracking, and SYN protection.
Values: 1000100,000
Default: 10,000

Max. Number of Concurrent


Connection Packet Rate Limit
Attacks

The maximum number of concurrent Connection Packet Rate


Limit attacks that the device can handle.
Values: 51000
Default: 50

Configuring SYN Protection Tuning for Defense Pro


SYN Flood Protection tuning is relevant for DefensePro only.
SYN tables are used to define SYN Flood protection.

To configure SYN Protection tuning


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > SYN Protection.
2. Configure the tuning parameters.

Document ID: RDWR-APSV-V0130_UG1205

155

APSolute Vision User Guide


Basic Device Configuration

Table 77: SYN Protection Tuning Parameters

Parameter

Description

SYN Protection Table

The number of entries in the table that stores data regarding the
delayed binding process. An entry exists in the table from the
time a client starts the three-way handshake until the handshake
is complete.
Values: 10500,000
Default: 200,000

SYN Protection Requests Table

The number of entries in the table that stores the ACK, or data
packet, the client sends, until the handshake with the server is
complete and the packet is sent to the server.
The Request table and the SYN Protection table are
approximately the same size while the Triggers table is much
smaller.
Values: 10500,000
Default: 200,000

SYN Protection Signature


Detection Entries

The number of entries in the table that stores active triggers


that is, the destination IP addresses/ports from which the device
identifies an ongoing attack.
Values: 100020,000
Default: 1000

SYN Statistics Entries

The number of entries in the SYN Flood Statistics table.


Values: 100020,000
Default: 1000

Configuring Authentication Table Tuning


Authentication Table tuning is available only in DefensePro 6.00 and later.

To configure Authentication Table tuning


1.

In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > Authentication Tables.

2.

Configure the tuning parameters.

Table 78: Authentication Table Tuning Parameters

Parameter

Description
Authentication Table Tuning

HTTP Authentication Table Size

The number of sources in the HTTP Authentication table.


DefensePro uses the HTTP Authentication table in HTTP Flood
profiles and the HTTP Authentication feature in a SYN Protection
profile.
Values: 500,0002,000,000
Default: 2,000,000

156

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Table 78: Authentication Table Tuning Parameters

Parameter

Description

TCP Authentication Table Size

The number of sources in the TCP Authentication table.


DefensePro uses the TCP Authentication table for the Safe Reset
Authentication Method feature in SYN Protection profiles.
Values: 500,0002,000,000
Default: 2,000,000
Note: For x412 platforms, the value is fixed at the default
2,000,000, and cannot be tuned.

Authentication Tables Aging


This group box and the parameters in it are available only in DefensePro 6.05 and later.
HTTP Authentication Table Aging The time, in seconds, that the device keeps idle sources in the
HTTP Authentication table.
Values: 603600
Default: 1200
TCP Authentication Table Aging

The time, in seconds, that the device keeps idle sources in the
TCP Authentication table.
Values: 603600
Default: 1200

DNS Authentication Table Aging

The time, in minutes, that the device keeps idle sources in the
DNS Authentication table.
Values: 160
Default: 20
Note: The DNS Authentication Table Aging text box is
empty if DNS Flood Protection has not been enabled on
the device (Configuration perspective > Security
Settings > DNS Flood Protection > Enable DNS
Flood Protection). You can, however, enter a value
even if DNS Flood Protection is not enabled, and the
value will persist.

Configuring Classifier Tuning


APSolute Vision supports the classifier (that is, Classes) module in AppDirector 2.30 and later and
DefensePro 5.10 and later.
A Classifier packet first flows into the system through the classifier. The classifier handles the packet
according to the Bandwidth Management policy that best matches the packet and by these tuning
parameters. You can view and edit the Classifier tuning parameters. The changes take effect after a
device reset.

To configure classifier tuning


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > Classifier.
2. To change the current setting, enter the new value in the After Reset column.

Document ID: RDWR-APSV-V0130_UG1205

157

APSolute Vision User Guide


Basic Device Configuration
3.

Click
(Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.

Note: Radware recommends performing a memory check before rebooting the device.

Table 79: Classifier Tuning Parameters

Parameter

Description

Max. Number of Networks

The maximum number of entries in the table for ranges.


Values: 3210,000
Default: 256

Max. Number of Discrete IP


Addresses per Network

The maximum number of entries in the table for IP addresses


that are allocated to a network.
Values: 161024
Default: 64

Max. Number of Subnets per


Network

The maximum number of entries in the table for network


subnets.
Values: 16256
Default: 64

Max. Number of MAC Groups

The maximum number of entries in the table for MAC groups.


Values:162048
Default: 128

Max. Number of Filter Entries

The maximum number of entries in the table for basic filters.


Values:5122048
Default: 512

Max. Number of AND Groups

The maximum number of entries in the advanced filters table for


AND groups.
Values: 2562048
Default: 256

Max. Number of OR Groups

The maximum number of entries in the advanced filters table for


OR groups.
Values: 2562048
Default: 256

Max. Number of Application


Ports Groups

The maximum number of entries in the table for application port


groups.
Values: 322000
Default: 512

Max. Number of Content Entries The maximum number of content entries in the table.
Values: 164096
Default: 256

158

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Basic Device Configuration

Configuring BWM Tuning


APSolute Vision supports the Bandwidth Management module in AppDirector 2.30 and later and
DefensePro 5.10 and later.
You can view and edit the bandwidth-management (BWM) tuning parameters. The changes take
effect after a device reset.

To configure BWM tuning


1. In the Configuration perspective Advanced Parameters tab navigation pane, select Tuning
Parameters > BWM.
2. To change the current setting, enter the new value in the After Reset column.
3. Click
(Submit) to submit the changes. You can reboot immediately or at a later time.
Changes will not take effect until after reboot.

Note: Radware recommends performing a memory check before rebooting the device.

Table 80: BWM Tuning Parameters

Parameter

Description

Policy Table

The number of policy entries in the table.


Values for AppDirector: 210,000
Values for DefensePro: 256150,000
Default: 1024

Policy Leaves

The percentage of hierarchical BWM leaves (that is, hierarchical


BWM policies without a child policy) out of the total number of
policies that the device supports.
Values: 50100
Default: 100

BW per Traffic Flow sessions


tracking

The number of traffic flows for which the device can provide
bandwidth or limit the number of sessions.
Values: 16400,000
Default: 2048

Destination Table

Displays the number of destination address entries in the table.


Values: 64128,000
Default: 256

Configuring SDM Tuning


SDM tuning is available only in DefensePro 6.00 and later.

Document ID: RDWR-APSV-V0130_UG1205

159

APSolute Vision User Guide


Basic Device Configuration

To configure SDM tuning


1.

In the Configuration perspective Advanced Parameters tab navigation pane, select


Tuning Parameters > SDM.

2.

Configure the tuning parameter.

Table 81: SDM Tuning Parameter

Parameter

Description

SDM Table Size

The size of the SDM table.


Values: Small, Medium, Large
Default: Medium

160

Document ID: RDWR-APSV-V0130_UG1205

Chapter 6 Device Network Configuration


You can perform the following networking configuration tasks for managed devices:

Configuring Device IP Interfaces, page 161

Managing IP Routing, page 164

Configuring Ports, page 180

Configuring AppDirector Redundancy, page 190

Configuring AppDirector VLANs, page 214

Configuring Segmentation for AppDirector, page 218

Configuring AppDirector Advanced Networking Parameters, page 223

Configuring DefensePro Redundancy, page 225

Configuring Basic Networking Parameters in DefensePro, page 226

Configuring Port Pairs for DefensePro, page 230

Configuring SSL Inspection for DefensePro, page 232

Configuring Device IP Interfaces


AppDirector and DefensePro perform routing between all IP interfaces defined on its Layer 2
interfaces (ports, trunks, and VLANs). They also perform routing based on other network layers,
such as Layer 4 and Layer 7.

To configure IP interfaces
1.

2.

3.

In the Configuration perspective Networking tab navigation pane:

(AppDirector) Select IP Interfaces.

(DefensePro) Select IP Management.

Do one of the following:

To add an IP interface, click the

(Add) button.

To edit an IP interface, double-click the row.

Configure the parameters; and then, click OK.

Document ID: RDWR-APSV-V0130_UG1205

161

APSolute Vision User Guide


Device Network Configuration

Table 82: IP Interface Parameters

Parameter

Description

IP Address

IP address of the interface.

Prefix Length

The prefix length that defines the subnet attached to this IP


interface.

(This parameter is available only


in AppDirector 2.30 and later.)

For IPv4, the prefix length varies between subnets to subnets,


and renumbering subnets can be expensive. With IPv4, the
allocation varies according to the size of the site, which can be a
problem when you migrate from one ISP to another.
IPv4 values: 032
For IPv6, the prefix length is a decimal value that indicates the
number of contiguous, higher-order bits of the address that
comprise the network portion of the address. For example,
10FA:6604:8136:6502::/64 is a possible IPv6 prefix. The prefix
length for an IPv6 subnet will always be less than 64. It allows
you to place as many IPv6 devices as the underlying network
medium allows.
IPv6 values: 064

Mask

The associated subnet mask.

(This parameter is available only


in DefensePro and AppDirector
versions prior to 2.30.)
Interface Index
(This parameter is available only
in AppDirector 2.30 and later.)
Port
(This parameter is available only
in DefensePro and AppDirector
versions prior to 2.30.)
Forward Broadcast
(This parameter is available only
for IPv4 interfaces.)

The interface identifier, for example, G-1. The configured trunk


and VLAN interfaces are included in the list.
The interface identifier, for example, G-1. In AppDirector, the
configured trunk and VLAN interfaces are included in the list.

Specifies whether the device forwards incoming broadcasts to


this interface.
Default: Enabled

Broadcast Address

Specifies whether to fill the host ID in the broadcast address


(This parameter is displayed only with ones or zeros.
for IPv4 interfaces.)
Values:
Fill 1Fill the host ID in the broadcast address with ones.
Fill 0Fill the host ID in the broadcast address with zeros.
Default: Fill 1
VLAN Tag

The VLAN tag to be associated with this IP Interface. When


multiple VLANs are associated with the same switch port, the
switch must identify to which VLAN to direct incoming traffic
from that specific port. VLAN tagging provides an indication in
the Layer 2 header that enables the switch to make the correct
decision.

Peer IP Address

The IP address of the interface on the peer device, which is


required in a redundant configurationthat is, a cluster for high
availability.
Default: 0.0.0.0

162

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 82: IP Interface Parameters

Parameter

Description

Prefix Onlink

Specifies whether the addresses with that prefix can be reached


(This parameter is displayed only directly without going through a router. The prefix list in the
for IPv6 interfaces in AppDirector Neighbor Discovery cache table defines a set of IP address
ranges that the host can reach. The prefix flags are L for on-link,
2.30 and later.)
and A for autonomous.
Default: Enabled
Prefix Autonomous

Specifies whether the prefix came from stateless


(This parameter is displayed only autoconfiguration. The prefix list in the Neighbor Discovery
for IPv6 interfaces in AppDirector cache table defines a set of IP address ranges that the host can
reach. The prefix flags are L for on-link, and A for autonomous.
2.30 and later.)
Default: Disabled
Preferred Lifetime

The router advertisement preferred life time, in seconds.

(This parameter is displayed only Values: 1Infinite


for IPv6 interfaces in AppDirector Default: Infinite
2.30 and later.)
Valid Lifetime

The router advertisement valid life time, in seconds.

(This parameter is displayed only Values: 1Infinite


for IPv6 interfaces in AppDirector Default: Infinite
2.30 and later.)
Address Origin

(Read-only) The origin of the address.

(This parameter is displayed only Values:


in AppDirector 2.30 and later.)
otherThe address may include a random chosen address
or well-known value for example, an IANA assigned anycast
address.
manualThe address was manually configured.
dhcpThe address was assigned to this system by a DHCP
server.
linklayerThe address was created by IPv6 stateless
autoconfiguration.

Document ID: RDWR-APSV-V0130_UG1205

163

APSolute Vision User Guide


Device Network Configuration

Table 82: IP Interface Parameters

Parameter

Description

Status

(Read-only) The current status of the IP interface.

(This parameter is displayed only Values:


in AppDirector 2.30 and later.)
PreferredThis is a valid address that can appear as the
destination or source address of the packet.
DeprecatedThis is a valid but deprecated address that
should no longer be used as a source address in new
communications, but packets addressed to such an address
are processed as expected.
InvalidThis is not valid address which should not appear
as the destination or source address of a packet.
InaccessibleThe address is not accessible because the
interface to which this address is assigned is not
operational.
UnknownThis address is unknown.
TentativeThe uniqueness of the address on the link is
being verified.
DuplicateThe address has been determined to be nonunique on the link and so must not be used.
OptimisticThe address is available for use, subject to
restrictions, while its uniqueness on a link is being verified.
This value is designed to minimize address configuration
delays and to reduce disruption.

Managing IP Routing
Radware devices forward IP packets to their destination using an IP routing table. This table stores
information about the destinations and how they can be reached. By default, all networks directly
attached to the device are registered in the IP routing table. Other entries can either be statically
configured or dynamically created through the routing protocol.
The following topics describe how to configure IP routing:

Configuring IP Routing in AppDirector, page 164

Configuring IP Routing in DefensePro, page 166

Configuring IP Routing in AppDirector


When an AppDirector device forwards an IP packet, the IP Routing table is used to determine the
next-hop IP address and the next-hop interface as follows:

For a direct delivery (the destination is a neighboring node), the next-hop MAC address is the
destination MAC address for the IP packet.

For indirect delivery (the destination is not a neighboring node), the next-hop MAC address is
the IP router address according to the IP Routing table.

The destination IP address does not change from source to destination. The destination MAC
(Layer 2 information) is manipulated to move a packet across networks.

The MAC of the destination host is applied once the packet arrives on the destination network.

164

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration
Dynamic addition and deletion of IP interfaces is supported. This ensures that extremely low latency
is maintained. The IP router supports RIP 1, RIP 2, and OSPF routing protocols OSPF and its MIB are
supported as specified in RFC 1583 and RFC 1850, with some limitations. You can configure static
routing and define the default gateway.

To configure static routes


1. In the Configuration perspective Networking tab navigation pane, select IP Routing.
2. Do one of the following:

To add an entry in AppDirector 2.30 and later, click the


the option for the IP version that you require.

(Add) button; and then, choose

To add an entry in AppDirector versions prior to 2.30, click the

To edit an entry, double-click the entry in the table.

(Add) button.

3. Configure the parameters; and then, click OK.


4. Configure the static route settings and click OK.
5. Configure global advanced parameters, if required.

Notes:
>> When editing a static route, you can modify only the Via Interface and Metric fields.
>> The Type field is displayed only in the Static Routes Table, not in the dialog box. It
cannot be configured.

Table 83: Static Route Parameters

Parameter

Description

Destination Network

The destination network to which the route is defined.

Prefix Length

The prefix length that defines the subnet attached to this IP interface.

(This parameter is
available only in
AppDirector 2.30 and
later.)

For IPv4, the prefix length varies between subnets to subnets, and
renumbering subnets can be expensive. With IPv4, the allocation varies by
the size of the site, which can be a problem when you migrate from one
ISP to another.
For IPv6, the prefix length is a decimal value that indicates the number of
contiguous, higher-order bits of the address that make up the network
portion of the address. For example, 10FA:6604:8136:6502::/64 is a
possible IPv6 prefix. The prefix length for an IPv6 subnet will always be
less than 64. It allows you to place as many IPv6 devices as the
underlying network medium allows.
IPv4 values: 032
IPv6 values: 064

Netmask

Network mask of the destination subnet.

(This parameter is not


available in
AppDirector 2.30 and
later.)

Document ID: RDWR-APSV-V0130_UG1205

165

APSolute Vision User Guide


Device Network Configuration

Table 83: Static Route Parameters

Parameter

Description

Next Hop

IP address of the next hop toward the Destination subnet. (The next hop
always resides on the subnet local to the device.)

Via Interface

The local interface or VLAN through which the next hop of this route is
reached. This can be the port name, trunk name, or VLAN ID.

Type

(Read-only) This field is displayed in the Static Routes table.


Values:
LocalThe subnet is directly reachable from the device.
RemoteThe subnet is not directly reachable from the device.

Metric

The metric value defined or calculated for this route.

Table 84: IP Routing Global Advanced Parameters

Parameter

Description

Enable Proxy ARP

When enabled, a network host answers ARP queries for the network
address that is not configured on the receiving interface. Proxying ARP
requests on behalf of another host effectively directs all LAN traffic
destined for that host to the proxying host. The captured traffic is then
routed to the destination host via another interface.
Default: Enabled

Enable Sending Trap on The Internet Control Message Protocol (ICMP) is one of the core protocols
ICMP Error
of the Internet Protocol Suite and is used by networked computers
operating systems to send error messagesindicating, for example, that
a requested service is not available, or that a host or router could not be
reached.
When this option is enabled, a trap is sent when there is an ICMP error
message.
Default: Enabled
Default Network
(This parameter is
available only in
AppDirector 1.07.12.)

The network from whose announcements the device will discover its
default gateway.
AppDirector selects as default gateway the router that was announced as
next hop router for the default network with the best metric (lowest
metric).
When a default network is configured, but the device also receives default
route announcements, the default gateway is selected according to default
route announcements.

Configuring IP Routing in DefensePro


IP routing is performed between DefensePro IP interfaces, while bridging is performed within an IP
interface that contains an IP address associated with a VLAN.

166

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

To configure IP routing
1. In the Configuration perspective Networking tab navigation pane, select IP Management > IP
Routing.
2. Do one of the following:

To add a static route, click the

(Add) button.

To edit a static route, double-click the row.

3. Configure the static route settings and click OK.


4. Configure global advanced parameters, if required.

Notes:
>> When editing a static route, you can modify only the Via Interface and Metric fields.
>> The Type field is displayed only in the Static Routes Table, not in the dialog box. It
cannot be configured.

Parameter

Description

Enable Proxy ARP

When enabled, a network host answers ARP queries for the network
address that is not configured on the receiving interface. Proxying ARP
requests on behalf of another host effectively directs all LAN traffic
destined for that host to the proxying host. The captured traffic is then
routed to the destination host via another interface.
Default: Enabled

Enable Sending Trap on The Internet Control Message Protocol (ICMP) is one of the core protocols
ICMP Error
of the Internet Protocol Suite and is used by networked computers
operating systems to send error messagesindicating, for example, that
a requested service is not available, or that a host or router could not be
reached.
Default: Enabled
Note: When this option is enabled, a trap is sent when there is an ICMP
error message.

Configuring ICMP
Internet Control Message Protocol (ICMP) is one of the core protocols of the Internet Protocol Suite
and is used by networked computers operating systems to send error messagesindicating, for
instance, that a requested service is not available or that a host or router could not be reached.

To modify ICMP interface parameters


1. In the Configuration perspective Networking tab navigation pane:

(AppDirector) Select IP Routing > ICMP.

(DefensePro) Select IP Management > IP Routing > ICMP.

Document ID: RDWR-APSV-V0130_UG1205

167

APSolute Vision User Guide


Device Network Configuration
2.

Double-click the row.

3.

Configure the ICMP settings and click OK.

Table 85: ICMP Interface Settings

Parameter

Description

IP Address

IP address of the interface.

Destination Address

IP destination address for multicast Router Advertisements sent from the


interface.
Values:
224.0.0.1The All Hosts multicast group that contains all systems on
the same network segment
255.255.255.255The limited-broadcast address

Advertise Interval
Minimum

The minimum time, in seconds, between sending unsolicited multicast


Router Advertisements from the interface.
Values: 3maximum specified interval
Default: 75% of the maximum specified interval

Maximum

The maximum time, in seconds, between multicast Router


Advertisements from the interface.
Values: minimum specified interval1800

Lifetime

The maximum time, in seconds, that the advertised addresses are


considered valid.
Values: Maximum specified interval9000
Default: Three times (3) the maximum interval

Advertise this Interface

Enables you to advertise the device IP using ICMP Router Advertise.

Preference Level

The preference level of the address as the default router address, relative
to other router addresses on same subnet.

Reset all Parameters to


Default

Resets ICMP interface parameters to default values.

Configuring the ARP Table


When Proxy ARP is enabled, a network host answers ARP queries for the network address that is not
configured on the receiving interface. Proxying ARP requests on behalf of another host effectively
directs all LAN traffic destined for that host to the proxying host. The captured traffic is then routed
to the destination host via another interface.
You can configure and manage the static ARP entries on the local router.

To configure the ARP table


1.

In the Configuration perspective Networking tab navigation pane:

(AppDirector) Select ARP Table.

(DefensePro) Select IP Management > ARP Table.

168

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration
2. Do one of the following:

To add a new entry, click the

To edit an entry, double-click the row.

(Add) button.

3. Configure the ARP parameters and click OK.


4. Modify advanced parameters, if required; and then click

(Submit) to submit the changes.

Table 86: ARP Parameters

Parameter

Description

Port

The interface number where the station resides.

IP Address

The stations IP address.

MAC Address

The stations MAC address.

Type

Entry type.
Values:
OtherNot Dynamic or Static.
InvalidInvalidates ARP entry and effectively deletes it.
DynamicEntry is learned from ARP protocol. If the entry is not
active for a predetermined time, the node is deleted from the table.
StaticEntry has been configured by the network management
station and is permanent.

Table 87: Advanced Parameters

Parameter

Description

Inactive ARP Timeout

The time, in seconds, that inactive ARP cache entries can remain in the
ARP table before the device deletes them. If an ARP cache entry is not
refreshed within a specified period, it is assumed that there is a problem
with that address.
Values: 19999999
Default: 60000

Configuring Spanning Tree Protocol in AppDirector


Spanning Tree Protocol (STP) prevents loops in networks and environments where there is more
than one path through which the traffic may pass. If a packet has numerous links, it can choose
which path to use, which may cause loops in the network. The STP algorithm makes a calculation
based on various parameters including the preferred path and logically blocks all other paths.
AppDirector supports the Rapid Spanning Tree Protocol (backwards compatible with STP), allowing
you to configure Spanning Tree on each VLAN of the device. Different VLANs may have different STP
settings.

Document ID: RDWR-APSV-V0130_UG1205

169

APSolute Vision User Guide


Device Network Configuration

Notes:
>> STP is not supported on OnDemand Switch 1 platforms.
>> Spanning Tree is supported only for IP-Regular and IP-Switch VLANs.
>> When working with STP in a redundant configuration, the VRRP redundancy mechanism
must be used, and the primary device must have the lowest Bridge ID.

Configuring STP Global Parameters and Defaults

To configure the STP basic parameters and defaults


1.

In the Configuration perspective Networking tab navigation pane, select STP.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Table 88: STP Basic Parameters and Defaults

Parameter
Enable Spanning Tree

Description
Specifies whether the device enables STP.
Default: Disabled

Defaults
Bridge Priority

The default priority of bridge. The lower the value, the higher the priority.
Values: 061440The values are in multiples of 4096.
Default: 32768

Hello Time Interval

The interval, in seconds, between two BPDU packets sent by device.


Values: 110
Default: 2

Bridge Max. Aging

The maximum time, in seconds, the device waits for a BPDU packet before
it tries to re-configure.
Values: 640
Default: 20

Forward Delay

The time, in seconds, that the device waits before changing the state of
the port.
Values: 430
Default: 15

Port Priority

The port priority. When two (or more) ports have the same value, the
device uses the port with the lowest MAC address.
Values: 0240
Default: 128

170

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Configuring Spanning Tree Instances


When there is more than one VLAN on the device, each VLAN can run its own instance of a Spanning
Tree with different parameters for each VLAN. When there are multiple VLANs on the device, you can
enable and disable the Spanning Tree for each VLAN.

Note: Spanning Tree per VLAN is supported only when the VLANs do not share any physical
ports (each VLAN has its own physical ports).

To configure Spanning Tree Instances


1. In the Configuration perspective Networking tab navigation pane, select STP > Instances.
2. Double-click the VLAN ID to edit.
3. Configure the parameters; and then, click OK.

Table 89: STP Instance Parameters

Parameter

Description

VLAN ID

The VLAN to apply these settings to. Alternatively, you may apply the
settings to multiple VLANs.

Enable STP

Specifies whether STP is enabled on the VLAN.

Bridge Priority

The default priority of the bridge.


Values: 061440The values are in multiples of 4096.
Default: 32768

Hello Time Interval

The interval, in seconds, between two BPDU packets sent by device.


Values: 110
Default: 2

Aging Time

The maximum time, in seconds, that the device waits for a BPDU packet
before it tries to re-configure.
Values: 640
Default: 20

Forward Delay Time

The time, in seconds, the device waits before changing the state of the
port.
Values: 430
Default: 15

Configuring STP Ports


Within each VLAN, you can configure the behavior or individual physical ports. For example, ports
connected directly to servers do not need to wait for the forward delay timer to expire before they
start forwarding traffic. You can enable Mode Fast, which enables the device to forward traffic as
quickly as possible. You can also exclude any physical port from participating in the STP algorithm.

Document ID: RDWR-APSV-V0130_UG1205

171

APSolute Vision User Guide


Device Network Configuration

To configure Spanning Tree ports


1.

In the Configuration perspective Networking tab navigation pane, select STP > Ports.

2.

Double-click the port to edit.

3.

Configure the parameters; and then, click OK.

Table 90: STP Instance Parameters

Parameter

Description

Port ID

(Read-only) The identifier of the selected port.

VLAN ID

(Read-only) The VLAN to which the physical port belongs.

Enable STP

Specifies whether STP is supported on the port. When disabled, the


physical port does not participate in STP.
Default: Enabled

Priority

The port priority. When two (or more) ports have the same value, the
device uses the port with the lowest MAC address.
Values: 0240The values are in multiples of 16.
Default: 128

Path Cost

The spanning tree path cost for this port. The values are defined according
to port speed, but you can also change the value.
Port speed versus path cost:
10Mbps100
1Gbps 4
100Mbps19
10Gbps2
Values: 165,535

Enable Fast Mode

Specifies whether the port changes its status to the forwarding state.
Default: Disabled

Configuring NHRs in AppDirector


Each host or router handling a packet examines the destination address in the IP header, computes
the next hop that will bring the packet one step closer to its destination, and delivers the packet to
the next hop, where the process is repeated. A next-hop router (NHR) is a network element used for
outbound traffic in AppDirector multi-homing configurations. NAT addresses can be associated with
NHRs, similar to the way VIPs are associated with NHRs. The devices next-hop routers are listed in
the NHR table.
All next-hop routers connected to the AppDirector are defined in the NHR table. NHRs are associated
with the Virtual IP addresses of the device using the VIP NHR table.

172

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

To configure NHRs
1. In the Configuration perspective Networking tab navigation pane, select IP Routing > NHRs.
2. Do one of the following:

To add an NHR entry, click the

(Add) button.

To edit an NHR entry, double-click the row.

3. Configure NHR parameters and click OK.

Table 91: NHR Parameters

Parameter

Description

NHR IP Address

IP address of required NHR (next-hop router).

Enabled

The status of the NHR, enabled or disabled.

Physical Port

(View-only in NHR table) The number of the selected management


port.

Health Check
Method

Method that device uses to verify the NHRs health via the Path Health
Check IP, Ping or Disable.

Path Health Check IP

IP address of network element to be checked via this NHR to establish


the health status of this router.

Interval (sec.)

Interval, in seconds, between checks.

Number of Retries

Amount of checks that the device should perform without reply before
it acknowledges that the router is offline.

Configuring VIP-NHR Interfaces in AppDirector


You can associate a next hop router, configured in the NHR Table, to a virtual IP address configured
on the device.
The VIP NHR table is enabled only when the packet is destined for the default gateway of the box.
Due to the static route, the packet was not destined for the default gateway so in these instances
the VIP NHR table is not enabled. The NHR per VIP feature works only for traffic that matches the
devices default gateway.
Before defining the VIP NHR table, add a new NHR to the network and set up the general NHR
parameters.

To configure VIP-NHR interfaces


1. In the Configuration perspective Networking tab navigation pane, select IP Routing > VIPNHR.
2. Do one of the following:

To add a VIP-NHR entry, click the

To edit a VIP-NHR entry, double-click the row.

Document ID: RDWR-APSV-V0130_UG1205

(Add) button.

173

APSolute Vision User Guide


Device Network Configuration
3.

Configure the parameters; and then, click OK.

Table 92: VIP-NHR Parameters

Parameter

Description
Health Check

VIP Address

The required Virtual IP address.

Load Sharing

Enable/disable load sharing between primary and backup next hop routers,
based on relative weights.
Values:
Layer 3 HashingTraffic sent through both configured and backup NHR.
Load sharing is based on Layer 3 information (IP address).
Layer 4 HashingTraffic sent through both configured and backup NHR.
Load sharing is based on Layer 4 information (IP address and port).
DisabledTraffic sent via configured NHR only.
Default: Disabled

No Route Action

Determines action if both primary and backup next hop routers are offline.
Values:
DiscardThe packets are discarded.
Use Regular RoutingPackets are forwarded using Routing Table.

Main NHR
IP Address

The IP address of the required next hop router.

Weight

The relative amount of total traffic forwarded to the primary router when
Load Sharing is enabled.

Backup NHR
IP Address

The IP address of the backup next hop router.

Weight

The relative amount of total traffic forwarded to the backup router when Load
Sharing is enabled.

Configuring RIP in AppDirector


This feature is available only in AppDirector 1.07.12.
Routing Information Protocol (RIP) is a commonly used protocol for managing router information
within a self-contained network, such as a corporate Local Area Network (LAN) or an interconnected
group of such LANs. RIP is classified by the Internet Engineering Task Force (IETF) as one of several
internal gateway protocols (Interior Gateway Protocol). RIP is intended for small homogeneous
networks.
Using RIP, a gateway host (with a router) sends its entire Routing Table, which lists all the other
hosts that it recognizes, to its closest neighbor host every 30 seconds. The neighbor host then
passes the information on to its next available neighbor until all hosts within the network have the
same knowledge of the routing paths. This is known as Network Convergence. RIP uses a hop count
as a means to determine network distance. Each host with a router in the network uses the Routing
Table information to determine the next host to route a packet to a specified destination.
AppDirector supports RIP version 1 and RIP version 2.
VIP Advertising via Dynamic Routing enables you to achieve a redundant solution by using a single
AppDirector on each site, or by using a single AppDirector and a remote backup server within the
RIP or OSPF environment.

174

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

To configure RIP
1. In the Configuration perspective Networking tab navigation pane, select IP Routing > RIP.
2. Enable RIP and configure routes distribution.
3. To add or edit RIP interfaces, do one of the following:

To add a RIP interface, click the

(Add) button.

To edit an entry, double-click the row.

4. Configure the RIP interface settings and click OK.

Table 93: RIP Parameters

Parameter

Description

Enable RIP

Select to enable RIP in the router. When disabled, the process is not
active on any interface.

Routes Redistribution
Redistribute Static Routes

When enabled, all static routes learned via static are advertised into
RIP.

Redistribute RIP Routes

When enabled, all routes learned via OSPF are advertised into RIP.

Advertisement Interval

The RIP Advertisement interval, in seconds, where AppDirector sends


static routes advertisements via RIP.
Values: 165,535
Default: 30

Table 94: RIP Interface Parameters

Parameter

Description

IP Address

The IP address of the RIP interface.

Enabled

When enabled, the RIP process is active on the interface.

Outgoing RIP

The type of RIP to send.


Values:
RIP version 1Sending RIP updates compliant with RFC 1058.
RIP version 2Multicasting RIP-2 updates.
Do Not SendNo RIP updates are sent.

Incoming RIP

The type of RIP to receive.


Values:
RIP 1Accepting RIP 1.
RIP 2Accepting RIP 2.
Do Not ReceiveNo RIP updates are accepted.

Default Metric

Metric for default route entry in RIP updates originated on this


interface. 0 (Zero) indicates that no default route must be originated;
here, a default route through another router is propagated.

Document ID: RDWR-APSV-V0130_UG1205

175

APSolute Vision User Guide


Device Network Configuration

Table 94: RIP Interface Parameters

Parameter

Description

Virtual Distance

Virtual number of hops assigned to the interface. This enables finetuning of the RIP routing algorithm.

Auto Send

Enable this option to minimize network traffic when AppDirector is the


only router on the network.
Note: When enabled, the device advertises RIP messages with the
default metric only. This allows some stations to learn the
default router address. If the device detects another RIP
message, Auto Send is disabled.

Configuring OSPF in AppDirector


Open Shortest Path First (OSPF) is an interior gateway routing protocol developed for IP networks
and based on the shortest path first or link-state algorithm. Routers use link-state algorithms to
send routing information to all nodes in a network by calculating the shortest path to each node
based on a topography of the Internet constructed by each node. After sending the routing
information, each router sends the portion of the routing table (keeping track of routers to particular
network destinations) that describes the state of its own links, and sending the complete routing
structure (topography). Shortest path first algorithms allow you to perform more frequent updates.
With OSPF you can build a more stable network, as fast convergence prevents routing loops and
Count-to-Infinity (when routers continuously increment the hop count to a particular network).
An OSPF network is divided into areas, which have 32-bit area identifiers commonly, but not always,
written in the dotted decimal format of an IP address. Area identifiers are not IP addresses and may
duplicate, without conflict, any IP address.

To configure OSPF
1.

In the Configuration perspective Networking tab navigation pane, select IP Routing > OSPF.

2.

Configure OSPF parameters.

3.

To configure OSPF interfaces, select IP Routing > OSPF > OSPF Interfaces.

Table 95: OSPF Parameters

Parameter

Description

Enable OSPF

Select to enable OSPF in the router. When disabled, the process is not
active on any interface.

Router ID

ID number of router. To ensure uniqueness the router ID should be


defined as one of the router IP addresses.

Area ID

IP address of the area.

Import External Links into


AS

When selected, imports Autonomous System external link


advertisements.

Route Redistribution
Redistribute RIP Routes

176

Controls the redistribution of routes from RIP into OSPF. When


enabled, all routes inserted into the IP routing table via SNMP are
advertised into OSPF as external routes.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 95: OSPF Parameters

Parameter

Description

Redistribute Static Routes

When enabled, all static routes learned via static are advertised into
RIP.

Redistribute External
Direct Routes

Controls redistribution of direct routes external to OSPF into OSPF.


When enabled, all external routes are advertised into OSPF as
external.

Configuring OSPF Interfaces for AppDirector


You can add and update OSPF interface parameters and interface metrics.

To configure OSPF interfaces


1. In the Configuration perspective Networking tab navigation pane, select IP Routing > OSPF >
OSPF Interfaces.
2. To add or edit OSPF interfaces, do one of the following:

To add an OSPF interface, click the

To edit an entry, double-click the row.

(Add) button.

3. Configure the OSPF interface parameters and click OK.

Table 96: OSPF Interface Parameters

Parameter

Description

Enabled

When selected, the OSPF process is active on at least one interface.


When disabled, the process is not active on any interface.

IP Address

IP address of the OSPF interface.

Priority

Priority of the interface. Value 0 means that this router is not eligible to
become the designated router on the current network. If more than
one router has the same priority, then router ID is used.

Hello Interval

Number of seconds between Hello packets. All routers attached to a


common network must have the same Hello Interval.

Dead Router Period

Number of seconds routers Hello packets have not been seen before
routers neighbors declare the router down. The Time Before Declare
Router Dead value must be a multiple of the Hello Interval. All routers
attached to a common network must have a Time Before Declare
Router Dead value.

Authentication Type

Type of authentication key for the interface.


Values:
No authentication
Simple password

Authentication Key

Authentication key for the interface, if Simple Password is selected.

Metric

The metric of using this type of service on this interface. The default
value of the TOS 0 Metric is 10.

Document ID: RDWR-APSV-V0130_UG1205

177

APSolute Vision User Guide


Device Network Configuration

Configuring Border Gateway Protocol in AppDirector


Dynamic routing protocols, such as Border Gateway Protocol (BGP), announce and distribute routing
information between routers. AppDirector provides a redundant solution by using AppDirector and a
remote backup server that participate in the BGP environment. AppDirector works as a BGP peer,
supporting a single BGP instance (local AS), and does not route traffic based on BGP information.

To configure BGP
1.

In the Configuration perspective Networking tab navigation pane, select IP Routing > BGP.

2.

Configure the basic BGP basic parameters.

3.

Add or edit BGP peers as follows:


a.
b.

To add a BGP peer, click the


(Add) button; or to edit an entry, double-click the row.
Configure the BGP peer settings in the BGP Peer Table and click OK.

Table 97: BGP Basic Parameters

Parameter
Enable BGP

Description
Enables or disables BGP.
Default: Disabled

AppDirector AS

The AppDirectors Autonomous System number.


Default: 65,535

Initial Connection Delay


(This parameter is
available only in
AppDirector 2.14.03 and
later.)

The time, in seconds, to wait at device startup before establishing BGP


connections.
Values: 15120
Default: 15

Table 98: BGP Peer Table Parameters

Parameter

Description

Enabled

Enables or disables the BGP peer.


Default: Enabled

Peer IP Address

The IP address of the remote peer.

Connect Retry Time

The interval, in seconds, at which AppDirector will try to re-establish a


BGP connection with remote peer after TCP failure event.

178

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 98: BGP Peer Table Parameters

Parameter

Description

Hold Time

The hold time, in seconds, offered by AppDirector during BGP


connection establishment.
During the hold time, a peer must receive a keepalive or an update
message from the remote peer to consider the BGP connection active.
Values:
0Keepalive will not be sent by AppDirector, and AppDirector will
not expect keepalive messages from remote peer.
1 65,535
Default: 90

Keep Alive Interval

The interval, in seconds, used by AppDirector for sending keepalive


messages to the remote peer.
Values:
0Keepalive messages are not sent.
1 65,535
Default: 30

Configuring the Neighbor Cache in AppDirector


This feature is available only in AppDirector 2.30 and later.
The neighbor cache keeps track of the neighbors on the local links with which AppDirector is in
contact. The neighbor cache is the IPv6 parallel of the ARP table. The neighbors are either
dynamically discovered using neighbor discovery protocol or statically configured.

To configure the neighbor cache


1. In the Configuration perspective Networking tab navigation pane, select IP Routing >
Neighbor Cache.
2. Do one of the following:

To add an entry in AppDirector 2.30 and later, click the


Add New IPv6 Neighbor Cache Entry.

To edit an entry, double-click the entry in the table.

(Add) button; and then, select

3. Configure the parameters; and then, click OK.

Table 99: Neighbor Cache Parameters

Parameter

Description

Port

Interface identifier for neighbor cache entry.

IP Address

Neighboring nodes IPv6 address.

MAC Address

MAC address corresponding to neighboring nodes IPv6 address.

Document ID: RDWR-APSV-V0130_UG1205

179

APSolute Vision User Guide


Device Network Configuration

Table 99: Neighbor Cache Parameters

Parameter

Description

Type

The type of the neighbor-cache entry.


Values:
Dynamic
Invalid
Other
Static
Default: Static

State

The number of times this neighbor relationship has changed state, or


(This parameter is exposed an error has occurred.
only for existing entries)
Values:
Reachable
Stale
Delay
Probe
Invalid
Unknown
Incomplete

Configuring Ports
You can change the physical attributes of each port on the managed devicefor example, speed
and duplex mode.
You can also configure port trunking to combine physical network links into a single logical link for
increased bandwidth.

To configure ports
1.

In the Configuration perspective Networking tab navigation pane, select Port Configuration.

2.

To change a ports configuration, double-click the row.

3.

Configure the port settings and click OK.

Table 100: Port Configuration Parameters

Parameter

Description

Port

The index number of the port.

Speed

The traffic speed of the port.


Values: Ethernet, Fast Ethernet, Giga Ethernet, XG Ethernet
Note: According to standards, this parameter can be changed only for
copper ports. After this parameter is changed, auto-negotiation is
disabled.

180

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 100: Port Configuration Parameters

Parameter

Description

Duplex Mode

Specifies whether the port allows both inbound and outbound traffic (Full
Duplex) or one way only (Half Duplex).
Note: According to standards, this parameter can be changed only for
copper ports with a speed lower than Gigabit Ethernet. After this
parameter is changed, auto-negotiation is disabled.

Auto Negotiation

Specifies whether the port automatically detects and configures the speed
and duplex mode for the interface.

Configuring Link Aggregation


Use link aggregation, also called port trunking, to combine physical network links into a single
logical link for increased bandwidth.

Notes:
>> The same algorithm must be applied on the other switch in the trunk.
>> OnDemand Switch 1 and VL implement link aggregation via software and not at the
switch level, (these platforms do not include a Layer 2 switch hardware component).
Therefore, on these platforms, you cannot define trunks as port mirroring participants.

About Link Aggregation


Link aggregation, or port trunking, is a method of combining physical network links into a single
logical link for increased bandwidth. With link aggregation you can increase the capacity and
availability of the communications channel between devices (both switches and end stations) using
existing Fast Ethernet and Gigabit Ethernet technology. This is performed by using a set of multiple
parallel physical links between two devices grouped together to form a single logical link.
Link aggregation also provides load balancing where the processing and communications activity is
distributed across several links in a trunk, ensuring that no single link is overwhelmed. By taking
multiple LAN connections and treating them as a unified, aggregated link, you can achieve higher
link availability and increased link capacity.
Port trunking is supported according to the IEEE 802.3ad standard for link aggregation as follows:

Link aggregation is supported only on links using the IEEE 802.3 MAC.

Link aggregation is supported only on point-to-point links.

Link aggregation is supported only on links operating in Full Duplex mode.

Link aggregation is permitted only among links with the same speed and direction. On the
device bandwidth, increments are provided in units of 100Mbps and 1Gbps respectively.

The failure or replacement of a single link within a Link Aggregation Group will not cause failure
from the perspective of a MAC client.

MAC client traffic can be distributed across multiple links. To guarantee the correct ordering of
frames at the receiving-end station, all frames belonging to one conversation must be transmitted
through the same physical link. The algorithm for assigning frames to a conversation depends on the
application environment. Radware devices can define conversations on Layer 2, 3, or 4 information,
or on combined layers.
Using link aggregation, depending on the platform, you can define up to seven trunks. Up to eight
physical links can be aggregated into one trunk. AppDirector supports both static and dynamic
(LACP) trunks. In DefensePro, all trunk configurations are static. To provide optimal distribution for

Document ID: RDWR-APSV-V0130_UG1205

181

APSolute Vision User Guide


Device Network Configuration
different scenarios, the load sharing algorithm allows decisions based on source or destination (or
both) Layer 2 address (MAC), Layer 3 address (IP), and Layer 4 address (TCP/UDP port numbers).
These parameters are used as input for a hashing function.

Notes:
>> Only connected ports (Link Up) operating in Full Duplex mode can be attached to a
trunk.
>> You can define a management trunk (T-MNG) that includes only the management ports
(MNG-1 and MNG-2). The management ports cannot be a part of any other trunk. Using
the management trunk provides redundancy at the physical level for connectivity to the
management network. One link is active while the other is in backup mode. Failure of
the active link seamlessly activates the backup.
>> A port belonging to a trunk cannot be copied to another port (copy port).
>> In DefensePro, management ports that have preconfigured IP addresses cannot be
assigned to a trunk. Before attaching a physical port to a trunk, make sure that the port
is not used in any configuration (port mirroring, static forwarding).
>> In DefensePro, When a trunk is part of a protected segment definition, Port Operation in
the Port Pairs table must be set to Process mode for both directions of this segment.
>> In DefensePro, A trunk cannot be assigned with an IP address for management.
>> In DefensePro, Ports with internal bypass cannot be assigned into a trunk.
>> In DefensePro, It is not possible to set a port within a trunk as the Source or Destination
of SSL inspection.

Configuring Link Aggregation in AppDirector 2.30 and Later


Configuring link aggregation in AppDirector 2.30 and later involves the following:

Configuring the link-distribution hash parameters

Configuring the LACP parameters

Configuring the trunk parameters

You can also view the port-aggregation status of each physical port.

To configure link-distribution hash parameters and LACP parameters and view trunk
details
1.

In the Configuration perspective Networking tab navigation pane, select Link Aggregation. To
change a port assignment, double-click the corresponding row.

2.

Configure the parameters; and then, click OK.

182

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 101: Link-distribution Hash Parameters and LACP Parameters

Parameter

Description
Link Distribution Hash

Layer 2 Parameters

Specifies how the MAC address is used in the traffic distribution


algorithm.
Values:
No HashDo not use the MAC address.
Source MAC AddressUse the source MAC address.
Destination MAC AddressUse the destination MAC address.
Both MAC AddressesUse both the source and destination MAC
addresses.
Default: Both MAC Addresses

Layer 3 Parameters

Specifies if the IP address is to be used in the traffic distribution


algorithm.
Values:
No HashDo not use the IP address.
Source IP AddressUse the source IP address.
Destination IP AddressUse the destination IP address.
Both IP AddressesUse both the source and destination IP
addresses.
Default: Both IP Addresses

Layer 4 Parameters

Specifies if the application port is to be used in the traffic distribution


algorithm.
Values:
No HashDo not use the application port.
Source L4 PortUse the source application port.
Destination L4 PortUse the destination application port.
Both L4 PortsUse both the source and destination application
ports.
Default: Both L4 Ports

LACP
System ID

(Read-only) A six-octet MAC address value used as a unique identifier


for the system that contains this trunk (Aggregator).

System Priority

(Read-only) A two-octet value indicating the priority value associated


with the system.
Values: 0256
Default: 256

Document ID: RDWR-APSV-V0130_UG1205

183

APSolute Vision User Guide


Device Network Configuration

Editing Trunks in AppDirector 2.30 and Later

To edit a trunk in AppDirector 2.30 and later


1.

In the Configuration perspective Networking tab navigation pane, select Link Aggregation. To
change a port assignment, double-click the corresponding row.

Note: The Trunks table can display a column for each of the trunk parameters. However,
by default, the Trunks table displays only some of the parameters. To display or hide
columns, right-click in the table heading row and select or clear the check mark next
to the relevant parameters.
2.

Double-click the required row.

3.

Configure the parameters; and then, click OK.

Note: When a port is added into a trunk, it receives the trunk operation status. When a port is
removed from a trunk, it maintains its operational status.

Table 102: Trunk Parameters

Parameter

Description

Trunk Name

(Read-only) The name of the trunk.

LACP Mode

The Link Aggregation Control Protocol mode.


Values:
ManualLACP is disabled and manual aggregation is performed.
PassiveLACP acts as speak when spoken to, and therefore can
be used as a way of controlling accidental loops (as long as the
other device is in active mode).
ActiveLACP always sends frames along the configured links.
Default: Manual
Note: Regardless of the specified LACP Mode, the actor (the
AppDirector device) acts in Manual mode when LACP is not
active or not supported on the partner device (that is, switch,
router, and so on).

Available Ports

Lists the physical, device ports that you can select for the trunk.

Selected Ports

Lists the physical, device ports selected for the trunk.

Trunk Status

(Read-only)
Values:
IndividualNo port is attached to this trunk.
AggregateAt least one port is attached to this trunk.

Trunk MAC Address

184

(Read-only)

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 102: Trunk Parameters

Parameter

Description
LACP

Timeout

The time that the device waits between LACP control messages
(LACPDUs). If three times the selected timeout elapses without any
new control message, the link-state changes.
Values:
Fast1 second
Slow30 seconds
Default: Fast

Wait Time

The time to wait after link negotiation before starting to send control
messages.
Values: 110
Default: 3

Actor Priority

The priority assigned to this trunk by the Actor (that is, the system
sending the data unit, assigned by management or administration
policy), encoded as an unsigned integer.
Values: 065,535
Default: 32767

System ID

(Read-only) The System Identifier, in MAC address format, which is


used together with the LACP System Priority to uniquely identify the
system (that is, the AppDirector device).
Default: The device MAC address

System Priority

(Read-only) The LACP System Priority together with the LACP System
ID uniquely identify the system.
Values: 1256
Default: 256

Viewing the Port Aggregation Status


You can view the link-aggregation status of each physical, traffic port on the device.

Note: When a port is added into a trunk, it receives the trunk operation status. When a port is
removed from a trunk, it maintains its operational status.

To view the port aggregation status


In the Configuration perspective Networking tab navigation pane, select Link Aggregation >
Ports Aggregation Status.

Note: To select the columns that the Ports Aggregation Status table displays, right-click in
the table heading row and select or clear the check mark next to the relevant
parameters.

Document ID: RDWR-APSV-V0130_UG1205

185

APSolute Vision User Guide


Device Network Configuration

Table 103: Ports Aggregation Status Parameters

Parameter

Description

Port

The physical port index.

Port MAC Address

The MAC address assigned to the port.

Trunk Name

The trunk to which the port is attached.

Operational Status

Values:
Default, Not-In-BundleThe LACP control is off (manual
aggregation), and this port is not bundled in a trunk.
Default, BundledThe LACP control is off (manual aggregation),
and this port is bundled in the specified trunk.
LACP Control, Not-In-BundleThe LACP control is on, but this
port is not bundled in a trunk.
LACP Control, BundledThe LACP control is off (manual
aggregation), and this port is bundled in the specified trunk.

Port Status

Values:
IndividualThe port is not attached to any trunk.
AggregateThe port is attached to a trunk.

Configuring Link Aggregation in AppDirector Versions Prior to 2.30 and Defense Pro

To configure link aggregation


1.

In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Link Aggregation.
You can view the MAC address of each trunk and the ports bound to it in the Link Aggregation
Ports table.

2.

To change a port assignment, double-click the corresponding row.

3.

Configure the port assignment; and then, click OK. When a port is added into a trunk, it receives
the trunk operation status. When a port is removed from a trunk, it maintains its operational
status. When a trunk operational status is set to down, a port removed from the trunk keeps its
down status.

Table 104: Link Aggregation Port Parameters

Parameter

Description

Port

(Read-only) The physical port index.

Port MAC Address

(Read-only) The MAC address assigned to the port.

186

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 104: Link Aggregation Port Parameters

Parameter

Description

Trunk Name

The trunk to which the port is attached.


The values depend on the platform.
Values:
0Specifies unattached.
T1T7The range of values depends on the platform. That is, the
number of trunks that you can configure depends on the device
platform.
T-MNG
Default: 0

Port Status

(Read-only)
Values:
IndividualThe port is not attached to any trunk.
AggregateThe port is attached to a trunk.

Configuring Link Aggregation Hashing for AppDirector Versions Prior to 2.30


This section is relevant only for AppDirector versions prior to 2.30. For AppDirector 2.30 and later,
the parameters are exposed elsewhere. DefensePro does not support this feature.
To provide optimal distribution for different scenarios the load-sharing algorithm allows decisions
based on source or destination (or both) Layer 2 address (MAC), Layer 3 address (IP), and Layer 4
address (TCP/UDP port numbers). You can configure these parameters, which are then used as input
for a link aggregation hashing function.

To configure link aggregation hashing


1. In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Link Aggregation > Link Aggregation Hashing.
2. Configure the parameters; and then, click

Document ID: RDWR-APSV-V0130_UG1205

(Submit) to submit the changes.

187

APSolute Vision User Guide


Device Network Configuration

Table 105: Link Aggregation Hashing Parameters

Parameter

Description

Layer 2 Hash

Specifies if the MAC address is to be used in the traffic distribution


algorithm.
Values:
No HashDo not use the MAC address.
Source MAC AddressUse the source MAC address.
Destination MAC AddressUse the destination MAC address.
Both MAC AddressesUse both the source and destination MAC
addresses.
Default: Both MAC Addresses

Layer 3 Hash

Specifies if the IP address is to be used in the traffic distribution


algorithm.
Values:
No HashDo not the use IP address.
Source IP AddressUse the source IP address.
Destination IP AddressUse the destination IP address.
Both IP AddressesUse both the source and destination IP
addresses.
Default: Both IP Addresses

Layer 4 Hash

Specifies if the application port is to be used in the traffic distribution


algorithm.
Values:
No HashDo not use the application port.
Source L4 PortUse the source application port.
Destination L4 PortUse the destination application port.
Both L4 PortsUse both the source and destination application ports.
Default: Both L4 Ports

Configuring Port Mirroring


Port Mirroring enables the device to duplicate traffic from one physical port on the device to another
physical port on the device. This is useful when an intrusion detection system (IDS) device is
connected to one of the ports on the device. You can choose to mirror either received and
transmitted traffic, received traffic only, or transmitted traffic only. You can also decide whether to
duplicate the received broadcast packets.

Notes:
>> Port mirroring is not supported on devices that run on the OnDemand Switch VL
platform, for example DefensePro x06 models.
>> Port mirroring requires that the input port be configured to Static-Forwarding Process
mode. When the input port is configured to Static-Forwarding Forward mode, traffic is
not mirrored.
>> In Static Forwarding mode, traffic with the same destination MAC address as the device
is not mirrored (rare).

188

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration
To avoid high-bandwidth DoS and DDoS attacks, you can mirror the traffic (that arrives at the
managed device) to a dedicated sniffer port. This allows collecting packet data during an attack and
sending the data to Radwares Security Operation Center (SOC) to develop an attack signature.
DefensePro supports traffic-rate port mirroring also. DefensePro devices can perform traffic-rate
port mirroring when the device is under attack. Traffic-rate port mirroring is based on a specified
traffic threshold. When the threshold value is reached, the DefensePro device starts copying traffic
from the interface to its mirroring output port. The process continues for the specified time, and
then the copying process stops. For example, if you have a single network segment connected
between interfaces 1 and 2, whenever traffic reaches the configured threshold, DefensePro device
copies the traffic arriving on interface #1 to interface #3.

To configure port mirroring in AppDirector


1. In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Port Mirroring.
2. Do one of the following:

To add a pair of ports to mirror traffic, click the

To edit an entry, double-click the row.

(Add) button.

3. Configure the parameters; and then, click OK.


4. Click

(Submit) to submit the changes.

Table 106: AppDirector Port Mirroring Parameters

Parameter

Description

Input Interface

The traffic port.

Output Port

The port for the mirrored traffic.

Traffic to Mirror

The direction of the traffic that the device mirrors.


Values: Transmit and Receive, Receive Only, Transmit Only

Enable Promiscuous
Mode

Values:
EnabledThe device copies all traffic to the specified output port.
DisabledThe device copies only the traffic destined to the input.
Default: Enabled

To configure port mirroring in DefensePro


1. In the Configuration perspective Networking tab navigation pane, select Port Configuration >
Port Mirroring.
2. Do one of the following:

To add a pair of ports to mirror traffic, click the

To edit an entry, double-click the row.

(Add) button.

3. Configure the port mirroring settings; and then, click OK.


4. To configure advanced parameters for port mirroring, in the navigation pane, select
Port Mirroring > Advanced Parameters.

Document ID: RDWR-APSV-V0130_UG1205

189

APSolute Vision User Guide


Device Network Configuration
5.

Configure the advanced parameters; and then, click

(Submit) to submit the changes.

Table 107: DefensePro Port Mirroring Parameters

Parameter

Description

Input Interface

The traffic port.

Output Port

The port for the mirrored traffic.

Traffic to Mirror

The direction of the traffic that the device mirrors.


Values: Transmit and Receive, Receive Only, Transmit Only

Enable Promiscuous
Mode

Values:
EnabledThe device copies all traffic to the specified output port.
DisabledThe device copies only the traffic destined to the input.
Default: Enabled

Backup Port

The backup port for the mirrored traffic.

Mode

The mode of port mirroring.


Values: Enabled, Traffic Rate

Threshold

The number of threshold units (PPS/Kbps) that can pass through the
specified input port (Input Interface) before the mirroring process starts.

Note: The Threshold Units parameter and the Threshold Interval parameter are defined
globally for each device and not for each pair of ports.

Table 108: DefensePro Port Mirroring Advanced Parameters

Parameter

Description

Traffic Threshold Units The units in which the threshold is measured.


Values:
PPSPackets per second
KbpsKilobits per second
Threshold Interval

How long, in seconds, mirroring continues after the traffic rate falls below
the specified threshold.
Default: 30

Reset Traffic Rate

Click to set the device to record the traffic that exceeds the predefined limit
within a new Threshold Interval.

Configuring AppDirector Redundancy


Radware recommends installing AppDirector devices in pairs to provide fault tolerance in the case of
a single device failure. Each pair of AppDirector devices can function in an active-backup setup or
active-active setup.

190

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration
To achieve redundancy between pairs of AppDirector devices, the following methods are supported:

VRRPWorking with Virtual Router Redundancy Protocol enables dynamic redundancy to be


maintained using a logical entity called a virtual router. (VRRP was initially developed to provide
high availability for routers, hence the name virtual router. However, this protocol can be
supported by a wide range of devices that are not routers. As it is not a routing protocol, it does
not advertise IP routes or affect the routing table in any way). With VRRP, IP addresses are
associated with the Virtual MAC addresses that are owned by the main device, and are taken
over by the backup device at fail-over time.

Proprietary ARP (available only in AppDirector versions prior to 2.30)Working with Address
Resolution Protocol enables monitoring of the other device in a pair and checking its availability.
Using Proprietary ARP redundancy, at the failover time, the IP addresses of the main device are
managed by the backup device and are associated with the backup devices MAC address.

Notes:
>> Before starting a redundancy configuration, the role of each AppDirector must be set via
the relevant CLI command. For more information, see the AppDirector CLI Reference
Guide.
>> When managing an AppDirector cluster with APSolute Vision, if both devices are
connected using SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.
Configure redundancy by performing the following tasks:
1. Configuring AppDirector Redundancy Global Settings, page 191
2. Configuring VRRP, page 195 or Configuring Proprietary Redundancy, page 204 (Proprietary
Redundancy is available only in AppDirector versions prior to 2.30)
3. Configuring Mirroring for Redundancy, page 205

Note: Radware recommends using VRRP for AppDirector redundancy.


For VRRP configuration guidelines, see Configuration Guidelines for AppDirector Redundancy Using
VRRP, page 200.
For more information about supported AppDirector networking configurations for redundancy, see
the AppDirector User Guide.

Configuring AppDirector Redundancy Global Settings


Radware recommends that you configure more than one AppDirector device on a network so that
they back up one another. Before you configure VRRP or Proprietary redundancy, configure
redundancy global settings, and selective interface grouping, if required. You can copy this
configuration to the backup device by downloading the configuration and then uploading it to the
backup device.

Document ID: RDWR-APSV-V0130_UG1205

191

APSolute Vision User Guide


Device Network Configuration

To configure redundancy global settings


1.

In the Configuration perspective Networking tab navigation pane, select Redundancy > Global
Settings.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Note: To configure selective interface grouping, in the Configuration perspective Networking


tab navigation pane, in the navigation pane, select Redundancy > Global Settings >
Selective Interface Grouping. For more information, see Configuring Selective
Interface Grouping, page 194.

Table 109: Redundancy Global Parameters

Parameter

Description

IP Redundancy Admin
Status

The method used to achieve redundancy between pairs of AppDirector


devices.
Values:
DisabledNo redundancy method is enabled.
ProprietaryWorking with Address Resolution Protocol (ARP)
enables monitoring of the other device in a pair and checking its
availability. Using Proprietary ARP redundancy, at failover, the IP
addresses of the main device are managed by the backup device
and are associated with the backup devices MAC address.
VRRPWorking with Virtual Router Redundancy Protocol enables
dynamic redundancy to be maintained using a logical entity called
a virtual router. (VRRP was initially developed to provide high
availability for routers, hence the name virtual router.)
Default: Disabled

Interface Grouping

Ensures that if one port fails, the others are also taken down. When it
is enabled, the backup device takes over only when all the interfaces
of the main device are down.
To configure interface grouping for specified ports only, enable this
option and configure selective interface grouping to define which
interfaces activate Interface Grouping when a port fails.

ARP with Interface


Grouping

Specifies whether the device can send ARP requests while the
interface grouping is active.
Values: Send, Avoid
Default: Send

192

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 109: Redundancy Global Parameters

Parameter

Description

Backup Device in VLAN

When AppDirector is installed in a bridge configuration, this parameter


determines how the device behaves when its redundancy state is set
to backup.
Values:
Forward TrafficForward all traffic. This is the default value, but it
should be used only when the device is in a routing configuration.
Block BroadcastWhen the device is in backup state broadcast
traffic is blocked in order to prevent loops.
Block AllWhen the device is in backup state, all traffic is blocked
in order to prevent loops. This cannot be used in a fully redundant
network configuration.
Default: Forward Traffic

Backup Fake ARP

When enabled, the backup device can perform a fake ARP.

(This parameter is not


available in AppDirector
2.30 and later.)

In networks with Layer 3 switches, the Fake ARP will confuse the
switch during the redundancy process. In this case, disable this
option.

Backup Interface Grouping When enabled, the backup device takes over only when the IP
interfaces defined in its Redundancy Table fail. Respectively, it will
release those interfaces only when all the main devices interfaces are
up.
VRRP Advertise Interval

The interval, in milliseconds, at which the main device sends


messages to the backup to notify that it is active. Use this setting for
advertise intervals of less than one second.
Values:
0Specifies that the Advertisements are sent according to the
Advertise interval per VR.
10025,000
Default: 0
Note: If this setting is greater than 0, it overrides the Advertise
interval per VR.

VRRP Automated
Configuration Updates

AppDirector can automatically add a new Virtual IP configured on the


device to the VRRP Associated IP Addresses table.
When this option is enabled and a Layer 4 policy is configured that
uses a new Virtual IP, this IP is automatically associated with the VRID
defined for the AppDirector interface that belongs to the same subnet
as the Virtual IP. Messages are sent to the device log announcing that
a Virtual IP was automatically associated to a specific VRID and
interface.
Default: Disabled

Document ID: RDWR-APSV-V0130_UG1205

193

APSolute Vision User Guide


Device Network Configuration

Table 109: Redundancy Global Parameters

Parameter

Description

Force Down Ports Time

The time, in seconds, for which the port must be down.


When enabled, the value that should be used depends on how long it
takes the switch to clear its MAC tables.
Values:
0The feature is disabled.
560

Failure Action

Specifies when Proxy-related failures induce failover in an activebackup configuration.


Values:
Acceleration Engine FailAcceleration engine failure.
SSL or Acceleration Engine FailSSL accelerator or Acceleration
engine failure.
Compression or Acceleration Engine FailHardware Compression
Card or Acceleration engine failure.
SSL or Compression or Acceleration Engine FailSSL Accelerator,
Hardware Compression Card or Acceleration engine failure.
IgnoreIgnore failures and do not perform failover.

Configuring Selective Interface Grouping


In AppDirector redundant installations, main and redundant AppDirector devices can have separate
interfaces solely for management purposes and not for handling the traffic. When one of the
management ports is down and Interface Grouping is enabled, the backup device takes over. To
avoid this, you can define which interfaces activate Interface Grouping when the management port
is down.

Notes:
>> When a grouped port that has an IP address assigned to it, but no VRID, is
disconnected, it does not initiate failover.
>> When a non-grouped port that has an IP address and a VRID assigned to it is
disconnected, it will still initiate a failover.

To configure selective interface grouping


1.

In the Configuration perspective Networking tab navigation pane, select Redundancy > Global
Settings > Selective Interface Grouping.
The table displays the list of interfaces for which virtual routers (VRs) are defined, and whether
each interface is grouped, meaning whether it initiates interface grouping if the management
port is down.

2.

To change the interface grouping setting for an interface, double-click the row.

3.

Select or clear the Grouped check box, and click OK.

194

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 110: Port Grouping Parameters

Parameter

Description

Port

(Read-only) The port name.

Grouped

When selected, the port can initiate interface grouping.

Configuring VRRP
The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in the
static default routed environment. VRRP specifies an election protocol that dynamically assigns
responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling
the IP addresses associated with a virtual router is called the Master, and forwards packets sent to
these IP addresses. The election process provides dynamic fail-over in the forwarding responsibility
should the Master become unavailable. Any of the virtual routers IP addresses on a LAN can then be
used as the default first hops router by end-hosts.
To achieve redundancy between pairs of devices, Radware recommends using VRRP. VRRP enables
you to maintain dynamic redundancy using a logical entity called virtual router (VRRP was initially
developed to provide high availability for routers).
A virtual router (VR), has a Virtual Router Identifier (VRID) with one or more associated IP
addresses. Each VR has a VRMAC, which is a MAC address associated with the VR. This saves the
need for a MAC address update in case of a failover. The VRMAC address is determined by the VRID
and does not need to be configured manually.
The same VR needs to be configured on multiple devices to achieve redundancy between them for
the VR. Each device has a priority for a VR, and the main device for the VR is the device with the
highest priority. Using VRRP, the main device constantly sends advertisements to other VRRP
devices to indicate that it is online. When the advertisements stop, the main device is assumed to be
inactive. A new main device is then selected for this VR; that is, the device with the next highest
priority for that VR. However this protocol can be supported by a wide range of devices that are not
routers. As it is not a routing protocol, it does not advertise IP routes or affect the routing table in
any way. With VRRP, IP Addresses are associated with the Virtual MAC Addresses that are owned by
the main device, and are taken over by the backup device at failover time.
With VRRP, redundant AppDirector devices can synchronize their configurations. For more
information, see Online Configuration Synchronization, page 206.

To configure VRRP for redundancy


1. In the Configuration perspective Networking tab navigation pane, select Redundancy > VRRP.
2. From the VRRP Admin Status drop-down list, select the required option:

All DownSets the status of all VRs to Down, which shuts down the main device.

All UpSets the status of all VRs to Up, so that the main AppDirector device is immediately
activated and takes control from the backup device.

No ChangeMakes no change to the status of the VRs.

Default: No Change

Note: The VRRP Admin Status parameter is available only in AppDirector 2.14.03 and later.

Document ID: RDWR-APSV-V0130_UG1205

195

APSolute Vision User Guide


Device Network Configuration
3.

Do one of the following:

To add an entry in AppDirector 2.30 and later, click the


the option for the IP version that you require.

(Add) button; and then, choose

To add an entry in AppDirector versions prior to 2.30, click the

To edit an entry, double-click the entry in the table.

(Add) button.

4.

Configure the parameters; and then, click OK.

5.

To configure associated IP addresses, in the navigation pane, select Redundancy > VRRP >
Associated IPs.
For more information, see Configuring Associated IPs for VRRP, page 199.

Table 111: VRRP Router Parameters in AppDirector 2.30 and Later

Parameter

Description

IP Version

(Read-only) Specifies IPv4 or IPv6.

VR ID

The virtual routers identification number. This number must be unique on


the network.
Values: 1255

Port

The identifier of the physical port on the device.

Admin Status

When enabled, VRRP is activated for this port.

Priority

You must assign the highest priority (255) to the VR that is associated with
the physical IP address of the device.
Values: 1255
Default: 100
Notes:
>> When two devices are configured with VRRP and the master device
has a priority of 255 set for its virtual routers, shutting down all
virtual routers causes the backup state to move to master but
causes the client connections to cease. This is because when Virtual
Routers go down, the port does not go down. The port will continue
functioning, and as soon as the virtual router goes down, the port
will broadcast its MAC as the owner of the device interface IP. It will
continue sending health checks with source IP and interface IP and
ARPs for IPs on the directly connected networks.
>> These ARPs will poison the ARP cache of all machines on this
network, and they will record the interface MAC of the main box as
the holder of the interface IP that the backup device tried to take
over via VRRP.
>> Therefore, all traffic sent to the main device interface IP as a
gateway (reply traffic from the servers) reaches the main device
and is routed straight to the default gateway of the device. This is
not where this traffic should be heading because traffic sent to a
VIP which was taken over by the backup device (the main device
will not fix the IP headers) will route the packet as it stands which
will break the session.
>> When you do not use VR priority of 255 on the main device, you
cannot place its interface IP in the associated IP table. This means
that the default gateway will be a different IP which has no
problems being poisoned but with the interface activities of the
main device.

196

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 111: VRRP Router Parameters in AppDirector 2.30 and Later

Parameter

Description

Primary IP

This is used internally only, as the source IP of VRRP messages sent by the
device. It is recommended to use virtual IP interfaces. For more information
about using virtual IP interfaces for VRRP, see the AppDirector User Guide.
It is recommended to leave the default, which is the IP interface defined on
this port.

Advertise Interval

The interval, in centiseconds, at which advertisements are sent for this VR.
This setting overrides the default global parameter.
Default: 100

Preempt Mode

When a device with a certain priority fails, the device with the next highest
priority takes control of the VR. Preemption Mode defines takeover
procedure for the VR when the device with the higher priority resumes
functioning.
Values:
EnabledThe higher priority device takes over the VR.
DisabledThe device with lower priority maintains control of the VR.
This is only applicable when two or more devices share a VR.
Notes:
>> All defined VRs must have the same Preemption Mode setting
except for the router owning the IP address associated with the VR.
>> The router owning the IP address associated with the VR always
preempts independently of Preemption Mode setting.

Preferred State

The preferred state of the virtual router. This field affects the configuration
of the parallel VRRP entry on the peer device.
Values:
BackupThe peers VRRP entry should have a higher priority.
MasterThe peers VRRP entry should have a lower priority.
Default: Master

Table 112: VRRP Router Parameters in AppDirector Versions Prior to 2.30

Parameter

Description

Port

The identifier of the port on the device.

VR ID

Virtual routers identification number. This number must be unique on the


network.
Values: 1255

Enabled

When enabled, VRRP is activated for this port.

Document ID: RDWR-APSV-V0130_UG1205

197

APSolute Vision User Guide


Device Network Configuration

Table 112: VRRP Router Parameters in AppDirector Versions Prior to 2.30

Parameter

Description

Priority

You must assign the highest priority (255) to the VR that is associated with
the devices physical IP address (that is, the IP address that the device
owns).
Values: 1255
Default: 100
Notes:
>> When two devices are configured with VRRP and the master device
has a priority of 255 set for its virtual routers, shutting down all
virtual routers causes the backup state to move to master but
causes the client connections to cease. This is because when
Virtual Routers go down, the port does not go down. The port will
continue functioning, and as soon as the virtual router goes down,
the port will broadcast its MAC as the owner of the device interface
IP. It will continue sending health checks with source IP and
interface IP and ARPs for IPs on the directly connected networks.
>> These ARPs will poison the ARP cache of all machines on this
network, and they will record the interface MAC of the main box as
the holder of the interface IP that the backup device tried to take
over via VRRP.
>> Therefore, all traffic sent to the main device interface IP as a
gateway (reply traffic from the servers) reaches the main device
and is routed straight to the default gateway of the device. This is
not where this traffic should be heading because traffic sent to a
VIP which was taken over by the backup device (the main device
will not fix the IP headers) will route the packet as it stands which
will break the session.
>> When you do not use VR priority of 255 on the main device, you
cannot place its interface IP in the associated IP table. This means
that the default gateway will be a different IP which has no
problems being poisoned but with the interface activities of the
main device.

Primary IP

This is used internally only, as the source IP of VRRP messages sent by the
device. It is recommended to use virtual IP interfaces. For more
information about using virtual IP interfaces for VRRP, see the AppDirector
User Guide.
It is recommended to leave the default, which is the IP interface defined
on this port.

Authentication Type

The type of authentication.


Values: Simple Password, No Authentication
Default: No Authentication

Authentication Key

198

A password up to eight characters. This is required only when an


authentication type is specified.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 112: VRRP Router Parameters in AppDirector Versions Prior to 2.30

Parameter

Description

Enable Preemption
Mode

When a device with a certain priority fails, the device with the next highest
priority takes control of the VR. Preemption Mode defines takeover
procedure for the VR when the device with the higher priority resumes
functioning.
Values:
EnabledThe higher priority device takes over the VR.
DisabledThe device with lower priority maintains control of the VR.
This is only applicable when two or more devices share a VR.
Notes:
>> All defined VRs must have the same Preemption Mode setting
except for the router owning the IP address associated with the
VR.
>> The router owning the IP address associated with the VR always
preempts independently of Preemption Mode setting.

Advertise Interval

The interval, in seconds, at which advertisements are sent for this VR. This
setting overrides the default global parameter.
Default: 1

Configuring Associated IPs for VRRP


The Virtual Router Redundancy Protocol (VRRP) eliminates the single point of failure inherent in the
static default routed environment. VRRP specifies an election protocol that dynamically assigns
responsibility for a virtual router to one of the VRRP routers on a LAN. The VRRP router controlling
the IP addresses associated with a virtual router is called the Master, and forwards packets sent to
these IP addresses. The election process provides dynamic failover in the forwarding responsibility
should the Master become unavailable. Any of the virtual routers IP addresses on a LAN can then be
used as the default first hops router by end-hosts.

To configure associated IPs for VRRP


1. In the Configuration perspective Networking tab navigation pane, select Redundancy > VRRP
> Associated IPs.
2. Select the VRID for which to add an associated IP, and click Go. The table displays associated
IPs for the selected VRID.
3. Do one of the following:

To add an associated IP, click the

(Add) button.

To edit an entry, double-click the entry.

4. Enter the associated IP address and click OK.

Table 113: Associated IP Parameters

Parameter

Description

VR ID

(Read-only) The virtual routers identification number.

Associated IP Address

The IP address of the associated IP.

Document ID: RDWR-APSV-V0130_UG1205

199

APSolute Vision User Guide


Device Network Configuration

Configuration Guidelines for AppDirector Redundancy Using VRRP


The configuration needed in redundant environments depends on the following factors:

Redundancy configuration: Active-Backup or Active-Active

Network configuration: Routing or Bridging

VRRP Preemption state: enabled or disabled

Note: A fully redundant network environment affects only the required inter-AppDirector
connectivity and Layer 2 configuration. All other redundancy configuration parameters
are affected by the factors mentioned above.
These guidelines are for redundancy configurations using VRRP for the following scenarios:

Active-Backup Routing Configuration, page 200

Active-Active Routing Configuration, page 201

Example Active-Backup Bridging Configuration, page 203

Active-Backup Routing Configuration


In an Active-Backup configuration, the main AppDirector device is configured with the main Virtual
IP addresses. This device performs the regular AppDirector operations, handling all the inbound
sessions to the Virtual IP addresses and distributing traffic among the servers in the farm linked to
the Virtual IP address (via Layer 4 Policy).
The backup AppDirector device is configured with identical Virtual IP addresses that contain the
exact same Layer 4 Policies, servers and farm settings. This device acts as a hot standby and does
not perform load balancing as long as the main device is active. When the backup AppDirector
detects that the main AppDirector has failed, the backup device takes over the IP addresses of its
primary partner, informing all devices on the network that the backup device is now responsible for
the services of the main device.
When the main device is back online, the backup device releases the services if VRRP preemption is
enabled (default) or if a proprietary redundancy protocol is used. If VRRP preemption is disabled,
the backup device will remain active as long as it is online.

Table 114: Example Active-Backup Configuration

Parameters
Global Parameters

200

Main

Backup

IP Redundancy Admin
Status

VRRP

Same as main

Interface Grouping

Enable

Same as main

Backup Interface
Grouping

Enable

Same as main

Backup Device in VLAN N/Ruse default

Same as main

Force Down Port Time

Same as main

N/Ruse default

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 114: Example Active-Backup Configuration

Parameters
VRID Internet Side

VRID

Main

Backup

Same as main

If Index

Same as main

Primary IP

100.1.1.10

Same as main

Priority

200

100

Preempt Mode

Same for all VRIDs

Same as main

Associated IPs

100.1.1.100,

Same as main

100.1.1.10
Outbound NAT
addresses, if relevant
VRID Server Side

VRID

Same as main

Port

Same as main

Primary IP

20.1.1.10

Same as main

Priority

200

100

Preempt Mode

Same for all VRIDs

Same as main

Associated IPs

20.1.1.10

Same as main

Client NAT addresses, if


relevant
Mirroring

Mirroring Status

Disabled (if
preemption is
enabled)

Enabled

Enabled (if
preemption is
disabled)
Mirror Device IP

1.1.1.12

Default

Mirrored Tables

Client Table

Same as main

Session ID Table
Proximity and DNS
Persistency for
geographically
distributed solution

Active-Active Routing Configuration


AppDirector devices can be configured to function in an Active-Active mode where each AppDirector
is the primary provider of some services and a backup for the services provided by the other
AppDirector in the pair. In this case, both devices are set up as the main AppDirector for one or
more Virtual IPs and as backup AppDirector for the Virtual IPs for which the other unit is the main.
When one device fails, the other continues to handle traffic to its own Virtual IPs while assuming
responsibility for the backup devices Virtual IPs.

Note: Using the Active-Active setup, each server can provide service to Virtual IPs that are
active on one device. A server cannot provide service to multiple Virtual IPs where one
Virtual IP is active on one device, while another Virtual IP is active on another device.

Document ID: RDWR-APSV-V0130_UG1205

201

APSolute Vision User Guide


Device Network Configuration

Table 115: Example Active-Active Routing Configuration

Parameters
Global Parameters

VRID Internet Side


for VIP active in
AppDirector 1

AppDirector 1

AppDirector 2

IP Redundancy Admin
Status

VRRP

Same as AppDirector 1

Interface Grouping

Enable

Same as AppDirector 1

Backup Interface
Grouping

Enable

Same as AppDirector 1

Backup Device in VLAN N/Ruse default

Same as main

Force Down Port Time

N/Ruse default

Same as main

VRID

Same as AppDirector 1

Port

G1

Same as AppDirector 1

Primary IP

100.1.1.10

Same as AppDirector 1

Priority

200

100

Preempt Mode

Same for all VRIDs

Same as AppDirector 1

Associated IPs

100.1.1.100,

Same as AppDirector 1

100.1.1.10
Outbound NAT
addresses (if relevant)
VRID Internet Side
for VIP active in
AppDirector 2

VRID

Same as AppDirector 1

Port

G1

Same as AppDirector 1

Primary IP

200.1.1.10

Same as AppDirector 1

Priority

100

200

Preempt Mode

Same for all VRIDs

Same as AppDirector 1

Associated IPs

200.1.1.100,

Same as AppDirector 1

200.1.1.10
Outbound NAT
addresses (if relevant)
VRID Server Side for
VIP active in
AppDirector 1

VRID

Same as AppDirector 1

Port

Same as AppDirector 1

Primary IP

20.1.1.10

Same as AppDirector 1

Priority

200

100

Preempt Mode

Same for all VRIDs

Same as AppDirector 1

Associated IPs

20.1.1.10

Same as AppDirector 1

Client NAT addresses (if


relevant)

202

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 115: Example Active-Active Routing Configuration

Parameters
VRID Server Side for
VIP active in
AppDirector 2

AppDirector 1

AppDirector 2

VRID

Same as AppDirector 1

Port

Same as AppDirector 1

Primary IP

30.1.1.10

Same as AppDirector 1

Priority

100

200

Preempt Mode

Same for all VRIDs

Same as AppDirector 1

Associated IPs

30.1.1.10

Same as AppDirector 1

Client NAT addresses (if


relevant)
Mirroring

Mirroring Status

Disabled (if
preemption is
enabled).

Enabled

Enabled (if
preemption is
disabled).
Mirror Device IP

1.1.1.12

Default

Mirrored Tables

Client Table

Same as AppDirector 1

Session ID Table
Proximity and DNS
Persistency for
geographically
distributed solution

Example Active-Backup Bridging Configuration


Parameters
Global Parameters

VRID

Main

Backup

IP Redundancy Admin
Status

VRRP

Same as main

Interface Grouping

Enable

Same as main

Backup Interface
Grouping

Enable

Same as main

Backup in VLAN

Enable

Same as main

Force Port Down

Enable

Same as main

VRID

Same as main

Port

100001

Same as main

Primary IP

100.1.1.10

Same as main

Priority

200

100

Preempt Mode

Same for all VRIDs

Same as main

Associated IPs

100.1.1.100,

Same as main

100.1.1.10

Document ID: RDWR-APSV-V0130_UG1205

203

APSolute Vision User Guide


Device Network Configuration

Parameters
Mirroring

Mirroring Status

Main

Backup

Disabled (if
preemption is
enabled).

Enabled

Enabled (if
preemption is
disabled).
Mirror Device IP

1.1.1.12

Default

Mirrored Tables

Client Table

Same as main

Session ID Table

Configuring Proprietary Redundancy


This feature is available only in AppDirector versions prior to 2.30.
The Radware Proprietary redundancy mechanism uses Address Resolution Protocol (ARP) to ensure
that the backup AppDirector device is available and that the network connections between the main
and backup devices are up and that failover is achieved when the main device fails.
The backup device manages the polling process by continuously polling the main device, using the
ARP protocol. If the main device fails, the teaching process is realized when the backup device sends
broadcast ARPs informing its network neighbors that the IP addresses of the main device are now
associated with its own MAC addresses. This ensures that all traffic destined to the IP addresses of
the main device arrives to the backup device.
In Proprietary redundancy configurations, both AppDirector devices, the main and the backup, must
be defined to work with virtual and physical addresses. The virtual IP addresses are defined on the
backup AppDirector in the same manner as on the main AppDirector and the main device makes
sure that the backup AppDirector supports virtual addresses. Different physical IP addresses are
used for the main and backup devices, and an additional configuration is required on the redundant
AppDirector to support backup for the physical IP addresses of the main device.

Note: To allow the backup device to poll the main device, it must be aware of the main device
IP interfaces that its IP interfaces are backing up.

To configure proprietary redundancy


1.

In the Configuration perspective Networking tab navigation pane, select Redundancy >
Proprietary.

2.

Do one of the following:


To add an IP redundancy, click the

(Add) button.

To edit an entry, double-click the entry.


3.

Configure IP redundancy parameters and click OK.

204

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 116: IP Redundancy Parameters

Parameter

Description

Interface IP Address

The IP address of the backup interface.

Main Router Address

IP address on the main AppDirector interface, which this AppDirector is


backing up.

Poll Interval

Polling interval, in seconds, for the main AppDirector interfaces. If the


interval is 0, the AppDirector is not polled.

Time Out

Interval, in seconds, during which the AppDirector must respond. If the


main AppDirector does not respond within this interval, it is considered
inoperative. If Time Out is 0, the backup AppDirector ignores the row.

Configuring Mirroring for Redundancy


Stateful failover, also known as mirroring, allows a backup device to take over when a main device
fails, without dropping existing sessions or breaking persistency. Stateful failover is provided by
mirroring the content of the tables that define a session.
For effective and reliable mirroring, you must do the following:

Provide a direct connection between the two devices. It is recommended to use a trunk (link
aggregation).

Configure an IP interface on each device for the direct connection port and address used as the
Mirroring Device Address for the other device.

Exclude the physical port used for inter-device communication from Interface grouping.

Mirroring can handle long and short sessions and support HTTP traffic.
The following can be mirrored:

Client table (FTP, HTTP, and NATall types)

Session ID Table

Dynamic DNS Persistency Table

Proximity table (AppDirector global load balancing license only)

Notes:
>> Mirroring is not supported when delayed binding is used with Layer 7 Persistent
Switching Mode and configured to either overwrite or maintain.
>> Mirroring is supported for the Layer 7 Persistent Switching Mode named First.
>> When setting up Mirroring, Radware recommends using the same AppDirector software
version for the main and backup devices.
>> Setting up Mirroring affects the general device performance.
>> Radware recommends that mirroring is used for Stateful Failover with the VRRP
redundancy mechanism.

Document ID: RDWR-APSV-V0130_UG1205

205

APSolute Vision User Guide


Device Network Configuration

To configure mirroring for redundancy


1.

In the Configuration perspective Networking tab navigation pane, select Redundancy >
Mirroring.

2.

Configure the parameters; and then, click

(Submit) to submit the changes.

Table 117: Mirroring Parameters

Parameter

Description
Main Device Mirroring Parameters

Proximity Table Mirroring


(AppDirector global load
balancing license only)

Enables Proximity Table Mirroring.


Default: Disabled

Dynamic DNS Persistency Enables Dynamic DNS Persistency Table Mirroring (AppDirector Global
Table Mirroring
Only).
Default: Disabled
Client Table Mirroring

Enables Client table MirroringFTP, HTTP, and all types of NAT.


Default: Disabled

Session Id Table Mirroring Enables ID Table Mirroring.


Default: Disabled

Backup Device Mirroring Parameters


Mirroring Status

Enables backup device mirroring.


Default: Disabled

Mirror Device IP Address

IP address of the device to mirror from.

Online Configuration Synchronization


This feature is available in AppDirector 2.14 and later.
The Online Configuration Synchronization feature is relevant only for redundant VRRP
configurations.
In a redundant configuration, the peer devices require consistent configuration. To ensure that the
configuration is synchronized between a pair of redundant devices, you can use the Online
Configuration Synchronization feature to avoid the tedious and error-prone manual process.

Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.

206

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Device RolesMaster and Slave


Online Configuration Synchronization operates in a master/slave mode.
You set the device role, Master or Slave, manually. You set the main device (the device with the
higher specified priority) as master. The device role never changes dynamically, in contrast to the
VRRP mechanism, where the main device can fail over to the backup devicethat is, the backup
device becomes the active device. The specified device role Online Configuration Synchronization
roles are independent of the devices redundancy operation mode (active or backup).
You configure the master device only. You cannot configure the slave device. The master device
automatically updates the configuration on the slave device with all configuration changes.
The redundancy configuration is updated on the master device according to the recommended
configuration in Configuration Guidelines for AppDirector Redundancy Using VRRP, page 200.
After a configuration change that requires a reboot, the Online Configuration Synchronization
mechanism queries VRRP status when it reboots a slave device. If the slave is the VRRP active
device, reboot is suppressed to avoid unnecessary failover that will cause connection disruption. The
master will wait for the VRRP role to switch over and only then issue the reboot command.
With the exception of a few parameters, as long as Online Configuration Synchronization is enabled,
you cannot configure parameters on the slave device.
Online Configuration Synchronization does not synchronize the following parameters, and you can
configure them on both master and slave devices even when Online Configuration Synchronization is
enabled:

Device Name

VRRP Global Admin Status

OSPF Router ID

Layer 2 Interface parameters

Online Configuration Synchronization does not synchronize the following actions, and you can
perform them on both master and slave devices even when Online Configuration Synchronization is
enabled:

Software upgrade on the slave device

License upgrade on the slave device

Reset statistics

Clear table (for example, Client table and other tables)

Non-configuration commands (such as ping, telnet, and so on)

Troubleshooting operations (for example, filter Client table view, configure diagnostics, and
retrieve a support file)

CLI terminal configuration

Reset Slave Device


When the changes performed on the configuration require device reboot to become active or when
full synchronization is performed, it is necessary to reboot the slave device.
To avoid unnecessary failover from forwarded connection disruption, if the slave device is the VRRP
active device, the master device will not reboot the slave device. Full synchronization is required and
the configuration synchronization is suspended until VRRP control returns to the master of
configuration, and only then will full synchronization occur.
You can override this behavior by selecting Allow Active Slave Reboot checkbox. When the Allow
Active Slave Reboot checkbox is selected, the configuration master disregards the VRRP status
and reboots the slave device whenever the configuration synchronization requires.
For configuration changes requiring a reboot (such as table-size tuning), the master device will
update the slave device with the configuration change like any other change, but will not reboot the
slave immediately. Instead, the master device will wait until it is rebooted itself, because until then,

Document ID: RDWR-APSV-V0130_UG1205

207

APSolute Vision User Guide


Device Network Configuration
the configuration change will not have taken effect in either device, and the configurations are still
synchronized. When the master device comes online after rebooting, a self-check will show that it
has a more updated configuration (due to the reboot) and a full synchronization will occur.
If you make a configuration change that requires reboot, and the slave device was rebooted for any
reason (manually, due to crash or due to full synchronization after connection loss), before the
master device was rebooted, the slave device will now have a more updated configuration than the
master. This is the only case where this occurs.

Monitoring Online Configuration Synchronization


You can monitor the operation of the Online Configuration Synchronization featurefor both master
and slave devices. For more information, see the APSolute Vision online help.

Online Configuration Synchronization Criteria


When you configure Online Configuration Synchronization, the master device checks the that
following conditions are met:

The master device and the master device use the same hardware platform and have the same
memory size.

The master device and the master device have the same licensed features.

Note: License upgrade must be done manually on both the master and slave device, since
each license is associated with a specific machine.

The master device and the master device have the same software version.

Note: Any software upgrade must be performed manually on each device. During the
software upgrade, Online Configuration Synchronization must be disabled.

Parallel ports connected to the same subnets and the same IP addresses match crosswise.

There is at least one matching IP interface (with the same subnet and same interface) on the
master and slave devices.

Example
MasterIP: 1.1.1.1, Subnetmask: 255.0.0.0, Port: G-1, PeerAddress: 1.1.1.2
SlaveIP: 1.1.1.2, Subnetmask: 255.0.0.0, Port: G-1, PeerAddress: 1.1.1.1
In addition, you must ensure that parallel ports connected to the same subnets and the same IP
addresses match crosswise.

208

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Configuring Online Configuration Synchronization


This feature is available in AppDirector 2.14 and later.
Configuring Online Configuration Synchronization involves the following steps:
1. On the slave device, set the Device Role to Slave and configure a new value for the
Synchronization Session Password. For security purposes, the initial password is randomly
generated.
2. On the master device, set the Device Role to Master and configure the Synchronization Session
Password with the same value used on the slave device. In a few seconds, the devices will start
to synchronize with each other. This process triggers a reboot of the slave device.
3. When the slave device finishes rebooting, the devices finish the synchronization process and
their configuration will match.
4. Each subsequent configuration change that is made on the master device is synchronized on the
slave device.

Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.
>> For each IP interface configured on the master device, a Peer IP address must be
configured. This IP address is used as the IP interface on the slave device.
>> You can monitor synchronization state on the master device. The state should show InSync. For more information, see the APSolute Vision online help.
>> If a configuration change requires a reboot, the change will take effect on the slave
device only after you reboot the master device. (The master device automatically
reboots the slave device.)

To configure Online Configuration Synchronization


1. In the Configuration perspective Networking tab navigation pane, select Redundancy >
Configuration Synchronization.
2. Configure the parameters; and then, click

Document ID: RDWR-APSV-V0130_UG1205

(Submit) to submit the changes.

209

APSolute Vision User Guide


Device Network Configuration

Table 118: Configuration Synchronization Parameters in AppDirector 2.14.03 and Later

Parameter

Description

Device Role

The role the device plays in the Online Configuration


Synchronization mechanism.
Values:
DisabledThe device does not participate in Online
Configuration Synchronization mechanism.
MasterOnly this device is configurable, and it
synchronizes its configuration with that of the slave device.
SlaveThis device receives its configuration from the
master device. only certain changes can be made on the
slave device. For more information, see Device Roles
Master and Slave, page 207.
Default: None

Synchronization Session
Password

The password used to establish an SSH session between the


master and slave devices.
The same value must be configured on both devices.

Verify Synchronization Session


Password

The password used to establish an SSH session between the


master and slave devices.
The same value must be configured on both devices.

Allow Active Slave Reboot

Specifies whether the device reboots the slave device when


configuration changes require reboot and the slave device is
currently the active (not the backup) device.
Default: Disabled
Note: For more information, see Reset Slave Device,
page 207.

Connection Preference

The IP interface through which configuration-synchronization


communication with the peer device is established.
Values:
AnyThe device tries to establish connectivity via any of
the device IP interfaces.
Any MNG IPThe device tries to establish connectivity via
any of the device IP interfaces configured on dedicated
management (MNG) ports.
Specific device IP interfacesSelect a specific device IP
interface for configuration synchronization communication.
Only IP interfaces for which a Peer IP Address is configured
are eligible.
Default: Any
Note: If the value changes during the configurationsynchronization communication, you must run the
Reconnect Slave command, which will cause the
devices to connect via the new preferred interface.

210

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 118: Configuration Synchronization Parameters in AppDirector 2.14.03 and Later

Parameter

Description

Alternate Connection Preference

The IP interface through which configuration-synchronization


communication with the peer device is established in case the IP
interface specified for the Connection Preference parameter is
not available.
Values:
NoneNo alternate connection.
AnyThe device tries to establish connectivity via any of
the device IP interfaces.
Any MNG IPThe device tries to establish connectivity via
any of the device IP interfaces configured on dedicated
management (MNG) ports.
Specific device IP interfacesOnly IP interfaces for which a
Peer IP Address is configured are eligible.
Default: None

Reconnect Slave
(This option button is available
only in AppDirector 2.14.03.)

Reconnects to the slave device with the current Connection


Preference.

Peer Connectivity Timers


Keep Alive Interval (Master Only) The interval, in seconds, at which the device sends keep-alive
messages to the slave device.
Values: 5600
Default: 120
Slave Response Timeout (Master The time, in seconds, after the slave device has not responded
Only)
that the master device considers the slave device disconnected.
Values: 1600
Default: 20
Slave Connect Interval (Master
Only)

The interval, in seconds, at which the device attempts to reestablish a connection with a slave device that is not responding.
Values: 1600
Default: 15

Slave Reboot Timeout (Master


Only)

The time, in seconds, after the master device sends a reboot


command to the slaveand the slave has not responded to a
connection attemptthat the master device considers the slave
device disconnected.
Values: 1600
Default: 240

Peer Disconnect Alert Delay

The time, in seconds, that the device (a master or a slave) sends


a trap after identifying a disconnection from its peer.
A trap alerting on slave disconnection will be sent only after
slave is disconnected for this period (to avert flip-flops).
Values: 03600
Default: 60

Document ID: RDWR-APSV-V0130_UG1205

211

APSolute Vision User Guide


Device Network Configuration

Table 118: Configuration Synchronization Parameters in AppDirector 2.14.03 and Later

Parameter

Description

Master Communication Timeout


(Slave Only)

The time, in seconds, after the slave device does not receive any
message from the master device that the slave considers the
master device to be disconnected.
Values: 5600
Default: 180

Exclude From Synchronization


Management IP

Specifies whether Online Configuration Synchronization does not


synchronize the IP interfaces defined on the management ports
MNG-1 and MNG-2.
Default: Disabled

Secured Management Settings

Specifies whether Online Configuration Synchronization does not


synchronize the secure management interface settings and the
certificates they use. These include the secure Web-based
management and SSH.
Default: Disabled

Table 119: Configuration Synchronization Parameters in AppDirector 2.14.01 and 2.14.02

Parameter

Description

Device Role

The role the device plays in the Online Configuration


Synchronization mechanism.
Values:
DisabledThe device does not participate in Online
Configuration Synchronization mechanism.
MasterOnly this device is configurable, and it
synchronizes its configuration with that of the slave device.
SlaveThis device receives its configuration from the
master device. only certain changes can be made on the
slave device. For more information, see Device Roles
Master and Slave, page 207.
Default: None

Synchronization Session
Password

The password used to establish an SSH session between the


master and slave devices.
The same value must be configured on both devices.

Verify Synchronization Session


Password

The password used to establish an SSH session between the


master and slave devices.
The same value must be configured on both devices.

Allow Active Slave Reboot

Specifies whether the device reboots the slave device when


configuration changes require reboot and the slave device is
currently the active (not the backup) device.
Default: Disabled
Note: For more information, see Reset Slave Device,
page 207.

212

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 119: Configuration Synchronization Parameters in AppDirector 2.14.01 and 2.14.02

Parameter

Description

Discover Management IP Only

Specifies whether the master device its peer only via the
management IP interface or via any device interface.
Default: Enabled

Peer Connectivity Timers


Keep Alive Interval (Master Only) The interval, in seconds, at which the device sends keep-alive
messages to the slave device.
Values: 5600
Default: 120
Slave Response Timeout (Master The time, in seconds, after the slave device has not responded
Only)
that the master device considers the slave device disconnected.
Values: 1600
Default: 20
Slave Connect Interval (Master
Only)

The interval, in seconds, at which the device attempts to reestablish a connection with a slave device that is not responding.
Values: 1600
Default: 15

Slave Reboot Timeout (Master


Only)

The time, in seconds, after the master device sends a reboot


command to the slaveand the slave has not responded to a
connection attemptthat the master device considers the slave
device disconnected.
Values: 1600
Default: 240

Peer Disconnect Alert Delay

The time, in seconds, that the device (a master or a slave) sends


a trap after identifying a disconnection from its peer.
A trap alerting on slave disconnection will be sent only after
slave is disconnected for this period (to avert flip-flops).
Values: 03600
Default: 60

Master Communication Timeout


(Slave Only)

The time, in seconds, after the slave device does not receive any
message from the master device that the slave considers the
master device to be disconnected.
Values: 5600
Default: 180

Exclude from Synchronization


Management IP

Specifies whether Online Configuration Synchronization does not


synchronize the IP interfaces defined on the management ports
MNG-1 and MNG-2.
Default: Disabled

Exclude Secured Management


Settings

Specifies whether Online Configuration Synchronization does not


synchronize the secure management interface settings and the
certificates they use. These include the secure Web-based
management and SSH.
Default: Disabled

Document ID: RDWR-APSV-V0130_UG1205

213

APSolute Vision User Guide


Device Network Configuration

Configuring AppDirector VLANs


A Virtual LAN (VLAN) is a group of devices on different physical LAN segments or on a single LAN
segment that can interact with each other as if they were all on the same physical LAN segment. In
other words, a VLAN is a group of PCs, servers, and other network resources that behave as if they
were connected to a single, network segment even though they are not, physically. They can share
resources and bandwidth as if they were connected to the same section.
Some switches are configured to support single or multiple VLANs. When a switch supports multiple
VLANs, the broadcast domains are not shared between the VLANs. The device learns the Layer 2
addresses on every VLAN port. Known unicast frames are forwarded to the relevant port. Unknown
unicast frames and broadcast frames are forwarded to all ports.
AppDirector VLANs provide bridging and switching functionality among ports assigned to the same
VLAN. AppDirector supports both Regular VLAN and Switch VLAN.

Note: AppDirector devices support up to 64 regular or switched VLANs and up to 2048 VLAN
IDs.

To configure a VLAN
1.

In the Configuration perspective Networking tab navigation pane, select VLANs.

2.

Do one of the following:

To add a VLAN, click the

(Add) button.

To edit a VLAN, double-click the row.

3.

Configure VLAN settings and click OK.

4.

To add ports to the VLAN, in the navigation pane, select VLANs > VLAN Ports.
For more information, see Configuring AppDirector VLAN Ports, page 216.

Table 120: VLAN Parameters

Parameter

Description

VLAN ID

Interface number of the VLAN automatically assigned by the management


station.

Protocol

Required VLAN protocol. You can choose IP or Switch VLAN only when the
VLAN type is Switch. Otherwise, the protocol is IP or Other.
Default: Other

Type

Required VLAN type.


Values:
Regular The VLAN acts as a bridge.
SwitchThe Switch VLAN can be part of a Regular VLAN.
Default: Regular

214

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 120: VLAN Parameters

Parameter

Description

Up Criterion

The conditions under which a VLAN interface is considered to be up.


Values:
Default by TypeFor Regular VLAN, when interface grouping is
enabled, all ports in the VLAN are up; otherwise, at least one port in
the VLAN is up.
For Switch VLAN, at least one port in the VLAN is up.
All PortsThe VLAN is considered up when all the ports in the VLAN
are up.
One PortThe VLAN is considered up when at least one port in the
VLAN is up.
Default: Default by Type

Down Criterion

The conditions under which a VLAN interface is considered to be down.


Values:
Default by TypeFor Regular VLAN, when interface grouping is
enabled, at least one port in the VLAN is down; otherwise, all ports in
the VLAN are down.
For Switch VLAN, all ports in the VLAN are down.
All PortsThe VLAN is considered down when all the ports in the
VLAN are down.
One PortThe VLAN is considered down when at least one port in the
VLAN is down.
Default: Default by Type

AppDirector Regular and Switch VLANs


Regular VLAN
A Regular VLAN can be described as an IP Bridge (a software bridge) between multiple ports that
incorporates all the traffic redirection of passing traffic at all layers (Layer 2Layer 7). Two protocols
can be used with Regular VLANs:

IP ProtocolThe VLAN must be assigned an IP address. All the traffic between ports is
intercepted transparently by AppDirector. Packets that need intelligent intervention are checked
and modified by AppDirector and then forwarded to the relevant port. Other packets are simply
bridged by AppDirector as if they were on the same wire.

Other ProtocolAn Other Protocol VLAN cannot be assigned an IP address. This type of VLAN
is used to bridge non-IP traffic through AppDirector. To handle both packets that need intelligent
intervention and non-IP traffic, you can configure IP VLAN and Other VLAN on the same ports.

Note: Switch VLAN can be standalone or part of a Regular VLAN.

Switch VLAN
Switch VLAN is not available in OnDemand Switch 1 or OnDemand Switch VL.
Switch VLAN provides wire-speed VLAN capabilities implemented through the hardware switch fabric
of the AppDirector device.

Document ID: RDWR-APSV-V0130_UG1205

215

APSolute Vision User Guide


Device Network Configuration
Depending on the protocol defined for the Switch VLAN, frames are treated as follows:

Switch VLAN ProtocolFrames arriving at the VLAN port are switched according to Layer 2
information. AppDirector does not intercept this traffic.

IP ProtocolFrames reaching the VLAN port are switched according to Layer 2 information,
except those whose Layer 2 address is the same as the AppDirector port Layer 2 address.
Frames with AppDirector Layer 2 destination are processed by AppDirector and then forwarded.

Configuring AppDirector VLAN Ports


After you create a VLAN, you can add ports to it.

To configure VLAN ports


1.

In the Configuration perspective Networking tab navigation pane, select VLANs > VLAN Port
Table.

2.

Select the VLAN for which you want to configure ports.

3.

Do one of the following:

4.

To add a port, click the

(Add) button.

To edit a VLAN port, double-click the row.

Configure VLAN port settings and click OK.

Table 121: VLAN Port Association Parameters

Parameter

Description

Select VLAN

Select the VLAN for which you want to add a port.

Port

The Layer 2 interface that you want to attach to the VLAN. The interface
can be a port index, trunk index, or Switch VLAN.

Include in Interface
Grouping

Specifies whether the status of this L2 interface should be taken into


consideration when calculating VLAN status for Interface Grouping
(relevant in redundant configurations only).
When enabled, interfaces can initiate Interface Grouping if this interface
is down.

Configuring AppDirector VLAN Advanced Parameters


AppDirector can rewrite VLAN tags on packets that pass through it.

To configure VLAN advanced parameters


1.

In the Configuration perspective Networking tab navigation pane, select VLANs > VLAN
Advanced Parameters.

2.

Configure the parameters; and then, click OK.

216

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 122: VLAN Advanced Parameters

Parameter

Description

Auto Config Aging Time

This parameter is not supported.


Default: 3600

Bridge Forwarding Table Aging


Time

The time, in seconds, that unused entries remain in the Bridge


Forwarding table before the device deletes them.
Default: 3600

VLAN Ether_Type

The Ethernet type for user-defined VLANs.


Default: 0000

VLAN Ether_Type Mask

The mask on Ethernet type for user defined VLANs.


Default: ffff

Enable 802.1q

Specifies whether the device handles VLAN tags traffic according


to IEEE 802.1Q.
Values:
EnabledThe device handles VLAN-tagged traffic according
to IEEE 802.1Q.
DisabledThe device drops all VLAN-tagged traffic.
Default: Disabled

VLAN Tag Handling

Specifies how the device handles VLAN tags.


Values:
RetainThe device preserves existing VLAN tags on the
ingress traffic that passes through the device. Traffic
generated by the device is tagged according to the IPinterface configuration. If an ingress packet has no VLAN tag,
the device performs VLAN tagging on the egress packet
according to the IP interface configuration.
OverwriteThe device performs VLAN tagging of outgoing
traffic according to the IP-interface configuration.
AppDirector sets tags for packets according to the IP
interface via which the traffic will exit the device. If the
packet destination IP address is on a subnet local to the
AppDirector device, AppDirector uses the device IP interface
for the subnet. If the packet destination IP address is not on
a subnet local to the AppDirector device, AppDirector selects
the device IP interface from the same subnet as the next hop
router through which the packet must be sent in order to
reach its destination.
Default: Overwrite
Note: If a packet arrives without a VLAN tag, at a destination
interface of AppDirector with a VLAN tag, AppDirector
sets the tag on the packet according to the destination
local subnet, even if it is in Retain VLAN Tag Handling
mode and behaves as in Overwrite VLAN Tag Handling
mode.

Document ID: RDWR-APSV-V0130_UG1205

217

APSolute Vision User Guide


Device Network Configuration

Configuring Segmentation for AppDirector


Sometimes a single AppDirector device is needed to load-balance multiple farms, each located on a
different segment around a firewall. AppDirector must ensure that all traffic between segments are
passed through the firewall. Dividing your network into logical segments, where a single AppDirector
load balances the traffic and all segments can be inspected by a single firewall is called
segmentation.
To support segmentation, AppDirector defines a type of network entity known as a segment.
Segments are logical entities that can be associated either with physical ports (including VLANs and
Trunks) or with VLAN tags. Layer 4 Policies are also associated with segments, to define the logical
location of each VIP. AppDirector allows traffic for a Layer 4 Policys VIP only when the traffic arrives
from the same segment where this policy resides.
A default gateway can be associated with each segment; usually, the firewall interface of that
segment. There are cases when AppDirector receives traffic that cannot be handled due to segment
conflicts; the segment over which traffic was received does not match the segment to which traffic is
forwarded. AppDirector does not route traffic between segments. All traffic between segments is
sent via a segment NHR.

Notes:
>> You can also assign a backup gateway to each segment, similar to the way Next Hop
Routers can be associated with Virtual IPs.
>> AppDirector default gateway can only belong to the default segment.
For more information about segmentation configurations, see the AppDirector User Guide.
For information about configuring segmentation in AppDirector 2.11.x, see Segmentation in
AppDirector 2.11, page 220.
Before you configure a Server Cracking profile, ensure that you have configured the NHRs to use for
segmentation. For more information, see Configuring NHRs in AppDirector, page 172.

To configure segmentation
1.

In the Configuration perspective Networking tab navigation pane, select Segmentation.

2.

Configure segmentation global parameters and click

3.

Do one of the following:

To create a new segment, click the

To edit an existing entry, double-click the row.

(Submit) to submit the changes.

(Add) button.

4.

Configure segment parameters, and click OK.

5.

To associate an NHR to each segment, in the navigation pane, select Segmentation >
Segment NHR.
For more information, see Associating NHRs to Segments, page 221.

218

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 123: Segmentation Global Parameters

Parameter

Description

Segmentation Mode

The segmentation operating method. All the segments must be of the


same type, either port segments or VLAN tag segments.
Values:
PortsSegmentation is enabled and is based on the devices physical
ports, trunks, or VLAN tags.
VLAN TagSegmentation is enabled and based on the 802.1q
environment. In AppDirector versions prior to 2.13, when the VLAN
Tag mode is in use, an 802.1q environment must be enabled and the
VLAN Tag Handling parameter must be set to Retain.
DisabledThe feature is disabled.
Default: Disabled

Default Segment
Forwarding Mode

Physical ports, VLANs, Trunks, and 802.1q VLAN tags that are not part of
any segment are considered to be members of a default segment. The
default segment is a grouping of all the ports, VLANs, trunks and 802.1q
VLAN tags that do not belong to any segment.
Configure the behavior of traffic from a port or tag that is not a member of
any segment and is destined to a port or tag that is a segment member.
Values:
ForwardForwards traffic to destination (not via Firewall) as if
Segmentation is disabled.
DiscardDiscards the traffic.
Default GatewayForwards the traffic to the AppDirector default
gateway with Segmentation if necessary.
Default: Default Gateway

Segmentation Shared
Ports

Select the port on which the firewall is connected to participate in all


segments automatically (even VLAN tag segments).

Default Segment
Shared VIP

When selected, enables VIPs belonging to the default segment to receive


traffic from any other segment directly (without passing via the firewall).

Table 124: Segment Parameters

Parameter

Description

Segment Name

The unique name of the segment.

Available Ports

The list of Fast Ethernet ports, Gigabit Ethernet ports or Trunk Ports
that can be associated with the segment.
To associate a port, select the port and click

Selected Ports

The list of Ethernet ports, Gigabit Ethernet ports or Trunk Ports that
are associated with the segment.
To remove a port association, select the port and click

VLAN Tag List

The list of VLAN tags to be associated with the segment. Use commas
(,) to separate VLAN tag entries.

Special Segmentation Flag When enabled, VIPs belonging to this segment can receive traffic from
any other segment directly (without passing via firewall).

Document ID: RDWR-APSV-V0130_UG1205

219

APSolute Vision User Guide


Device Network Configuration

Table 124: Segment Parameters

Parameter

Description

Back-end Segmentation

The behavior when the Layer 4 policy (VIP) and the server that
provides the service to the VIP belong to different segments. Back-end
Segmentation is an override that should be used when the server is
not within the same segment that is associated with the Layer 4 policy
and the client sends traffic to the VIP (for load balancing).

(This parameter is
available only in
AppDirector 2.14.03 and
later.)

Values:
EnabledThe device performs segmentation (forwards traffic to
Layer 4 policy segment NHR).
DisabledThe device forwards traffic directly to server.
Default: Enabled

Segmentation in AppDirector 2.11


For general information about segmentation, see Configuring Segmentation for AppDirector,
page 218.
In AppDirector 2.11:

You can configure only one VLAN tag per segment.

A configuration where farms associated with the same Layer 4 Policy VIP are associated with
different segments is not supported; therefore, ensure that such configuration conflicts are
avoided. Similarly, configurations where servers and the Virtual IP do not belong to the same
segment are not supported.

To configure segmentation
1.

In the Configuration perspective Networking tab navigation pane, select Segmentation.

2.

Configure segmentation global parameters and click

3.

Do one of the following:

To create a new segment, click the

To edit an existing entry, double-click the row.

(Submit) to submit the changes.

(Add) button.

4.

Configure segment parameters, and click OK.

5.

To associate an NHR to each segment, in the navigation pane, select Segmentation >
Segment NHR.
For more information, see Associating NHRs to Segments, page 221.

220

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 125: Segmentation Global Parameters

Parameter

Description

Segmentation Mode

The segmentation operating method. All the segments must be of the


same type; either port segments or VLAN tag segments.
Values:
PortsSegmentation is enabled and is based on the devices physical
ports, trunks or VLANs.
VLAN TagSegmentation is enabled and based on the 802.1q
environment. When the VLAN tag mode is in use, 802.1q
environment must be enabled and the VLAN Tag Handling parameter
must be set to Retain.
Disabled The feature is disabled.
Default: Disabled

Default Segment
Forwarding Mode

Physical ports, VLANs, Trunks, and 802.1q VLAN tags that are not part of
any segment are considered to be members of a default segment. The
default segment is a grouping of all the ports, VLANs, Trunks and 802.1q
VLAN tags that do not belong to any segment.
Configure the behavior of traffic from a port or tag that is not a member of
any segment and is destined to a port or tag that is a segment member.
Values:
Forward (Handling without Segmentation)Forwards traffic to
destination (not via Firewall) as if Segmentation is disabled.
DiscardDiscards the traffic.
Default Gateway (Handling with Segmentation if necessary)
Forwards the traffic to the AppDirector Default gateway with
Segmentation if necessary.
Default: Default Gateway

Table 126: Segment Parameters

Parameter

Description

Segment Name

The unique name of the segment.

Available Ports

The list of Fast Ethernet ports, Gigabit Ethernet ports or Trunk Ports that
can be associated with the segment.
To associate a port, select the port and click

Selected Ports

The list of Ethernet ports, Gigabit Ethernet ports or Trunk Ports that are
associated with the segment.
To remove a port association, select the port and click

VLAN Tag

Enter the VLAN tag to be associated with the segment.

Associating NHRs to Segments


A default gateway must be associated to each segment; this would be the Firewall interface of that
segment. When AppDirector receives traffic that cannot be handled due to segment conflicts,
meaning the segment over which traffic was received does not match the segment over which traffic
should be forwarded. AppDirector sends this traffic to the default gateway of the receiving segment.
You must assign a default gateway to each segment.

Document ID: RDWR-APSV-V0130_UG1205

221

APSolute Vision User Guide


Device Network Configuration
Before you associate NHRs to segments, ensure that you have configured the next-hop routers
(NHRs) to use for segmentation. For more information, see Configuring NHRs in AppDirector,
page 172.

To associate NHRs to segments


1.

In the Configuration perspective Networking tab navigation pane, select Redundancy >
Segmentation > Segment NHR.

2.

Do one of the following:

3.

To create a new association, click the

(Add) button.

To edit an existing entry, double-click the row.

Configure segment NHR parameters, and click OK.

Table 127: Segment NHR Parameters in AppDirector 2.30 and Later

Parameter

Description

Segment Name

The name of the segment for association of NHR. Select from the list.

Main NHR
IPv4 Address

Select the NHR IP address.

IPv6 IP Address

Select the NHR IP address.

Weight

Configure a weighting for the NHR.


Values: 1100

Backup NHR
IPv4 IP Address

Select the backup NHR IP address.

IPv6 IP Address

Select the NHR IP address.

Weight

Configure a weighting for the backup NHR.


Values: 1100

No Route Action

Configures AppDirector behavior when both the main and backup NHRs
are down.
Values:
DiscardDiscards the traffic.
Use Regular RoutingSends traffic according to the regular route.

Enable Load Sharing

When selected, outgoing traffic is sent through both NHRs at the same
time.

Table 128: Segment NHR Parameters in AppDirector Prior to Version 2.30

Parameter

Description

Segment Name

The name of the segment for association of NHR. Select from the list.

Main NHR
IP Address

Select the NHR IP address.

Weight

Configure a weighting for the NHR.


Values: 1100

222

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 128: Segment NHR Parameters in AppDirector Prior to Version 2.30

Parameter

Description
Backup NHR

IP Address

Select the backup NHR IP address.

Weight

Define a weighting for the backup NHR.


Values: 1100

No Route Action

Configures AppDirector behavior when both the main and backup NHRs
are down.
Values:
DiscardDiscards the traffic.
Use Regular RoutingSends traffic according to the regular route.

Enable Load Sharing

When selected, outgoing traffic is sent through both NHRs at the same
time.

Configuring AppDirector Advanced Networking


Parameters
To configure AppDirector advanced networking parameters
1. In the Configuration perspective Networking tab navigation pane, select Advanced.
2. Configure the parameters; and then, click

(Submit) to submit the changes.

Table 129: AppDirector Advanced Networking Parameter

Parameter

Description
Duplicate IPv6 Address Detection

Duplicate Address Detection (DAD) is the process by which a node determines that an IPv6 address
considered for use is not already in use by a neighboring node. (This is equivalent to the use of
gratuitous ARP frames in IPv4.) The DAD process consists of sending a neighbor discovery
whenever the device is assigned a new IP address, asking for a neighbor with the same address.
The device performs the DAD procedure for each newly configured IPv6 address: IP interface, VIP,
VIPIm, and client NAT addresses belonging to a subnet configured on the device (matching IP
interface). DAD is not performed for VIP, VIPIs, and client NAT addresses that do not have a
matching IP interface (that is, orphan addresses).
DAD is also performed for each configured IP addresses (IP interfaces, non-orphan VIPs, VIPIs and
client NAT addresses) on device startup.
Retransmits Number

Enables the DAD process and determines the number of times that the
DAD Neighbor discovery message is transmitted, where value of zero
means DAD is disabled.

Document ID: RDWR-APSV-V0130_UG1205

223

APSolute Vision User Guide


Device Network Configuration

Table 129: AppDirector Advanced Networking Parameter

Parameter

Description
IPv6 Router Advertisement

With IPv6, routers can be dynamically discovered and adopted as default gateways by the host
nodes on the same local link, rather than having to statically configure the default gateway and
change it on every network restructure. This process also allows the node to automatically assign
its own global unicast IP address, by having the router publish a prefix for the subnet to be
attached to the hosts link local address. This is called stateless auto-configuration and comes as an
alternative to DHCP, which is stateful, because it has to keep record of the assigned IP address.
Nevertheless, DNS server addresses must still be obtained from DHCP servers, but this does not
incur state maintenance.
The managed device can periodically send Router Advertisements (RAs) on each IP interface
according to a random interval, between specified minimum and maximum times. The managed
device also sends these messages in response to Router Solicitation messages.
To edit the IPv6 router advertisement, right-click the relevant row in the table, and select Edit
IPv6 Router Advertisement Entry.
Interface Index

(Read-only) The identifier of the interface on the physical device.

Send Router
Advertisements (RA)

Specifies whether the managed device sends IPv6 Router Advertisement


(RA) messages.
Default: Disabled

Max RA Interval

The maximum time, in seconds, between Router Advertisements that the


managed device sends.
Values: 41800
Default: 600

Min RA Interval

The minimum time, in seconds, between Router Advertisements that the


managed device sends.
Values: 31350
Default: 200
Note: The value must be no greater than 75 percent of the specified
Max RA Interval.

MTU

The Maximum Transmission Unit value the managed device puts in the
router advertisement message.
Values:
0Specifies that no MTU options are put in the message.
128065,536
Default: 0

Managed Address
Configuration

Specifies whether the Managed Address Configuration Flag is set in the


messages that the managed device sends. The flag indicates to the hosts
on the respective network link that they should use stateful configuration
with DHCPv6 for obtaining addresses and all networking configuration.
Default: Disabled

Other Stateful
Configuration

Specifies whether the Other Stateful Configuration Flag is set in the


messages that the managed device sends. The flag indicates to the hosts
on the respective network link that they should use stateful configuration
with DHCPv6 for obtaining additional networking configuration, excluding
IP addresses.
Default: Disabled

224

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 129: AppDirector Advanced Networking Parameter

Parameter

Description

Reachable Time

The Reachable Time value, in milliseconds, that the managed device puts
in the router advertisement message. This value is for the use of the
nodes that receive it. The Reachable Time specifies the time, in
milliseconds, that a neighbor node on the network link is considered
reachable since the last reachability confirmation.
Values:
0The Reachable Time is not specified in the router advertisement
message.
13600000
Default: 0

Retransmit Time

The Retransmit Time value, in milliseconds, that the managed device puts
in the router advertisement message. This value is for the use of the
nodes that receive it.
Values:
0The Retransmit Time is not specified in the router advertisement
message.
1232
Default: 0

Current Hop Limit

The Current Hop Limit value that the managed device puts in the router
advertisement message. This value is for the use of the nodes that receive
it.
Values:
0The Current Hop Limit is not specified in the router advertisement
message.
1255
Default: 64

Default Router Lifetime The Router Lifetime value, in seconds, that the managed device puts in
the router advertisement message. This value is for the use of the nodes
that receive it. The Router Lifetime specifies the time, in seconds, this
device should be used as a default router. Note that this is an expiration
interval only for the status of the device as a default router, not for other
information in the Router Advertisement message.
Values:
0Specifies that this device should not be used as a default router.
49000
Default: 1800

Configuring DefensePro Redundancy


This feature is available in DefensePro 5.10 and later.
Radware recommends installing DefensePro devices in pairs to provide high availability (HA)that
is, fault tolerance in the case of a single device failure.
To support high availability, you configure two compatible DefensePro devices to operate in a twonode cluster. One member of the cluster is configured as the primary; the other member of the
cluster assumes the role of secondary.

Document ID: RDWR-APSV-V0130_UG1205

225

APSolute Vision User Guide


Device Network Configuration
When you configure a cluster and commit the configuration, APSolute Vision configures the required
parameters on the secondary device.
You can configure a cluster from the APSolute Vision sites tree or from the High Availability pane in
the Configuration perspective.
For more information, see Configuring DefensePro High Availability, page 101.

Configuring Basic Networking Parameters in DefensePro


In DefensePro 5.12 and later, use the Basic pane to do the following:

Specify the IP Version Mode (IPv4 or IPv6)

Specify whether jumbo frames bypass the device or are discardedavailable only on platforms
with the DoS Mitigation Engine (DME)

Specify whether to inspect jumbo frames or discard themavailable only in DefensePro 6.05
and later

Configure the IP Fragmentation parameters

Specifies whether the device passes through all traffic that matches no network policy
configured on the device

In DefensePro versions prior to 5.12, use the Basic pane to configure the following:

Enable/disable tunneling

Enable/disable MPLS-RD

Specify the IP Version Mode (IPv4 or IPv6)

Tunneling Support in DefensePro Versions Prior to 5.12


This section is relevant only for DefensePro versions prior to 5.12.
Carriers, service providers, and large organizations use various tunneling protocols to transmit data
from one location to another. This is done using the IP network so that network elements are
unaware of the data encapsulated in the tunnel.
Tunneling implies that traffic routing is based on source and destination IP addresses. When
tunneling is used, IPS devices and load balancers cannot locate the relevant information because
their decisions are based on information located inside the IP packet in a known offset, and the
original IP packet is encapsulated in the tunnel.
To provide a carrier-grade IPS/DoS solution, DefensePro inspects traffic in tunnels, positioning
DefensePro in peering points and carrier network access points.
In general, wireline operators deploy MPLS and L2TP for their tunneling, and mobile operators
deploy GRE and GTP.

Caution: When you enable tunneling, you must reboot the device before you can configure
MPLS RD groups.

IPv4 and IPv6 Support


DefensePro supports IPv6 and IPv4 protocols and provides a fully functional IPS and DoS prevention
solution for IPv6/IPv4 packets. Management works only in IPv4.

Caution: Changing the configuration of this feature takes effect only after a device reset.

226

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

DefensePro supports processing of IPv6 packets and ICMPv6 packets, including:

Setting networks with IPv6 addresses

Applying security policies

Blocking attacks

Security reporting

IP Fragmentation
This section is relevant only for DefensePro 5.12 and later.
When the length of the IP packet is too long to be transmitted, the originator of the packet, or one of
the routers transmitting the packet, must fragment the packet to multiple shorter packets.
Using IP fragmentation, the managed device can classify the Layer 4 information of IP fragments.
The device identifies all the fragments belong to same datagram, then classifies and forwards them
accordingly. The device does not reassemble the original IP packet, but forwards the fragmented
datagrams to their destination, even if the datagrams arrive at the device out of order.

Note: In DefensePro versions prior to 5.12, you configure the IP Fragmentation in the IP
Fragmentation pane in the Configuration perspective Advanced Parameters tab
navigation pane.
1. In the Configuration perspective Networking tab navigation pane, select Basic.
2. Configure the parameters; and then, click

(Submit) to submit the changes.

Table 130: Basic Networking Parameters

Parameter

Description
Basic Parameters

IP Version Mode

The IP version that the device supports.


Values:
IPv4The device processes IPv4 packets only.
IPv4 and IPv6The device processes IPv6 and IPv4 packets.
Note: If the IPv4 option is selected and IPv6 network classes are
configured, all IPv6 policies (rules) are automatically
disabled. Policies applied on both IPv4 and IPv6 traffic
continue to process IPv4 traffic only. The IPv6 information
remains visible.

Document ID: RDWR-APSV-V0130_UG1205

227

APSolute Vision User Guide


Device Network Configuration

Table 130: Basic Networking Parameters

Parameter

Description
Jumbo Frames

Inspect Jumbo Frames


(On platforms with the DoS
Mitigation Engine, the
Inspect Jumbo Frames
checkbox is available only
when the Bypass Jumbo
Frames checkbox is
cleared.)

Specifies whether the device inspects jumbo frames or discards


them.
Values:
EnabledThe device inspects frames up to 9216 bytes.
DisabledThe device discards frames that are larger than 1550
bytes.
Default: Disabled
Notes:
>> Changing the configuration of this option takes effect only
after a device reset.
>> When this option is enabled, all DefensePro monitoring and
protection modules support monitoring, inspection,
detection, and mitigation of traffic and attacks on packets up
to 9216 bytes. For example, when this option is enabled, TCP
Authentication using Transparent Proxy supports an
additional maximum segment size (MSS) value to improve
performance of the protected networks.

Bypass Jumbo Frames

Specifies whether jumbo frames bypass the device.

(This parameter is displayed


only on platforms with the
DoS Mitigation Enginethat
is, the DME. This parameter
is available only when the
Inspect Jumbo Frames
checkbox is cleared.)

Values:
EnabledFrames of 15509216 bytes bypass the device without
any inspection or monitoring.
DisabledThe device discards frames that are larger than 1550
bytes.
Default: Disabled
Notes:
>> Changing the configuration of the option takes effect only
after a device reset.
>> When the option is enabled on an x412 platform, there may
be some negative effect on the following features: Packet
Anomalies, Black and White Lists, and BDoS real-time
signatures.
>> When the option is enabled on an x06 or x016 platform,
there may be some negative effect on Black and White lists.
>> When the option is enabled, TCP SYN Protection may not
behave as expected because the third packet in the TCP
three-way-handshake can include data and be in itself a
jumbo frame.
>> When the option is enabled, some protections that rely on
the DefensePro session table might produce false-negatives
and drop traffic when all the session traffic bypasses the
device in both directions for a period longer than Session
Aging Time.

IP Fragmentation
Enable IP Fragmentation

When selected, enables IP fragmentation.


Default: Enabled

228

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 130: Basic Networking Parameters

Parameter

Description

Queuing Limit

The percentage of IP packets the device allocates for out-of-sequence


fragmented IP datagrams.
Values: 0100
Default: 25

Aging Time

The time, in seconds, that the device keeps the fragmented


datagrams in the queue.
Values: 1255
Default: 1

Traffic Exclusion
This group box is available only in DefensePro 6.02 and later on x412 platforms with the DME.
Traffic Exclusion

Specifies whether the device passes through all traffic that matches
no network policy configured on the deviceregardless of any other
protection configured.
Default: Enabled
Caution: If Traffic Exclusion is enabled, to inspect traffic that
matches a Server Protection policy, you must configure
the Server Protection policy as a subset of the Network
Protection Policy rule.

To configure the Basic Networking parameters in DefensePro versions prior to 5.12


1. In the Configuration perspective Networking tab navigation pane, select Basic.
2. Configure the parameters; and then, click

(Submit) to submit the changes.

Note: When you enable tunneling, you must reboot the device before you can configure MPLS
RD groups.

Table 131: Basic Networking Parameters in DefensePro Versions Prior to 5.12

Parameter

Description

Enable Tunneling

Enables tunneling support on the device.

Enable MPLS-RD

Enables MPLS RD support on the device.

IP Version Mode

The IP version that the device supports.


Values:
IPv4The device processes IPv4 packets only.
IPv4 and IPv6The device processes IPv6 and IPv4 packets.
Note: If the IPv4 option is selected and IPv6 network classes are
configured, all IPv6 policies (rules) are automatically
disabled. Policies applied on both IPv4 and IPv6 traffic
continue to process IPv4 traffic only. The IPv6 information
remains visible.

Document ID: RDWR-APSV-V0130_UG1205

229

APSolute Vision User Guide


Device Network Configuration

Configuring Port Pairs for DefensePro


You can configure ports on a DefensePro device to receive, inspect, and transmit traffic. The traffic
from the receiving port is always sent out of the device from its corresponding transmitting port. The
ports are paired; one port receives traffic while another transmits traffic.
You can set the operation mode of a port pair. When the port pair operates in Process mode, the
traffic is inspected for attacks and traffic sampling policies are applied. When the port pair operates
in Forward mode, the traffic is forwarded to the destination port without any inspection.

Note: DefensePro x06 models automatically create static-forwarding definitions on the


following port pairswhen they are not assigned to packet trace or trunks: G-1G-2
and G-3G-4.

To configure a pair of ports


1.

In the Configuration perspective Networking tab navigation pane, select Port Pairs.

2.

Do one of the following:

3.

To add a pair of ports, click the

To edit a pair of ports, double-click the row.

(Add) button.

Configure the parameters; and then, click OK.

Table 132: Port Pair Parameters

Parameter

Description
Port Pairs

Source Port

The user-defined source port for received traffic.

Destination Port

The user-defined destination port for transmitted traffic.

Operation

The operation mode assigned to a pair of ports.


Values:
ForwardThe traffic is forwarded without any inspection.
ProcessThe traffic passes thought the CPU and is inspected for attacks,
bandwidth, and so on.

230

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Table 132: Port Pair Parameters

Parameter

Description

Failure Mode

Specifies whether the traffic passes through (bypasses) a pair of RJ-45 ports
when the platform is rebooting or is powered down (for example, if the device
fails).
Values:
Fail-CloseTraffic does not pass through when the platform is powered
down. When a pair of ports enters fail-close state, traffic is blocked and
the link appears to be down (no power), and switches that are connected
to the DefensePro device detect the link as being down.
Fail-OpenTraffic passes through (not processed by DefensePro) when
the platform is powered down.
When you configure Fail-Open for a port pair, you cannot:

Assign the ports into a link aggregation.

Configure either port as a copied destination port.

Configure the ports for SSL inspection.

Note: For more information, see Internal Bypass for RJ-45 Ports in
DefensePro, page 231.
In Port

Specifies which port in the pair is designated as the inbound portthe source
or destination port. This setting is used in real-time reports for inbound and
outbound traffic.

Advanced Parameters
In DefensePro x06 models, this group box and the Enable Interface Grouping checkbox is not
displayed. In x06 models, Interface Grouping is always enabled.
Enable Interface
Grouping

Specifies whether the device groups the statuses of the port-pair interfaces.
When the option is enabled, if one port of a port pair is disconnected,
DefensePro sets the status of the paired port to disconnected also; so, a
remote device connected to the DefensePro device perceives the same
disconnected status.
Typically, the option is enabled when DefensePro is configured between
switches that use link redundancy. Interface grouping is the only way both
switches always perceive the same DefensePro interfaces status.
Default: Disabled

Internal Bypass for RJ-45 Ports in DefensePro


You can configure whether the traffic passes through (bypasses) a pair of RJ-45 ports when the
platform is rebooting or is powered down (for example, if the device fails). You can choose from two
failure modes: Fail-Close or Fail-Open.
With the Fail-Close option, traffic does not pass through when the platform is powered down. When
a pair of ports enters fail-close state, traffic is blocked and the link appears to be down (no power),
and switches connected to DefensePro detect the link as being down.
With the Fail-Open option, traffic passes through (not inspected by DefensePro) when the platform is
powered down.

Document ID: RDWR-APSV-V0130_UG1205

231

APSolute Vision User Guide


Device Network Configuration
When you configure a port pair to use the Fail-Open option, you cannot do the following:

Assign the ports into a link aggregation.

Use either of the ports for management purposes.

Configure either of the ports as a copied destination port.

Configure the ports for SSL inspection.

By default, all the interfaces that support configurable failure modeexcept the last pairare
configured with the Process option for Port Operation with the failure mode set to Fail-Open.
For network debugging or testing purposes, using CLI, you can manually force a pair of ports into
the failure statewithout turning the power off or rebooting the device.
In high-availability, you can set the failure mode of a copper port on a primary device to fail-close.
Thus, when the primary device goes down, the data path will have to change to the secondary
device. On the secondary, device you should consider the fail-open configuration to ensure that
failure of both DefensePro devices will not result in traffic loss.
DefensePro sends appropriate notifications at the following times:

When the configuration of a port pair changes from Fail-Close to Fail-Open.

With the Fail-Open option, when:

A port changes status from up to down.

A port changes status from down to up.

Configuring SSL Inspection for DefensePro


Notes:
>> This solution is deprecated.
>> This solution is not supported in DefensePro x06 models.
DefensePro in conjunction with Radwares AppXcel, can inspect SSL encrypted sessions and protect
SSL tunnels from attacks. When a session is encrypted using SSL, an IPS/IDS device based on
signature matching cannot inspect the secured traffic. DefensePro passively inspects SSL encrypted
sessions. SSL traffic is mirrored by DefensePro and the decrypted session is inspected.
SSL traffic is classified by the device the same way regular traffic is. Traffic is mirrored by
DefensePro and sent to AppXcel. AppXcel decrypts the HTTPS to HTTP and DefensePro then applies
its security policies on the HTTP traffic. If an attack is identified, DefensePro sends a RST packet to
the source and/or destination of the original connection.

232

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration

Figure 32: SSL-based Protection Flow


AppXcel

HTTPS
2
RST

HTTP
3

4 RST

1
HTTPS
Router

DefensePro

Web servers

1. A client initiates an HTTPS session with the server.


2. When DefensePro forwards the traffic to the server, it replicates the HTTPS session to a
preconfigured port, where an AppXcel unit is connected.
3. AppXcel operates in passive SSL mode, decrypts the HTTPS session and returns it as an HTTP
session.
4. DefensePro inspects the HTTP traffic received from AppXcel based on its policies. If an attack is
detected, DefensePro sends a Reset packet to the source and/or destination.

Note: Bandwidth Management, DoS, SYN protection and other policies can also be applied to
the original SSL streams.
Before you configure SSL inspection, configure inspection ports in the Static Forwarding table by
setting the operating mode to Process.
When you assign the same Destination Port to more than one Source Port, you must set the
Destination Port of the traffic in the opposite direction, otherwise the traffic transmitted in that
direction is ignored. For example, if both Source Port 1 and Source Port 2 are associated with
Destination Port 3, then for traffic in the opposite direction, the Source Port is 3 while the
Destination Port must be defined (1 or 2).

To configure SSL inspection


1. In the Configuration perspective Networking tab navigation pane, select SSL Inspection.
2. Do one of the following:

To add an SSL inspection physical port, click the

To edit a port, double-click the row.

(Add) button.

3. Configure SSL inspection physical port settings and click OK.


4. Configure SSL inspection Layer 4 port settings.

Document ID: RDWR-APSV-V0130_UG1205

233

APSolute Vision User Guide


Device Network Configuration

Table 133: SSL Inspection Physical Port Parameters

Parameter

Description

Incoming Port

The scanning port that was configured for one of the traffic directions.

Port towards AppXcel The port that is used for SSL acceleration.
This port must be dedicated to the SSL acceleration and cannot be used for
other purposes, such as static forwarding or network interface.

Configuring SSL Inspection Layer 4 Ports for DefensePro


Notes:
>> This solution (configuring SSL-based protection with AppXcel) is deprecated.
>> This solution is not supported in DefensePro x06 models.

To configure SSL inspection Layer 4 ports


1.

In the Configuration perspective Networking tab navigation pane, select SSL Inspection >
L4 Ports.

2.

Do one of the following:

3.

To add an SSL inspection Layer 4 port, click the

To edit a port, double-click the row.

(Add) button.

Configure SSL inspection Layer 4 port settings and click OK.

Table 134: SSL Inspection Layer 4 Port Parameters

Parameter

Description

TCP Incoming Port

The SSL service port of the original traffic.


This TCP port is used for forwarding SSL sessions.

TCP Port towards


AppXcel

The corresponding service port that AppXcel uses for decrypted sessions.
This HTTP port is used after decryption.

IPv6 Support in AppDirector


AppDirector supports dual-stack IPv6 and IPv4 environments, including IPv4/IPv6 gateway
functionality.
AppDirector is certified for compliance with the IPv6 Ready logo Phase 1 requirements.

234

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Device Network Configuration
AppDirector application delivery capabilities, including Layer 4 and Layer 7 traffic management,
application acceleration (SSL offload, caching, compression), global traffic redirection, and high
availability (health monitoring, VRRP failover), are supported for the following types of traffic:

Pure IPv4IPv4 client to IPv4 servers

Pure IPv6IPv6 client to IPv6 servers

Mixed (gateway):

IPv4 client to IPv4 and/or IPv6 servers

IPv6 client to IPv4 and/or IPv6 servers

Unless otherwise specified, the various IP objects in the AppDirector configuration can accept both
IPv4 and IPv6 addresses.

Document ID: RDWR-APSV-V0130_UG1205

235

APSolute Vision User Guide


Device Network Configuration

236

Document ID: RDWR-APSV-V0130_UG1205

Chapter 7 Managing AppShape-Template


Instances
Use AppShape templates to accelerate, simplify, and optimize the configuration of Alteon ADC
devices for deployments of the following business applications:

SAP PortalFor an SAP portal that supports ASLR version 1.2.

SharePointFor Microsoft SharePoint Server 2010.

AppShape supports an application-centric view, including management screens, and compliance.


This results in simplified and efficient application management in the ADC.
Each AppShape instance automatically checks for changes in application resources and
automatically synchronizes them to the ADC.
When you configure an instance of an AppShape template, you specify an Alteon device that the
APSolute Vision server is managing. After you specify the Alteon device, you configure a small set of
parameters. The AppShape template sets and configures all the required ADC options, which are
tailored for the specific business application. APSolute Vision periodically validates and synchronizes
the device configuration to the AppShape template.

Note: When you specify the Alteon device for the AppShape instance the device can be
unlocked. However, to configure the parameters, submit, and apply the configuration,
the Alteon device must be locked (as with any configuration change to a device
managed in APSolute Vision).

To view the basic parameters of AppShape instances that the APSolute Vision is
managing
In the Configuration perspective system pane, select the AppShapes tab.
Table 135: Basic Parameters of AppShape Instances in APSolute Vision

Parameter

Description

Instance Name

The name of the AppShape instance.


Note: You can change the name in the configuration of the instance
on the device.

Configuration Validation

The latest-known status that specifies whether the AppShape instance


is synchronized with the AppShape template.

Last Validation

The last time that the configuration of the device was synchronized with
the AppShape template.

Device Name

The name of a device the on which the AppShape instance is deployed.

Virtual Address

The virtual IP address of the service.

Document ID: RDWR-APSV-V0130_UG1205

237

APSolute Vision User Guide


Managing AppShape-Template Instances

To view the configuration of an existing AppShape instance on a specific device


1.

In the Asset Management perspective system pane, select AppShape. The AppShape tab is
displayed.

2.

Select the row with the device whose configuration you want to view.

3.

Click Configure and View AppShape Instance.

Related Topics
SAP Message Server Automated Configuration Parameters, page 264

Configuring an SAP Portal AppShape Instance


An SAP Portal automates the configuration of an AppShape instance on an Alteon device. You can
configure up to four SAP Portal connections in an AppShape instance.
After you enable and configure the SAP Portal connection, you must configure an SAP Message
Server Automated Configuration scheduled task. The task periodically polls the SAP Portal and
updates the Alteon-device configuration.
The following diagram shows an APSolute Vision server, an Alteon device, and an example SAP
Portal configuration supporting two servers in a single host and two ports.

Figure 33: APSolute Vision Server, Alteon Device, and SAP Portal
APSolute Vision
Management

ADC
VIP 1.1.1.1
Client

ASL
R

SAP Portal

SAP Servers:
Host: 10.203 .100 .100
Ports: 50000
50200

The SAP Portal AppShape generates the following configurations:

SLB ConfigurationThe global parameters, slb on and direct enabled, are mandatory.
APSolute Vision automatically generates the server list. The logic removes or adds entries based
on the SAP servers listverifying the ports, the addresses, and the weights. APSolute Vision
creates a single group supporting both HTTP and HTTPS entries. Index 1 is the default, but the
device can use other indexes based on the HTTP service group index. The HTTP service redirects
to HTTPS. The user can remove the redirection flag. The HTTPS application service supports
HTTP compression and modification. The HTTPS SSL application service uses the user-defined
certificate and the generated SLL policy. Maintaining persistency, the pbind insert cookie is
activated (mandatory).

Compression Policy Configuration.

The Compression Policy configuration enables compression and creates a default policy.

The compression level is 1. The compression level is a recommendation; the user can set an
alternate value.

238

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Managing AppShape-Template Instances

SSL Configuration.

By default, SSL offloading is enabled.

The SSL configuration enables SSL offloading and creates the SSL policy accordingly. APSolute
Vision uses the SSL certificate that is specified in the configuration. The automated logic (that is,
the daemon) enforces convert to disabled.

Layer 7 Modification Configuration.

HTTP modification is vital in supporting the SAP portal.

The APSolute Vision mechanism enforces both the rules and the modification action, which are
required since Alteon replaces the service port (443) with the server port.

To configure an SAP Portal AppShape instance


1.

In the Configuration perspective system pane, AppShapes tab, select AppShape > SAP Portal.

2.

In the SAP Portal tab, to add an entry to the table:


a.
b.

Click the
(Add) button.
In the Create AppShape dialog box, from the Device Name drop-down list, select the
device on which to instantiate the AppShape template. The Device Name drop-down list
contains all compatible Alteon devicesstandalone, VA, and vADC devices. However, the list
does not filter out the devices that are not locked. To configure the instance the device must
be locked.

c.

Click OK.

3.

Click Configure and View AppShape Instance.

4.

Configure the parameters; and then, click

(Submit).

Table 136: SAP PortalAppShape Parameters

Parameter

Description
SAP Portal AppShape Instance

Last Validation

(Read-only) The last time, in yyyy-MM-dd hh:mm:ss.f


format, that the configuration device was synchronized
with the AppShape template.

Name

The name of the AppShape instance.

Virtual Address

The virtual IP address of the service.

Application Servers
Message Server Auto-Discovery

Specifies whether the SAP Message Server uses autodiscovery.


Default: Disabled

Address/Port table

Contains the addresses and ports of each real server.

(The table is displayed only when the


Message Server Auto-Discovery
checkbox is cleared.)

Click the
(Add) button to add a new server. For
information on configuring real servers, see

Document ID: RDWR-APSV-V0130_UG1205

239

APSolute Vision User Guide


Managing AppShape-Template Instances

Table 136: SAP PortalAppShape Parameters

Parameter

Description
Message Server Connection Settings

(The group box and the parameters in it are displayed only when the Message Server AutoDiscovery checkbox is selected.)
Host Name

The DNS name or IPv4 address of the SAP Message


Server.

Port

The listening port of the SAP Message Server.

Maximum characters: 30
Default: 8101

Load Balancing Settings


SLB Metric

The SLB metric used to select next server in group.


Default: Round Robin
Note: If you choose a value other than the default,
AppShape always uses the default value for any
additional, specifically related parameter. For
example, if the value of SLB Metric is Min Misses,
the specifically related Minmiss Hash is always
the default 24 Bits. For more information on the
SLB Metric, see Configuring Server Groups for
Virtual Services, page 392.

Health Check

The type of content that is examined during health checks.


The content depends on the type of health check.
Default: TCP

HTTP
Compression

Specifies whether the HTTP profile uses compression.


Default: Enabled

SSL
SSL Acceleration

Specifies whether SSL offloading is enabled for


acceleration.
Default: Enabled

Server Certificate

The name of the SSL certificate.

(This parameter is displayed only when


the Enable checkbox is selected.)
To view the existing SSL certificates, click
. And then,
to edit an SSL certificate in the dialog box, double-click on
it.
For information on configuring SSL certificates, see
Managing the Certificate Repository, page 472.

240

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Managing AppShape-Template Instances

Configuring a SharePoint AppShape Instance


To configure a SharePoint AppShape instance
1. In the Configuration perspective system pane, AppShapes tab, select AppShape >
SharePoint.
2. In the SharePoint tab, to add an entry to the table:
a.
b.

Click the
(Add) button.
In the Create AppShape dialog box, from the Device Name drop-down list, select the
device on which to instantiate the AppShape template. The Device Name drop-down list
contains all compatible Alteon devicesstandalone, VA, and vADC devices. However, the list
does not filter out the devices that are not locked. To configure the instance the device must
be locked.

c.

Click OK.

3. Click Configure and View AppShape Instance.


4. Configure the parameters; and then, click

(Submit).

Table 137: SharePointAppShape Parameters

Parameter

Description
SharePoint AppShape Instance

Last Validation

(Read-only) The last time, in yyyy-MM-dd hh:mm:ss.f


format, that the configuration device was synchronized with
the AppShape template.

Name

The name of the AppShape instance.

Virtual Address

The virtual IP address of the service.

Application Servers
Address/Port table

Contains the addresses and ports of each real server


configured for the SharePoint server.
Click the
(Add) button to add a new server. For
information on configuring real servers, see

Load Balancing Settings


SLB Metric

The SLB metric used to select next server in group.


Default: Round Robin
Note: If you choose a value other than the default,
AppShape always uses the default value for any
additional, specifically related parameter. For
example, if the value of SLB Metric is Min Misses, the
specifically related Minmiss Hash is always the
default 24 Bits. For more information on the SLB
Metric, see Configuring Server Groups for Virtual
Services, page 392.

Document ID: RDWR-APSV-V0130_UG1205

241

APSolute Vision User Guide


Managing AppShape-Template Instances

Table 137: SharePointAppShape Parameters

Parameter

Description

Health Check

The type of content that is examined during health checks.


The content depends on the type of health check.
Default: TCP

HTTP
Caching

Specifies whether the HTTP profile uses caching.


Default: Enabled

Compression

Specifies whether the HTTP profile uses compression.


Default: Enabled

Connection Management

Specifies whether the HTTP profile uses connection


management.
If enabled, you must configure the proxy IP address.
Default: Enabled

PIP

Opens the Add New Proxy IP dialog box. For information on


adding
a new proxy IP address, see Configuring Proxy IP,
(This button is displayed only when
page
367.
the Connection Management
checkbox is selected.)

SSL
SSL Acceleration

Specifies whether SSL offloading is enabled for acceleration.


Default: Enabled

Server Certificate

The name of the SSL certificate.

(This parameter is displayed only


when the Enable checkbox is
selected.)

To view the existing SSL certificates, click


. And then, to
edit an SSL certificate in the dialog box, double-click on it.
For information on configuring SSL certificates, see Managing
the Certificate Repository, page 472.

242

Document ID: RDWR-APSV-V0130_UG1205

Chapter 8 Managing Device Operations and


Maintenance
Use the APSolute Vision Monitoring perspective for operation and maintenance of managed devices:

Rebooting a Managed Device, page 243

Shutting Down a Managed Device, page 244

Enabling and Disabling APSolute Vision Monitoring, page 244

Viewing and Setting Device Date and Time, page 245

Upgrading Device Software, page 245

Downloading a Devices Log File to the APSolute Vision Client, page 246

Updating a Radware Signature File or RSA Signature File in DefensePro Devices, page 247

Downloading a Devices Technical Support File to the APSolute Vision Client, page 248

Managing Device Configurations, page 249

Updating Policy Configurations, page 252

Checking Device Memory Availability, page 253

Purging AppDirector HTTP and OCPF Caches, page 253

Resetting the Baseline for DefensePro Devices, page 253

Enabling and Disabling Interfaces, page 254

Rebooting a Managed Device


Some configuration changes on the device require a device reboot for the configuration to take
effect. This is indicated by a Reboot required notification in the Properties pane. You can activate
the device reboot from APSolute Vision.

Note: You can schedule device reboots in the APSolute Vision scheduler. For more information,
see Managing Tasks in the Scheduler, page 256.

To reboot a managed device


1.

In the Monitoring perspective system pane, right-click the device name and select Reboot.

2.

Click Yes in the Confirmation Required dialog box.

Document ID: RDWR-APSV-V0130_UG1205

243

APSolute Vision User Guide


Managing Device Operations and Maintenance

Shutting Down a Managed Device


You can activate a device shutdown from APSolute Vision.

Note: This feature applies only to OnDemand Switch platforms.

To shut down a managed device


1.

In the Monitoring perspective system pane, right-click the device name and select Shutdown.

2.

Click Yes in the Confirmation Required dialog box.

Enabling and Disabling APSolute Vision Monitoring


APSolute Vision monitoring is available by default. When enabled, APSolute Vision polls the
managed device for its status and collects device statistics.
You might want to disable APSolute Vision monitoring when testing, or using the device in a nonproduction environment.
When you disable APSolute Vision monitoring for a device:

APSolute Vision stops polling the device for its status.

The device icon in the system pane includes a small question mark (?)
AppDirector,

for Alteon,

for

for DefensePro.

The Alerts pane does not receive alerts from the device.

The device node in the sites tree does not include the device entities (for example, ports and
trunks).

Monitoring perspective tabs are unavailable.

DefensePro real-time and historical reports are not collected.

To enable APSolute Vision monitoring


In the Monitoring perspective system pane, right-click the device name and select Enable
Vision Monitoring.

To disable APSolute Vision monitoring


In the Monitoring perspective system pane, right-click the device name and select Disable
Vision Monitoring.

244

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Managing Device Operations and Maintenance

Viewing and Setting Device Date and Time


You can view the current date and time on a managed device and you can change its date and time
setting.

To view the date and time on a managed device


In the Monitoring perspective system pane, right-click the device name and select Show Date
& Time.

Note: The date and time display is a snapshot only. It does not change if the dialog box is
left open.

To change the date and time on a managed device


1. In the Monitoring perspective system pane, right-click the device name and select Set Date and
Time.
2. Set the date and/or time as required, and click OK.

Upgrading Device Software


You can upgrade the software version on managed devices from APSolute Vision.
A device upgrade enables the new features and functions on the device without altering the existing
configuration. In exceptional circumstances, new software versions are incompatible with legacy
configuration files from earlier software versions. This most often occurs when attempting to
upgrade from a very old version to the most recently available version.
The software version file must be located on the APSolute Vision client system. APSolute Vision
automatically transfers it to the APSolute Vision server and uploads it to the device. New software
versions require a password, which can be obtained from the Radware corporate Web site. For a
maintenance-only upgrade, the password is not required.
After the device upgrade is complete, you must reboot the device.

Caution: Before upgrading to a newer software version, do the following:


>> Back up the existing configuration file. For more information, see Downloading a
Devices Configuration File, page 249.
>> Ensure that you have configured on the device the authentication details for the protocol
used to upload the file.

Document ID: RDWR-APSV-V0130_UG1205

245

APSolute Vision User Guide


Managing Device Operations and Maintenance

To update the device software version


1.

In the Monitoring perspective system pane, right-click the device name and select Manage
Software Versions.

2.

Configure software upgrade parameters, and click OK.

3.

When the device upgrade is complete, reboot the device.

Table 138: Software Upgrade Parameters

Parameter

Description

Upload Via

The protocol used to upload the software file from APSolute Vision to the
device.
Values: HTTP, HTTPS, TFTP

File Name

The name of the file to upload.

Software Version

The software version number as specified in the new software


documentation.

Password

Enter the password received with the new software version, and verify.
The password is case sensitive.

Downloading a Devices Log File to the APSolute Vision


Client
You can download a managed devices log file to the APSolute Vision client system. The log file is
automatically generated by the device and contains a report of configuration errors. The log file can
be used for debugging.

To download a device log file


1.

In the Monitoring perspective system pane, right-click the device name and select Export Log
File.

2.

Configure download parameters, and click OK.

Table 139: Device Log File Download Parameters

Parameter

Description

Download Via

The protocol used to download the log file.


Values: HTTP, HTTPS, TFTP

File Name

246

Save the downloaded log file as a text file on the client system. Enter or
browse to the location of the saved log file, and select or enter a file
name.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Managing Device Operations and Maintenance

Updating a Radware Signature File or RSA Signature File


in DefensePro Devices
You can upload an updated Radware signature file or RSA signature file to a managed device.

Notes:
>> For AppDirector 2.30 and later, you can update a signature file, but only from you client
PC, and only manually (that is, not using a scheduled task).
>> RSA-signature support is available in DefensePro 5.10 and later.
You can upload an updated Radware signature file to a DefensePro device from the following
sources:

Radware.com or the proxy file server that is configured in the Vision Server
Connection configurationThe Alerts pane displays a success or failure notification and
whether the operation was performed using a proxy server.

APSolute Vision client systemThe name of the signature file on the must be DEVICE-MACADDRESS.sig.

Note: You can schedule Signature File updates in the APSolute Vision scheduler. For more
information, see Managing Tasks in the Scheduler, page 256.
For more information about using signature files, see the DefensePro User Guide.

To update the signature file of a device


1. In the Monitoring perspective system pane, right-click the device name and select Update
Attack Signature.
2. Configure the parameters, and click OK.

Table 140: Update Device Signature File Parameters for AppDirector

Parameter

Description

Update From

(Read-only) The location of the signature file to upload. For


AppDirector, this is Client. APSolute Vision uploads the signature file
from the APSolute Vision client system.

Upload Via

The protocol used to upload the signature file.


Values: HTTP, HTTPS, TFTP

File Name

The name of the signature file on the client system.

Document ID: RDWR-APSV-V0130_UG1205

247

APSolute Vision User Guide


Managing Device Operations and Maintenance

Table 141: Update Device Signature File Parameters for DefensePro

Parameter

Description

Signature Type

The type of the signature file to upload to the device.


Values:
Radware Signatures
RSA Signatures

Update From

The location of the signature file to upload.


Values:
Radware.comAPSolute Vision uploads the signature file directly
from Radware.com or from the proxy server that is configured in
the Vision Server Connection configuration.
ClientAPSolute Vision uploads the signature file from the
APSolute Vision client system. This option is only available for
Radware signatures.

Upload Via

The protocol used to upload the signature file.


Values: HTTP, HTTPS, TFTP

File Name

Name of the signature file on the client system.

(This parameter is
displayed only when
Update From Client is
selected)

Downloading a Devices Technical Support File to the


APSolute Vision Client
For debugging purposes, a managed device can generate a TAR file containing the technical
information that Radware Technical Support requires. The file includes output of various CLI
commands; for example, a printout of the Client table.
You can download a managed devices technical support file to the APSolute Vision client system and
send it to Radware Support.

Note: If you encounter problem with APSolute Vision server or APSolute Vision client (as
opposed to the managed device), see the APSolute Vision Administrator Guide.

To download a devices technical support file


1.

In the Monitoring perspective system pane, right-click the device name and select Export Tech
Support File.

2.

Configure download parameters, and click OK.

248

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Managing Device Operations and Maintenance

Table 142: Device Technical Support File Download Parameters

Parameter

Description

Download Via

The protocol used to download the technical support file.


Values: HTTP, HTTPS, TFTP

Save As

Save the downloaded technical support file as a text file on the client
system. Enter or browse to the location of the saved file, and select or
enter a file name.

Managing Device Configurations


This section describes how to manage configurations of the Radware devices that are configured on
the APSolute Vision server.

Configuration File Content


The configuration file content is divided into two sections:

Commands that require rebooting the deviceThese include BWM Application


Classification Mode, Application Security status, Device Operation Mode, tuning parameters, and
so on. Copying and pasting a command from this section takes effect only after the device is
rebooted. The section has the heading: The following commands will take effect

only once the device has been rebooted!

Commands that do not require rebooting the deviceCopying and pasting a command
from this section takes effect immediately after pasting. The commands in the section are not
bound to SNMP. The section has the heading: The following commands take effect

immediately upon execution!


The commands are printed within each sectionin the order of implementation.
At the end of the file, the device prints the signature of the configuration file. This signature is used
to verify the authenticity of the file and that it has not been corrupted. The signature is validated
each time the configuration file is uploaded to the device. If the validity check fails, the device
accepts the configuration, but a notification is sent to the user that the configuration file has been
tampered with and there is no guarantee that it works. The signature looks like File Signature:
063390ed2ce0e9dfc98c78266a90a7e4.

Downloading a Devices Configuration File


You can download a devices configuration file from the device to APSolute Vision for backup,
Whether you choose to download to the APSolute Vision server or client system, a copy is always
saved in the APSolute Vision database.
For AppDirector in an active-backup configuration, you can send a devices configuration file to a
backup device. Or, for AppDirector in an active-active configuration, you can send a devices
configuration file to a peer device.

Document ID: RDWR-APSV-V0130_UG1205

249

APSolute Vision User Guide


Managing Device Operations and Maintenance
By default, you can save up to five (5) configuration files per device on the APSolute Vision server.
You can change this parameter in the APSolute Vision Setup page up to a maximum of 10. When the
limit is reached, you are prompted to delete the oldest file. For more information, see the APSolute
Vision Administrator Guide.

Note: You can schedule configuration file backups in the APSolute Vision scheduler. For more
information, see Managing Tasks in the Scheduler, page 256.

To download a devices configuration file


1.

In the Monitoring perspective system pane, right-click the device name and select Export
Configuration File from Device.

2.

Configure the download parameters; and then, click Save.

Table 143: Device Configuration File Download Parameters

Parameter

Description

Download to

Where to back up the device configuration file.


Values: Client, Server

Download Via

The protocol used to download the configuration file.


Alteon value: HTTPS
AppDirector and DefensePro values: HTTP, HTTPS, TFTP

Save As

Save the downloaded configuration file as a text file on the client system.
On the server, the default name is a combination of the device name and
backup date and time. You can change the default name.

Type

An Alteon or AppDirector device can generate configuration files for itself,


its peer device (active-active configuration), and its backup device
(This parameter is
(active-backup configuration). You can select any of these files for
available only in
AppDirector, and only in download.
AppDirector versions
Other device types generate configuration files only for the device itself.
after 1.07.12.)
Values: Device, Peer, Backup
Passphrase

The passphrase.

(This parameter is
available only in Alteon
devices.)
Include Private Keys
(This parameter is
available only in Alteon
and AppDirector 2.11
and later.)

250

When enabled, the certificate private key information is included in the


downloaded file. You must include the private key information to restore
the private keys; otherwise, the device reverts to default keys.

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Managing Device Operations and Maintenance

Restoring a Devices Configuration


You can restore a managed devices configuration file from a backup configuration file on the
APSolute Vision server or client system to the managed device. When you upload the configuration
file to the device, it overwrites the existing device configuration.
After the restore operation is complete, you must reboot the device.

To restore a devices configuration


1. In the Monitoring perspective system pane, right-click the device name and select Import
Configuration File to Device.
2. Configure upload parameters, and click OK.
3. When the upload completes, reboot the device.

Table 144: Device Configuration File Upload Parameters

Parameter

Description

Upload from

The location of the backup device configuration file to send.


Values: Client, Server

Upload Via

The protocol used to upload the configuration file.


Alteon value: HTTP
AppDirector and DefensePro values: HTTP, HTTPS, TFTP

File for Upload

When uploading from the client system, enter or browse to the name of
the configuration file to upload.
When uploading from the server, select the configuration to upload.

Passphrase

The passphrase.

(This parameter is
available only with
Alteon devices.)

Synchronizing AppDirector Configurations


When AppDirector devices are organized in a cluster, you can synchronize the active device
configuration on the main device with backup devices in the cluster, if the devices are of the same
platform, version, and license.

Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.

Document ID: RDWR-APSV-V0130_UG1205

251

APSolute Vision User Guide


Managing Device Operations and Maintenance
This feature works only if Online Configuration Synchronization is enabled. For information on Online
Configuration Synchronization, see Online Configuration Synchronization, page 206.

Note: You can schedule configuration file backups in the APSolute Vision scheduler. For more
information, see Managing Tasks in the Scheduler, page 256.

To synchronize an AppDirector device configuration


1.

In the Monitoring perspective system pane, right-click a main device in the cluster and select
Synchronize Device Configuration.

2.

Configure synchronization parameters, and click OK.


When synchronization completes, the backup device is rebooted.

Table 145: Synchronize Device Configuration Parameters

Parameter

Description

File Type

The AppDirector device stores separate configuration files for a peer


device (in an active-active configuration), and a backup device (in an
active-backup configuration). Select which configuration file to use for the
synchronization.
Values: Peer, Backup

Include Private Keys

When enabled, the certificate private key information is included in the


synchronization.

Backup Device

(Read-only) The backup device that is being synchronized.

Updating Policy Configurations


You can apply the following configuration changes to a managed device in a single operation:

Network security policy

Server security policy

ACL policy

White list

Black list (relevant for DefensePro only)

Classes

To update policy configurations on a managed device


1.

In the Monitoring perspective system pane, right-click the device name and select Update
Policies.

2.

Click Yes in the Confirmation dialog box.

252

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Managing Device Operations and Maintenance

Checking Device Memory Availability


You can check whether a managed device has enough memory before you change any tuning
parameters, including NAT tuning.

To check device memory availability


In the Monitoring perspective system pane, right-click the device name and select Check
Available Memory. A message box is displayed, which notifies you whether there is enough
memory on the device, or, if not, how much memory is required.

Purging AppDirector HTTP and OCPF Caches


You can purge the HTTP and OCPF cache on an AppDirector device in version 2.14 and later.

To purge an HTTP or OCPF cache on an AppDirector device


1. In the Monitoring perspective system pane, right-click the device name and select one of the
following:

Purge HTTP Cache

Purge OCPF Cache

2. Click OK.

Resetting the Baseline for DefensePro Devices


Resetting baseline-learned statistics clears the baseline traffic statistics and resets default normal
baselines. Reset the baseline statistics only when the characteristics of the protected network have
changed entirely and bandwidth quotas need to be changed to accommodate the network changes.
You can reset the baseline for all the network policy rules that contain a BDoS or DNS Protection
profile, or for a selected network policy rule that contains a BDoS or DNS Protection profile.
For information about configuring network-protection policy rules, see the DefensePro User Guide.

To reset BDoS baseline statistics


1. In the Monitoring perspective system pane, right-click the device name and select Reset BDoS
Baseline.
2. Select whether to reset the baseline for all network policy rules that contain a BDoS profile, or
for a specific network-protection rule that contains a BDoS profile; and then, click OK.

Document ID: RDWR-APSV-V0130_UG1205

253

APSolute Vision User Guide


Managing Device Operations and Maintenance

To reset DNS baseline statistics


1.

In the Monitoring perspective system pane, right-click the device name and select Reset DNS
Baseline.

2.

Select whether to reset the baseline for all network policy rules that contain a DNS profile, or for
a specific network-protection rule that contains a DNS profile, then click OK.

Enabling and Disabling Interfaces


You can enable and disable interfaces from the Monitoring perspective. In AppDirector, you can
enable and disable device ports and trunks, and VLANs. In DefensePro, you can enable and disable
device ports and trunks.

To enable an interface
1.

In the Monitoring perspective system pane, select the relevant device.

2.

Expand the node in the tree to display the interfaces.

3.

Right-click the interface name and select Enable.

Note: If the interface is already enabled, this option is unavailable.

To disable an interface
1.

In the Monitoring perspective system pane, select the relevant device.

2.

Expand the node in the tree to display the interfaces.

3.

Right-click the interface name and select Disable.

Note: If the interface is already disabled, this option is unavailable.

254

Document ID: RDWR-APSV-V0130_UG1205

Chapter 9 Scheduling APSolute Vision and


Device Tasks
The following topics describe how to schedule APSolute Vision and device operations in the APSolute
Vision Scheduler:

Overview of Scheduling, page 255

Managing Tasks in the Scheduler, page 256

Overview of Scheduling
You can schedule various operations for the APSolute Vision server and managed devices. Scheduled
operations are called tasks.
The APSolute Vision scheduler tracks when tasks were last performed and when they are due to be
performed next. When you configure a task for multiple devices, the task runs on each device
sequentially. After the task completes on one device, it begins on the next. If the task fails to
complete on a device, the Scheduler will activate the task on the next listed device.
Scheduled tasks run according to the time as configured on the APSolute Vision client.

Caution: If the APSolute Vision client timezone differs from the timezone of the APSolute Vision
server or the managed device, take the time offset into consideration.
When you define a task, you can choose whether to enable or disable the task. All configured tasks
are stored in the APSolute Vision database.
You can define the following types of scheduled tasks:

Back up the APSolute Vision server configuration

Back up a device configuration

Back up the APSolute Vision Reporter data

Reboot a device

Validate the AppShape SharePoint configuration

Validate the AppShape SAP Portal configuration and poll the SAP Message Servers

Synchronize the AppDirector-device configuration with backup device

Update the Radware signature file onto a DefensePro device from Radware.com or the proxy
server

Update the RSA signature file onto a DefensePro device from Radware.com or the proxy server

Update the APSolute Vision Attack Description file from Radware.com or the proxy server

Note: You can perform some of the operations manually, from the Monitoring perspective.

Document ID: RDWR-APSV-V0130_UG1205

255

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Managing Tasks in the Scheduler


The Scheduler window is the starting point for viewing and configuring tasks, which are scheduled
operations.
The Tasks table displays the following information for each configured task.

Parameter

Description

Name

The name of the configured task.

Task Type

The type of task to be performed.

Enabled

When selected, the task is performed according to the defined schedule.


Disabled tasks are not activated, but the task is saved in the database.

Schedule

The frequency at which the task is performed; for example, daily or


weekly. The schedule start date is displayed, if it has been defined.

Last Execution Status

Whether the last task run was successful. When the task is disabled, or
has not yet started, the status is Never Executed.

Last Execution Time

The date and time of the last task run. When the task is disabled, or has
not yet started, this field is empty.

Next Execution Time

The date and time of the next task run. When the task is disabled, this
field is empty.

Description

The user-defined description of the task.

To configure a task schedule


1.

In the Configuration perspective main toolbar, click the


displays information for each scheduled task.

2.

To add or edit a task:

3.

(Scheduler) button. The Tasks table

To add a new task, click the


(Add) button. Select the type of task, and click OK. The
dialog box for the selected task type is displayed.

To edit a task, double-click the entry in the table.

Configure task parameters, and click OK. All task configurations include basic parameters and
scheduling parameters. Other parameters depend on the type of task selected.

APSolute Vision Configuration Backup, page 257

APSolute Vision Reporter Backup, page 259

AppShape SharePoint Configuration Validation, page 260

To run an existing task


1.

In the Configuration perspective main toolbar, click the


displays information for each scheduled task.

2.

Right-click the required task; and then, click Run Task.

256

(Scheduler) button. The Tasks table

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Task Parameters
Set the following parameters to configure tasks in the Scheduler:

APSolute Vision Configuration Backup, page 257

APSolute Vision Reporter Backup, page 259

AppShape SharePoint Configuration Validation, page 260

Device Configuration Backup Parameters, page 262

Device Reboot Parameters, page 263

SAP Message Server Automated Configuration Parameters, page 264

Synchronize Active Device Configuration Parameters, page 265

Update RSA Signatures File Parameters, page 267

Update Radware Security Signatures Files for a Device, page 268

Update APSolute Vision Attack Description File Parameters, page 270

APSolute Vision Configuration Backup


This task creates a backup of the APSolute Vision configuration in the specified location.
Each backup includes the following:

The APSolute Vision system configuration

The local users

The managed devices

The host IP addresses in the database-viewer list

The task does not back up the following:

The password of the radware user of the APSolute Vision server appliance

The IP address/es of the APSolute Vision server appliance

The DNS address/es of the APSolute Vision server appliance

The network routes of the APSolute Vision server appliance

Attack data

The system stores up to five configuration-backup iterations. After the fifth configuration-backup,
the system deletes the oldest one.

Note: For information on managing the backups using CLI, see the APSolute Vision
Administrator Guide.

Parameter

Description
Basic Parameters

Name

A unique name for the task.


Default: The selected task type name. If there are existing tasks that use
this name, n is appended to the name, where n is the next available
sequential number.

Description

A user-defined description of the task.

Document ID: RDWR-APSV-V0130_UG1205

257

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Parameter

Description

Enabled

When selected, the task is performed according to the defined schedule.


Disabled tasks are not activated, but the task configuration is saved in the
database.

Schedule
Frequency

The frequency at which the task is performed.


Select a frequency, then configure the related time and day/date
parameters.
Values:
OnceThe task is performed one time only at the specified date and
time.
MinutesThe task is performed at intervals of the specified number
of minutes between task starts. The minimum interval is 60 minutes.
DailyThe task is performed daily at the specified time.
WeeklyThe task is performed every week on the specified day or
days, at the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.

Schedule Period
Run Always

Specifies whether the task always runs or only during the defined period.
Values:
EnabledThe task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
DisabledThe task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled

Start Date

The date and time at which the task is activated.

Start Time
End Date

The date and time after which the task no longer runs.

End Time

Parameters
Protocol

The protocol that APSolute Vision uses for this task.


Values:
FTP
SCP
SFTP
SSH
Default: FTP

Destination
IP Address

The IP address of the server.

Directory

The path to the export directory.

258

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks
Backup File Name

The name of the backup, up to 15 characters, with no spaces. Only


alphanumeric characters and underscores (_) are allowed.

User

The username.

Password

The user password.

Verify Password

The user password.

APSolute Vision Reporter Backup


This task creates a backup of the APSolute Vision Reporter data in the specified location. The backup
includes all the APSolute Vision Reporter data.
The system stores up to three iterations of the APSolute Vision Reporter data. After the third
reporter-backup, the system deletes the oldest one.

Note: For information on managing the backups using CLI, see the APSolute Vision
Administrator Guide.

Parameter

Description
Basic Parameters

Name

A unique name for the task.


Default: The selected task type name. If there are existing tasks that use
this name, n is appended to the name, where n is the next available
sequential number.

Description

A user-defined description of the task.

Enabled

When selected, the task is performed according to the defined schedule.


Disabled tasks are not activated, but the task configuration is saved in the
database.

Schedule
Frequency

The frequency at which the task is performed.


Select a frequency, then configure the related time and day/date
parameters.
Values:
OnceThe task is performed one time only at the specified date and
time.
MinutesThe task is performed at intervals of the specified number
of minutes between task starts. The minimum interval is 60 minutes.
DailyThe task is performed daily at the specified time.
WeeklyThe task is performed every week on the specified day or
days, at the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.

Document ID: RDWR-APSV-V0130_UG1205

259

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Parameter

Description
Schedule Period

Run Always

Specifies whether the task always runs or only during the defined period.
Values:
EnabledThe task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
DisabledThe task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled

Start Date

The date and time at which the task is activated.

Start Time
End Date

The date and time after which the task no longer runs.

End Time

Parameters
Protocol

The protocol that APSolute Vision uses for this task.


Values:
FTP
SCP
SFTP
SSH
Default: FTP

Destination
IP Address

The IP address of the server.

Directory

The path to the export directory.

Backup File Name

The name of the backup, up to 15 characters, with no spaces. Only


alphanumeric characters and underscores (_) are allowed.

User

The username.

Password

The user password.

Verify Password

The user password.

AppShape SharePoint Configuration Validation


The AppShape SharePoint Configuration Validation task checks whether the AppShape SharePoint
instances on the specified devices conform to the AppShape SharePoint template.

260

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Parameter

Description
Basic Parameters

Name

A unique name for the task.


Default: The selected task type name. If there are existing tasks that use
this name, n is appended to the name, where n is the next available
sequential number.

Description

A user-defined description of the task.

Enabled

When selected, the task is performed according to the defined schedule.


Disabled tasks are not activated, but the task configuration is saved in the
database.

Schedule
Frequency

The frequency at which the task is performed.


Select a frequency, then configure the related time and day/date
parameters.
Values:
OnceThe task is performed one time only at the specified date and
time.
MinutesThe task is performed at intervals of the specified number
of minutes between task starts. The minimum interval is 60 minutes.
DailyThe task is performed daily at the specified time.
WeeklyThe task is performed every week on the specified day or
days, at the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.

Schedule Period
Run Always

Specifies whether the task always runs or only during the defined period.
Values:
EnabledThe task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
DisabledThe task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled

Start Date

The date and time at which the task is activated.

Start Time
End Date

The date and time after which the task no longer runs.

End Time

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the Alteon devices on which this task runs.

Document ID: RDWR-APSV-V0130_UG1205

261

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Device Configuration Backup Parameters


Note: By default, you can save up to five (5) configuration files per device on the APSolute
Vision server. You can change this parameter in the APSolute Vision Setup tab. For more
information, see the APSolute Vision Administrator Guide.

Parameter

Description
Basic Parameters

Name

A unique name for the task.


Default: The selected task type name. If there are existing tasks that use
this name, n is appended to the name, where n is the next available
sequential number.

Description

A user-defined description of the task.

Enabled

When selected, the task is performed according to the defined schedule.


Disabled tasks are not activated, but the task configuration is saved in the
database.

Schedule
Frequency

The frequency at which the task is performed.


Select a frequency, then configure the related time and day/date
parameters.
Values:
OnceThe task is performed one time only at the specified date and
time.
MinutesThe task is performed at intervals of the specified number
of minutes between task starts. The minimum interval is 60 minutes.
DailyThe task is performed daily at the specified time.
WeeklyThe task is performed every week on the specified day or
days, at the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.

Schedule Period
Run Always

Specifies whether the task always runs or only during the defined period.
Values:
EnabledThe task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
DisabledThe task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled

Start Date

The date and time at which the task is activated.

Start Time
End Date

The date and time after which the task no longer runs.

End Time

262

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Configuration Type (AppDirector only)


File Type

The AppDirector device stores separate configuration files for itself, its
peer device (for an active-active configuration), and its backup device (for
(This parameter is not
available in AppDirector an active-backup configuration). Select which configuration file to back
up.
versions prior to 2.x.)
Values: Device, Peer, Backup

Communication Parameters (Not Relevant for Alteon Devices)


Note: This group box and the parameter in it are not relevant for Alteon devices. Alteon devices
support only HTTPS for this task.
Protocol

The protocol that APSolute Vision uses for this task.


Values: HTTPS, TFTP
Default: HTTPS

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the devices whose configurations this task
backs up.

Device Reboot Parameters


Parameter

Description
Basic Parameters

Name

A unique name for the task.


Default: The selected task type name. If there are existing tasks that use
this name, n is appended to the name, where n is the next available
sequential number.

Description

A user-defined description of the task.

Enabled

When selected, the task is performed according to the defined schedule.


Disabled tasks are not activated, but the task configuration is saved in the
database.

Schedule
Frequency

The frequency at which the task is performed.


Select a frequency, then configure the related time and day/date
parameters.
Values:
OnceThe task is performed one time only at the specified date and
time.
MinutesThe task is performed at intervals of the specified number
of minutes between task starts. The minimum interval is 60 minutes.
DailyThe task is performed daily at the specified time.
WeeklyThe task is performed every week on the specified day or
days, at the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.

Document ID: RDWR-APSV-V0130_UG1205

263

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Parameter

Description
Schedule Period

Run Always

Specifies whether the task always runs or only during the defined period.
Values:
EnabledThe task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
DisabledThe task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled

Start Date

The date and time at which the task is activated.

Start Time
End Date

The date and time after which the task no longer runs.

End Time

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the devices that this task reboots.

SAP Message Server Automated Configuration Parameters


You can configure up to four SAP message-server connections. An SAP Portal AppShape instance
automates the configuration of an Alteon standalone, VA, or vADC.
After you enable and configure the SAP message-server connection, you must configure an SAP
Message Server Automated Configuration scheduled task. The task periodically polls the SAP
Message Server, validates, and, if necessary, updates the configuration of the SAP Portal AppShape
instances on the specified devices.

Note: The frequency range for the SAP Message Server Automated Configuration task is 5
3600 minutes.

Parameter

Description
Basic Parameters

Name

A unique name for the task.


Default: The selected task type name. If there are existing tasks that use
this name, n is appended to the name, where n is the next available
sequential number.

Description

A user-defined description of the task.

Enabled

When selected, the task is performed according to the defined schedule.


Disabled tasks are not activated, but the task configuration is saved in the
database.

264

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Parameter

Description
Schedule

Frequency

The frequency at which the task is performed.


Select a frequency, then configure the related time and day/date
parameters.
Values:
OnceThe task is performed one time only at the specified date and
time.
MinutesThe task is performed at intervals of the specified number
of minutes between task starts. The minimum interval is 60 minutes.
DailyThe task is performed daily at the specified time.
WeeklyThe task is performed every week on the specified day or
days, at the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.

Schedule Period
Run Always

Specifies whether the task always runs or only during the defined period.
Values:
EnabledThe task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
DisabledThe task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled

Start Date

The date and time at which the task is activated.

Start Time
End Date

The date and time after which the task no longer runs.

End Time

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the Alteon devices that use the SAP Message
Server connection configured on them to update its configuration accordingly.

Synchronize Active Device Configuration Parameters


Notes:
>> When managing an AppDirector cluster with Vision, if both devices are connected using
SNMPv3, you must ensure that their SNMP engine IDs are unique.
>> For handling synchronization of the SNMPv3 user table in AppDirector 2.31 and later, see
the AppDirector User Guide.

Document ID: RDWR-APSV-V0130_UG1205

265

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Parameter

Description
Basic Parameters

Name

A unique name for the task.


Default: The selected task type name. If there are existing tasks that use
this name, n is appended to the name, where n is the next available
sequential number.

Description

A user-defined description of the task.

Enabled

When selected, the task is performed according to the defined schedule.


Disabled tasks are not activated, but the task configuration is saved in the
database.

Schedule
Frequency

The frequency at which the task is performed.


Select a frequency, then configure the related time and day/date
parameters.
Values:
OnceThe task is performed one time only at the specified date and
time.
MinutesThe task is performed at intervals of the specified number
of minutes between task starts. The minimum interval is 60 minutes.
DailyThe task is performed daily at the specified time.
WeeklyThe task is performed every week on the specified day or
days, at the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.

Schedule Period
Run Always

Specifies whether the task always runs or only during the defined period.
Values:
EnabledThe task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
DisabledThe task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled

Start Date

The date and time at which the task is activated.

Start Time
End Date

The date and time after which the task no longer runs.

End Time

Synchronization Parameters
File Type
(This parameter is
available only in
AppDirector versions
later than 1.07.12.)

266

The AppDirector device stores separate configuration files for a peer


device (in an active-active configuration), and a backup device (in an
active-backup configuration). Select which configuration file to use for the
synchronization.
Values: Peer, Backup

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks
Include Private Keys
(This parameter is
available only in
AppDirector versions
later than 1.07.12.)

When enabled, the certificate private key information is included in the


synchronization.

Cluster

Select the AppDirector cluster to synchronize.

Device

Select the device whose configuration will be used for synchronization.

Communication Parameters
Protocol

The protocol that APSolute Vision uses for this task.


Values: HTTP, HTTPS
Default: HTTPS

Update RSA Signatures File Parameters


Note: The frequency range for the Update RSA Security Signature task is 1060 minutes. The
default interval is 60 minutes.

Parameter

Description
Basic Parameters

Name

A unique name for the task.


Default: The selected task type name. If there are existing tasks that use
this name, n is appended to the name, where n is the next available
sequential number.

Description

A user-defined description of the task.

Enabled

When selected, the task is performed according to the defined schedule.


Disabled tasks are not activated, but the task configuration is saved in the
database.

Schedule
Frequency

The frequency at which the task is performed.


Select a frequency, then configure the related time and day/date
parameters.
Values:
OnceThe task is performed one time only at the specified date and
time.
MinutesThe task is performed at intervals of the specified number
of minutes between task starts. The minimum interval is 60 minutes.
DailyThe task is performed daily at the specified time.
WeeklyThe task is performed every week on the specified day or
days, at the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.

Document ID: RDWR-APSV-V0130_UG1205

267

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Parameter

Description
Schedule Period

Run Always

Specifies whether the task always runs or only during the defined period.
Values:
EnabledThe task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
DisabledThe task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled

Start Date

The date and time at which the task is activated.

Start Time
End Date

The date and time after which the task no longer runs.

End Time

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
DefensePro devices with Fraud Protection enabled. The Selected Devices list displays the
DefensePro devices whose RSA signature files this task update.

Update Radware Security Signatures Files for a Device


Parameter

Description
Basic Parameters

Name

A unique name for the task.


Default: The selected task type name. If there are existing tasks that use
this name, n is appended to the name, where n is the next available
sequential number.

Description

A user-defined description of the task.

Enabled

When selected, the task is performed according to the defined schedule.


Disabled tasks are not activated, but the task configuration is saved in the
database.

268

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Parameter

Description
Schedule

Frequency

The frequency at which the task is performed.


Select a frequency, then configure the related time and day/date
parameters.
Values:
OnceThe task is performed one time only at the specified date and
time.
MinutesThe task is performed at intervals of the specified number
of minutes between task starts. The minimum interval is 60 minutes.
DailyThe task is performed daily at the specified time.
WeeklyThe task is performed every week on the specified day or
days, at the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.

Schedule Period
Run Always

Specifies whether the task always runs or only during the defined period.
Values:
EnabledThe task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
DisabledThe task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled

Start Date

The date and time at which the task is activated.

Start Time
End Date

The date and time after which the task no longer runs.

End Time

Communication Parameters
Upload Protocol

The protocol used to upload the updated signature file from APSolute
Vision to the device.
Values: HTTPS, HTTP, TFTP
Default: HTTPS

Devices
The Available Devices list and the Selected Devices list. The Available Devices list displays the
available devices. The Selected Devices list displays the devices whose Radware signature files this
task updates.

Document ID: RDWR-APSV-V0130_UG1205

269

APSolute Vision User Guide


Scheduling APSolute Vision and Device Tasks

Update APSolute Vision Attack Description File Parameters


Parameter

Description
Basic Parameters

Name

A unique name for the task.


Default: The selected task type name. If there are existing tasks that use
this name, n is appended to the name, where n is the next available
sequential number.

Description

A user-defined description of the task.

Enabled

When selected, the task is performed according to the defined schedule.


Disabled tasks are not activated, but the task configuration is saved in the
database.

Schedule
Frequency

The frequency at which the task is performed.


Select a frequency, then configure the related time and day/date
parameters.
Values:
OnceThe task is performed one time only at the specified date and
time.
MinutesThe task is performed at intervals of the specified number
of minutes between task starts. The minimum interval is 60 minutes.
DailyThe task is performed daily at the specified time.
WeeklyThe task is performed every week on the specified day or
days, at the specified time.
Note: Tasks run according to the time as configured on the APSolute
Vision client.

Schedule Period
Run Always

Specifies whether the task always runs or only during the defined period.
Values:
EnabledThe task is activated immediately and runs indefinitely,
with no start or end time. It runs at the first Time configured with the
Frequency in the Schedule group box.
DisabledThe task runs (at the Time and Frequency specified in the
Schedule group box) from the specified Start Date at the Start Time
until the End Date at the End Time.
Default: Enabled

Start Date

The date and time at which the task is activated.

Start Time
End Date

The date and time after which the task no longer runs.

End Time

270

Document ID: RDWR-APSV-V0130_UG1205

Radware Ltd. End User License Agreement


By accepting this End User License Agreement (this License Agreement) you agree to be contacted
by Radware Ltd.s (Radware) sales personnel.
If you would like to receive license rights different from the rights granted below or if you wish to
acquire warranty or support services beyond the scope provided herein (if any), please contact
Radwares sales team.
THIS LICENSE AGREEMENT GOVERNS YOUR USE OF ANY SOFTWARE DEVELOPED AND/OR
DISTRIBUTED BY RADWARE AND ANY UPGRADES, MODIFIED VERSIONS, UPDATES, ADDITIONS,
AND COPIES OF THE SOFTWARE FURNISHED TO YOU DURING THE TERM OF THE LICENSE
GRANTED HEREIN (THE SOFTWARE). THIS LICENSE AGREEMENT APPLIES REGARDLESS OF
WHETHER THE SOFTWARE IS DELIVERED TO YOU AS AN EMBEDDED COMPONENT OF A RADWARE
PRODUCT (PRODUCT), OR WHETHER IT IS DELIVERED AS A STANDALONE SOFTWARE PRODUCT.
FOR THE AVOIDANCE OF DOUBT IT IS HEREBY CLARIFIED THAT THIS LICENSE AGREEMENT
APPLIES TO PLUG-INS, CONNECTORS, EXTENSIONS AND SIMILAR SOFTWARE COMPONENTS
DEVELOPED BY RADWARE THAT CONNECT OR INTEGRATE A RADWARE PRODUCT WITH THE
PRODUCT OF A THIRD PARTY (COLLECTIVELY, CONNECTORS) FOR PROVISIONING,
DECOMMISSIONING, MANAGING, CONFIGURING OR MONITORING RADWARE PRODUCTS. THE
APPLICABILITY OF THIS LICENSE AGREEMENT TO CONNECTORS IS REGARDLESS OF WHETHER
SUCH CONNECTORS ARE DISTRIBUTED TO YOU BY RADWARE OR BY A THIRD PARTY PRODUCT
VENDOR. IN CASE A CONNECTOR IS DISTRIBUTED TO YOU BY A THIRD PARTY PRODUCT VENDOR
PURSUANT TO THE TERMS OF AN AGREEMENT BETWEEN YOU AND THE THIRD PARTY PRODUCT
VENDOR, THEN, AS BETWEEN RADWARE AND YOURSELF, TO THE EXTENT THERE IS ANY
DISCREPANCY OR INCONSISTENCY BETWEEN THE TERMS OF THIS LICENSE AGREEMENT AND THE
TERMS OF THE AGREEMENT BETWEEN YOU AND THE THIRD PARTY PRODUCT VENDOR, THE TERMS
OF THIS LICENSE AGREEMENT WILL GOVERN AND PREVAIL. PLEASE READ THE TERMS AND
CONDITIONS OF THIS LICENSE AGREEMENT CAREFULLY BEFORE OPENING THE PACKAGE
CONTAINING RADWARES PRODUCT, OR BEFORE DOWNLOADING, INSTALLING, COPYING OR
OTHERWISE USING RADWARE'S STANDALONE SOFTWARE (AS APPLICABLE). THE SOFTWARE IS
LICENSED (NOT SOLD). BY OPENING THE PACKAGE CONTAINING RADWARE'S PRODUCT, OR BY
DOWNLOADING, INSTALLING, COPYING OR USING THE SOFTWARE (AS APPLICABLE), YOU
CONFIRM THAT YOU HAVE READ AND UNDERSTAND THIS LICENSE AGREEMENT AND YOU AGREE
TO BE BOUND BY THE TERMS OF THIS LICENSE AGREEMENT. FURTHERMORE, YOU HEREBY WAIVE
ANY CLAIM OR RIGHT THAT YOU MAY HAVE TO ASSERT THAT YOUR ACCEPTANCE AS STATED
HEREINABOVE IS NOT THE EQUIVALENT OF, OR DEEMED AS, A VALID SIGNATURE TO THIS LICENSE
AGREEMENT. IF YOU ARE NOT WILLING TO BE BOUND BY THE TERMS OF THIS LICENSE
AGREEMENT, YOU SHOULD PROMPTLY RETURN THE UNOPENED PRODUCT PACKAGE OR YOU
SHOULD NOT DOWNLOAD, INSTALL, COPY OR OTHERWISE USE THE SOFTWARE (AS APPLICABLE).
THIS LICENSE AGREEMENT REPRESENTS THE ENTIRE AGREEMENT CONCERNING THE SOFTWARE
BETWEEN YOU AND RADWARE, AND SUPERSEDES ANY AND ALL PRIOR PROPOSALS,
REPRESENTATIONS, OR UNDERSTANDINGS BETWEEN THE PARTIES. YOU MEANS THE NATURAL
PERSON OR THE ENTITY THAT IS AGREEING TO BE BOUND BY THIS LICENSE AGREEMENT, THEIR
EMPLOYEES AND THIRD PARTY CONTRACTORS. YOU SHALL BE LIABLE FOR ANY FAILURE BY SUCH
EMPLOYEES AND THIRD PARTY CONTRACTORS TO COMPLY WITH THE TERMS OF THIS LICENSE
AGREEMENT.
1.

License Grant. Subject to Section 2 below (if applicable), Radware hereby grants to you, and
you accept, a nonexclusive, nontransferable license to install and use the Software in machinereadable, object code form only and solely for your internal purposes (Commercial License).
You further agree that you will not assign, sublicense, transfer, pledge, lease, rent or share your
rights under this License Agreement nor will you distribute copies of the Software.

2.

Evaluation Use. Notwithstanding anything to the contrary in this License Agreement, if the
Software is provided to you for evaluation purposes, as indicated in your purchase order or sales
receipt, on the website from which You download the Software, as inferred from any timelimited evaluation license keys that You are provided with to activate the Software, or otherwise,
then You may use the Software only for internal evaluation purposes (Evaluation Use) for a
maximum of 30 days or such other duration as may specified by Radware in writing at its sole

Document ID: RDWR-APSV-V0130_UG1205

271

APSolute Vision User Guide


Radware Ltd. End User License Agreement
discretion (the Evaluation Period). The evaluation copy of the Software contains a feature that
will automatically disable it after expiration of the Evaluation Period. You agree not to disable,
destroy, or remove this feature of the Software, and any attempt to do so will be a material
breach of this License Agreement. During or at the end of the evaluation period, you may
contact Radware sales team to purchase a Commercial License to continue using the Software
pursuant to the terms of this License Agreement. If you elect not to purchase a Commercial
License, You agree to stop using the Software and to delete the evaluation copy received
hereunder from all computers under your possession or control at the end of the Evaluation
Period. In any event, your continued use of the Software beyond the Evaluation Period (if
possible) shall be deemed your acceptance of a Commercial License to the Software pursuant to
the terms of this License Agreement, and You agree to pay Radware any amounts due for any
applicable license fees at Radwares then-current list prices.
3.

Limitations on Use. You agree that you will not: (a) copy, modify, translate, adapt, or create
any derivative works based on the Software; or (b) sublicense or transfer the Software, or
include the Software or any portion thereof in any product; or (b) reverse assemble, decompile,
reverse engineer or otherwise attempt to derive source code (or the underlying ideas,
algorithms, structure or organization) from the Software; or (c) remove any copyright notices,
identification or any other proprietary notices from the Software (including any notices of Third
Party Software (as defined below); or (d) copy the Software onto any public or distributed
network or use the Software to operate in or as a time-sharing, outsourcing, service bureau,
application service provider, or managed service provider environment. Notwithstanding Section
3(d), if you provide hosting or cloud computing services to your customers, you are entitled to
use and include the Software in your IT infrastructure on which you provide your services.

4.

Intellectual Property Rights. You acknowledge and agree that this License Agreement does
not convey to you any interest in the Software except for the limited right to use the Software,
and that all right, title, and interest in and to the Software, including any and all associated
intellectual property rights, are and shall remain with Radware or its third party licensors. You
further acknowledge and agree that the Software is a proprietary product of Radware and/or its
licensors and is protected under applicable copyright law.

5.

No Warranty. The Software, and any and all accompanying software, files, libraries, data and
materials, are distributed and provided AS IS by Radware or by its third party licensors (as
applicable) and with no warranty of any kind, whether express or implied, including, without
limitation, any non-infringement warranty or warranty of merchantability or fitness for a
particular purpose. Neither Radware nor any of its affiliates or licensors warrants, guarantees, or
makes any representation regarding the title in the Software, the use of, or the results of the
use of the Software. Neither Radware nor any of its affiliates or licensors warrants that the
operation of the Software will be uninterrupted or error-free, or that the use of any passwords,
license keys and/or encryption features will be effective in preventing the unintentional
disclosure of information contained in any file. You acknowledge that good data processing
procedure dictates that any program, including the Software, must be thoroughly tested with
non-critical data before there is any reliance on it, and you hereby assume the entire risk of all
use of the copies of the Software covered by this License. This disclaimer of warranty constitutes
an essential and material part of this License.
In the event that, notwithstanding the disclaimer of warranty above, Radware is held liable
under any warranty provision, Radware shall be released from all such obligations in the event
that the Software shall have been subject to misuse, neglect, accident or improper installation,
or if repairs or modifications were made by persons other than by Radwares authorized service
personnel.

6.

Limitation of Liability. Except to the extent expressly prohibited by applicable statutes, in no


event shall Radware, or its principals, shareholders, officers, employees, affiliates, licensors,
contractors, subsidiaries, or parent organizations (together, the Radware Parties), be liable for
any direct, indirect, incidental, consequential, special, or punitive damages whatsoever relating
to the use of, or the inability to use, the Software, or to your relationship with, Radware or any
of the Radware Parties (including, without limitation, loss or disclosure of data or information,
and/or loss of profit, revenue, business opportunity or business advantage, and/or business
interruption), whether based upon a claim or action of contract, warranty, negligence, strict
liability, contribution, indemnity, or any other legal theory or cause of action, even if advised of

272

Document ID: RDWR-APSV-V0130_UG1205

APSolute Vision User Guide


Radware Ltd. End User License Agreement
the possibility of such damages. If any Radware Party is found to be liable to You or to any thirdparty under any applicable law despite the explicit disclaimers and limitations under these
terms, then any liability of such Radware Party, will be limited exclusively to refund of any
license or registration or subscription fees paid by you to Radware.
7. Third Party Software. The Software includes software portions developed and owned by third
parties (the Third Party Software). Third Party Software shall be deemed part of the Software
for all intents and purposes of this License Agreement; provided, however, that in the event that
a Third Party Software is a software for which the source code is made available under an open
source software license agreement, then, to the extent there is any discrepancy or inconsistency
between the terms of this License Agreement and the terms of any such open source license
agreement (including, for example, license rights in the open source license agreement that are
broader than the license rights set forth in Section 1 above and/or no limitation in the open
source license agreement on the actions set forth in Section 3 above), the terms of any such
open source license agreement will govern and prevail. The terms of open source license
agreements and copyright notices under which Third Party Software is being licensed to
Radware or a link thereto, are included with the Software documentation or in the header or
readme files of the Software. Third Party licensors and suppliers retain all right, title and interest
in and to the Third Party Software and all copies thereof, including all copyright and other
intellectual property associated therewith. In addition to the use limitations applicable to Third
Party Software pursuant to Section 3 above, you agree and undertake not to use the Third Party
Software as a general SQL server, as a stand-alone application or with applications other than
the Software under this License Agreement.
8. Term and Termination. This License Agreement is effective upon the first to occur of your
opening the package of the Product, purchasing, downloading, installing, copying or using the
Software or any portion thereof, and shall continue until terminated. However, sections 3-11
shall survive any termination of this License Agreement. The License under this License
Agreement is not transferable and will terminate upon transfer of the Software.
9. Export. The Software or any part thereof may be subject to export or import controls under the
laws and regulations of the United States and/or Israel. You agree to comply with such laws and
regulations, and, agree not to knowingly export, re-export, import or re-import, or transfer
products without first obtaining all required Government authorizations or licenses therefor.
10. Governing Law. This License Agreement shall be construed and governed in accordance with
the laws of the State of Israel.
11. Miscellaneous. If a judicial determination is made that any of the provisions contained in this
License Agreement is unreasonable, illegal or otherwise unenforceable, such provision or
provisions shall be rendered void or invalid only to the extent that such judicial determination
finds such provisions to be unreasonable, illegal or otherwise unenforceable, and the remainder
of this License Agreement shall remain operative and in full force and effect. In any event a
party breaches or threatens to commit a breach of this License Agreement, the other party will,
in addition to any other remedies available to, be entitled to injunction relief. This License
Agreement constitutes the entire agreement between the parties hereto and supersedes all prior
agreements between the parties hereto with respect to the subject matter hereof. The failure of
any party hereto to require the performance of any provisions of this License Agreement shall in
no manner affect the right to enforce the same. No waiver by any party hereto of any provisions
or of any breach of any provisions of this License Agreement shall be deemed or construed
either as a further or continuing waiver of any such provisions or breach waiver or as a waiver of
any other provision or breach of any other provision of this License Agreement.
IF YOU DO NOT AGREE WITH THE TERMS OF THIS LICENSE, YOU MUST REMOVE THE
SOFTWARE FROM ANY DEVICE OWNED BY YOU AND IMMIDIATELY CEASE USING THE
SOFTWARE.
COPYRIGHT 2012, Radware Ltd. All Rights Reserved.

Document ID: RDWR-APSV-V0130_UG1205

273